The Information Commissioner’s Office (ICO) is urging consumers to take better care of their data, following an investigation into the trade in used hard drives. The ICO has published new guidance to help individuals securely delete personal information from their old devices.
An investigation by the ICO found that one in ten second-hand hard drives sold online may contain residual personal information. An ICO survey also found that 65% of British adults now hand on their old phones, computers and laptops to another user, with 44% giving it away to somebody else for free and around one in five (21%) selling it to somebody else.
In December 2010, the ICO asked a computer forensics company – NCC Group – to source around 200 hard drives, 20 memory sticks and 10 mobile phones. The devices were mainly bought online from internet auction sites and some were sourced at computer trade fairs. The devices were then searched, initially without any additional software, and then interrogated using forensic tools freely available on the internet.
The research found that, while 52% of the hard drives investigated were unreadable or had been wiped of data, 48% contained information and 11% was personal data. The amount of personal data found on the mobile phones and memory sticks was negligible.
In total 34,000 files containing personal or corporate information were recovered from the devices. At least two of the hard drives contained enough information to enable someone to steal the former owner’s identity. The residual documents included scanned bank statements, passports, information on previous driving offences, and some medical details. A further four hard drives contained information about the employees and clients of four organisations, including individuals’ health and financial details.
All four organisations were contacted and have now taken action to ensure people’s information is securely deleted from redundant equipment, or the equipment is destroyed as necessary. One company – Safe and Secure Insurances Services Limited – have also signed an undertaking to introduce further improvements.
Announcing the outcome of today’s report, Information Commissioner Christopher Graham said:
“We live in a world where personal and company information is a highly valuable commodity. It is important that people do everything they can to stop their details from falling into the wrong hands. Today’s findings show that people are in danger of becoming a soft touch for online fraudsters simply because organisations and individuals are failing to ensure the secure deletion of the data held on their old storage devices.
“Many people will presume that pressing the delete button on a computer file means that it is gone forever. However this information can easily be recovered.
“The ICO has published guidance to help individuals securely delete information stored on their old devices. We hope this publication will help people to take better control of their personal data.”
We have also published a survey to coincide with the research project looking at people’s attitudes towards data disposal. The survey shows that 65% of people now hand on their old phones, computers and laptops to another user with 44% giving it away to somebody else for free and around one in five (21%) selling it to somebody else. This figure rises to 31% of 18–24 year olds selling their mobile phone, computer or laptop to somebody else.
The survey also found that an alarming one in ten people who have ever disposed of a mobile phone, computer or laptop, said that they had never deleted information held on a device before disposing of it, potentially allowing their data to be accessed by the next person who used it.
View the ICO’s report on unscrubbed hard drives (pdf)
Read the full results of the ICO’s survey into attitudes about data destruction (Excel file)
Read the ICO’s advice for individuals on how to securely delete their information from an old device
The ICO will also be publishing more detailed guidance for organisations shortly.
Notes to Editors
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter. Our Press Office page provides more information for journalists.
4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with your rights
Not transferred to other countries without adequate protection
5. If you need more information, please contact the ICO press office on 0303 123 9070 or visit the website at www.ico.gov.uk