Deleting personal information from mobile phones and other devices is a ctitical part of data security and protecting the privacy of individuals under the Privacy Act
February 7, 2014 |
Phones, cameras and the ubiquitous USB stick pose a real and growing problem for organisations trying to maintain data security. The storage of data on those devices as well as photocopiers can easily become a data breach if they are not wiped clean when decommissioned. The growing phenomana of BYODs and the development of the internet of things makes this problem as big a data risk as a hacking attack.
The UK Information Commissioner’s office has provided some helpful hints on how to deal with personal information left on mobile devices in their now many incarnations with Deleting your data from computers, laptops and other devices.While the ICO goes through the various options if an organisation is upgrading its mobiles or laptops serious consideration should be given to physical destruction if the data employees regularly handle are sensitive information as defined in the Privacy Act. That this particularly so if the resale price of the devices is relatively small. The consequences of deletion software not working properly or a software failing to scrub a hardrive can be a civil penalty proceeding. It is not worth it.
Under the Australian Privacy Principles, which come into effect on 12 March 2014,having proper processes to delete personal information on decommissioned devices is a critical aspect of maintaining data security. Having the processes are, of course, only the start. Actually doing it is critically important.
The ICO’s commentary provides:
Getting rid of your computer? Laptops, mobile phones and other devices may contain personal information that you wouldn’t want others to see, such as passwords and credit card information.
It’s important to properly delete any personal information before you sell or dispose of your hardware, so that it cannot be accessed by anybody else either by mistake or for malicious purposes.
Personal data can be stored on any device with a permanent memory, including desktop and laptop computers, external hard drives, games consoles, mobile phones, tablets, faxes, printers, and removable memory such as that found in digital cameras. When deciding what to do, consider the type of media the data is stored on and whether or not this is easily accessible.
Options for secure deletion |
Pros |
Cons |
Physical destructionThis involves physically destroying the media so that it can no longer be used. |
Once destroyed, data on the media will not be recoverable except using specialist, expensive equipment.
You can destroy the media without specialist equipment. If you can remove the media you can destroy it separately and leave the device intact. This is a good method of destruction for removable media such as CDs and DVDs. |
You will have to replace the destroyed media with a new storage facility if you want to use the device again.
If you are not able to remove the media from the device you will have to destroy the device itself. Removing the media may invalidate the warranty. Fragment particles raise health, safety and environmental concerns. Consider specialist help for devices with hazardous elements eg mobile phones and batteries. |
Secure deletion softwareThis involves using software to overwrite data one or more times. |
Simple and cheap.
The media can be reused once the overwriting is complete. |
Large drives may take some time to overwrite multiple times.
Ineffective on some media such as write-once CDs. It may be difficult or impossible to remove the media from the device. |
Restore to factory settingsMany devices offer a function to ‘Restore to factory settings’. This will return the device to the state in which you bought it. |
Can be used on devices which do not have removable or otherwise accessible storage media. | This method relies on the device manufacturer to have implemented a secure wiping stage into the factory reset process.
You should check with the device manufacturer to determine if this is sufficiently secure. |
Send to a specialistThere are many organisations which will securely delete data from a range of devices and types of media. These organisations will destroy or overwrite your data on your behalf. |
A specialist organisation may be able to return, reuse or recycle your media or device after they have securely deleted your data. | You will need to check the organisation’s processes to be sure that your data will be securely deleted.
If you can, you should perform another secure deletion method or at least a ‘restore to factory settings’ before you send a device to a specialist organisation. |
FormattingFormatting media recreates the data structures and file system. |
A full format can be used in conjunction with overwriting to provide further assurance that data cannot be recovered. | A reformat is not sufficient to securely delete data because the data can be easily recovered using freely available software. |
Where will I find my data?
Desktop and laptop computers will have a hard drive inside where your data is stored. Above you’ll see some common types of hard drives found in PCs and laptops.
Don’t forget that you may have personal data stored on other memory types such as USB drives, CDs and DVDs and SD cards (eg in a camera or mobile phone).
My data is in the cloud. How do I delete this securely?
Securely deleting data from the cloud or other remote storage service cannot be achieved by you running overwriting software. You should contact your cloud provider to see what service they offer to securely delete the data.
Where do I get overwriting software from?
Software products which can perform the secure deletion of data are available from IT security firms. There are also other software products (often free) which you can download and use. However, when obtaining software from the internet you should make sure this comes from a reputable source and that you review evidence that the software has been tested against the claims that it makes.
I cannot decide between physical destruction and overwriting.
In choosing between physical destruction and overwriting, the main point to consider will be whether or not you want to use the media again. Physical destruction will completely destroy the media so it is only appropriate if you are sure that you do not want to use it again.
Can I get someone else to securely delete data from my equipment?
Yes. If you are not confident in performing the deletion yourself you can get assistance from a professional who has experience in this area.