
Sensitive data disposal (2017)

Request

  1. How you currently dispose/deal with the destruction of sensitive data.
  2. How you currently dispose of items defined under the WEEE regulations.
  3. What External company you contract with (If any).
  4. The average costs that the disposal of these items incurs.

 

 

Response

You have asked a number of questions about the disposal of data which we have sought to answer below.  Please note that, as it wasn’t immediately evident that your request was for the disposal of electronic or hard copy data, for questions 1, 3 and 4 we have provided you with details of both.

  1. How you currently dispose/deal with the destruction of sensitive data
    This information is held by the House of Commons.  The destruction of sensitive data is dealt with in accordance with records management policies.
    A contracted confidential waste disposal service, which meets the BS EN 15713 standard, is provided for the disposal of sensitive paper documents.
    Sensitive data held within IT equipment is disposed of through a contracted service. Their processes and site are approved by HMG security services (NCSC and CPNI) to handle, store and eradicate protectively marked data classified as up to “Secret”.
  2. How you currently dispose of items defined under the WEEE regulations
    This information is held by the House of Commons.  We dispose of items through a contractor that holds certification to the following standards:
    • BS EN ISO 9001:2008  Quality Management
    • BS EN ISO 14001:2004  Environmental Management
    • BS ISO 27001:2013  Information Security Management
    • BS OHSAS 18001:2007  Occupational Health & Safety Management
    • PAS 99:2012  Integrated Management System
    • PAS 141:2011  The British standard for reuse of used and waste electrical and electronic equipment (UEEE & WEEE)
    The contractor holds a permit to operate as a WEEE Authorised Approved Treatment Facility to receive, treat and store WEEE and issue evidence notes to WEEE Producer Compliance Schemes for Obligated WEEE. They operate in compliance with all applicable UK environmental and waste management regulations covering IT media, packaging and office waste. The recycling processes are carried out in accordance with the contractor’s Environmental Management System certificated to the International Environmental Management System Standard, BS EN ISO 14001:2004.
  3. What external company you contract with (if any)
    This information is held by the House of Commons.  However, the details of the contractors that dispose of sensitive data and equipment are, in themselves, sensitive information which is withheld from release in accordance with the following sections of the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations (EIR):
    National security
    The name of the companies contracted to dispose of sensitive data is exempt under section 24(1) FOIA and section 12(5)(a) EIR, as disclosure of such information would be detrimental to the safeguarding of national security. This is a qualified or non-absolute exemption and the public interest test applies.
    There is a natural concern from the public that the measures in place to safeguard national security are effective. The House holds a large amount of personal and sensitive data and it is natural that individual members of the public would seek reassurance that this is properly destroyed at the appropriate time.  Any transparency relating to the way the House of Commons ensures that its data handling systems and processes are as secure as possible would reassure those reasonable concerns.
    However, we have also considered the public interest in withholding information detailing how we ensure that sensitive information is destroyed. In this case we have concluded that the disclosure of the name of our contractors may assist the design of attacks against both them and our collection/destruction processes, which in turn is likely to impact on national security. Groups planning attacks are known to conduct extensive research into the opposition they might face, and to disclose this information could potentially make the companies (and our processes for destruction) a key target. For these reasons we have concluded that it is not in the wider public interest to disclose this information.
    Law enforcement
    This information is also exempt under section 31(1)(a) FOIA and section 12(5)(b) EIR, as the House considers that releasing this information would be likely to prejudice the prevention or detection of crime. This is a qualified or non-absolute exemption and the public interest test applies.
    In favour of disclosure is the argument of transparency and openness through providing details relating to the way the House of Commons handles sensitive information, the benefits of enhancing public knowledge of how the House of Commons operates and of reassuring the public that this is done securely.
    However, this is outweighed by the risks of criminal activity being undertaken if the information was disclosed. The release of the name of our data disposal contractors would make them a target for unscrupulous individuals wishing to access sensitive information for criminal gain. We would fail in our duty to help prevent such criminal attacks on the contractors or our own staff during the removal process, and subsequently our duty to assist those services providing us with law enforcement. In these circumstances it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
  4. The average costs that the disposal of these items incurs.
    This information is not held by the House of Commons.  A record of any “average cost” is not kept by the House.  However, it may help you to know that the cost to dispose of sensitive paper data in 2016/17 was £13,818.  The costs to dispose of sensitive electronic information vary widely depending on the type of equipment, when and where it was collected, etc.