Last updated: 22nd November 2021
The Right Advice (“the Company”) holds and processes a large amount of data and has a legal responsibility to ensure that all data held continues to be stored safely. Additionally, the data subject has the right to expect that this data remains secure for as long as it’s held and is subsequently securely disposed of.
This policy sets out the requirements for disposal for confidential information whether stored in electronic or a durable medium.
||Secure disposal means the process and outcome by which information, including information held on IT equipment is irretrievably destroyed in a manner which maintains the security of the equipment and information during the process and up to the point of irretrievable destruction.
||All devices used by The Right Advice staff (“the Users”) to access adviser, customer and third-party company held data.
|| Information means all information held whether stored electronically on IT Equipment or manually and held and recorded in paper format.
3. Policy Principals
3.1. Electronic information
The Company collects and processes the personal data set out in Part 21 of the Data Protection Policy. This may include personal data received directly from data subjects (for example, contact details used when a data subject communicates with us) and data received from third parties (including, but not limited to: lenders, insurers, other networks and other financial institutions).
- Destruction of electronic records and storage devices should be carried out by a suitably capable third-party IT specialist;
- Information must be irretrievable and the destruction process must be such that information cannot be retrieved in any form;
- Where an overwrite procedure fails to destroy the information irretrievably, the equipment shall be physically destroyed to the extent that the information contained is also irretrievably destroyed;
- For the avoidance of doubt, removable digital media including, but not limited to, CDs, DVDs, USB drives and external hard drives shall if not successfully overwritten, be physically destroyed to the extent that all information contained is irretrievable;
- All IT Equipment marked for disposable must be stored securely until such a time as the information has been suitable destroyed inline with this policy;
- Information held within cloud-based and online systems including, but not limited to The Key, Zoho, InfusionSoft, WordPress, Survey Monkey and Eventbrite must be destroyed to the extent possible to be classed the information as irretrievable.
3.2. Tangible Information
Destruction of confidential waste must be complete:
- Confidential waste must be kept secure and protected against accidental loss, damage or unauthorised access up until its final destruction;
- Paper must be disposed of using the Company’s secure disposal bins provided;
- These bins are administered by a GDPR compliant third-party provider, SimplyShred, who provide a fortnightly onsite shredding service whereby the Company receive a certificate of destruction upon completion. All paper they shred is then recycled;
- A certificate of destruction is provided;
- Bagged waste awaiting collection must be kept secure at all times;
- Only authorised personnel or an approved contractor should handle the waste.
4. Device Specific Information
4.1. Mobile Phones
- Prior to destruction of Company mobile phones, all information must be removed by restoring the phone to factory default settings;
- Once the phone has been restored to factory default settings a final check is carried out to ensure no data is irretrievable from the device.
4.2. Computer/Laptops/Hard Drives
- The Company uses a third party GDPR compliant IT specialist, Jay Webb Consultancy, to carry out the destruction of Company computers and laptops;
- Jay Webb Consultancy ensure all Company computers and laptops are erased of all information data prior to destruction;
- Confirmation of destruction is sent to the Company upon completion.
5. Out of Date Information
All staff have an obligation to destroy inaccurate, out of date or no longer relevant data stored on IT Equipment. However, before doing so they must first consult the Data Protection Officer for approval and guidance as to how to proceed.
6. Breach Reporting
All staff should immediately report any breaches or suspected breaches to this policy to the Data Protection Officer, Adam Stretton on firstname.lastname@example.org upon becoming aware of it.