S 2.432 Policies for the deletion and destruction of information

Initiation responsibility: IT Security Officer, Head of IT, Data Protection Officer

Implementation responsibility: Employee

Information must be deleted securely when data media are disposed of and when legal retention periods are exceeded. Having standard procedures helps to prevent the misuse of the stored data. The information on the data media must be deleted before transfer or disposal so that the reconstruction of the information can be ruled out with high probability. It must also be checked whether the information on any data media received needs to be deleted reliably when it is processed for its intended purpose or transferred to other data media, for example for the purpose of archiving the data.

Objectives

The objective of this policy is to motivate employees and raise their awareness of the deletion or destruction of data. It should help you select the right procedures and tools for the deletion or destruction of data requiring protection. Which procedure is the most suitable for deletion or destruction depends on the type of data media used, their storage technologies, and the protection requirements of the information. Regular checks must be performed to ensure that the policy is followed.

Scope

The policy should take into account the data media currently used most often in the organisation. The data media must first be categorised as being analogue or digital media. The digital media can be further categorised into electromagnetic (such as hard disks, diskettes and magnetic tapes), optical (such as CDs or DVDs), magneto-optical (MO disks), and flash EEPROM (such as USB sticks) media.

The protection requirements of the data generated must be assessed. In addition, appropriate deletion methods must be selected and made mandatory for each type of data media.

Legal regulations and internal regulations

This overview should point out which legal regulations (such as data protection laws) must be followed when deleting data and destroying data media. However, references should also be made to sets of rules that have become standards, such as the ISO standards, and to any standard internal specifications in the organisation.

Responsibilities

In this section, the responsibilities of the roles and positions are defined. In particular, responsibilities must be defined for the following roles: employee, supervisor, administrator, auditor, Data Protection Officer and IT Security Officer.

Contact person

The policy should name a contact person, with contact information (telephone, e-mail etc.), who can answer any questions from employees relating to the deletion of information or can point out where this information can be found. It should be noted, though, that stating too many different contact persons often leads to confusion. It is usually better to state just a few contact persons who can then refer the users to the correct location when needed (help desk concept).

Procedure

The policy must state which methods are available and are used in the organisation for the purpose of secure deletion. In most cases, each type of storage medium will require the use of a different method or procedure. The policy must describe how and when the users are required to delete information.

If other data media not mentioned in the policy need to be erased, then the general ideas of the policy should be applied to the greatest extent possible.

Updating

Since technology is constantly changing, the policy will need to be revised regularly so that the deletion and destruction methods described are also suitable for new types of data media. This also applies to any data media that have not been considered or documented yet. If necessary, new procedures must be developed and applied.

Review questions: