S 2.515 Deletion/destruction in compliance with data protection
Initiation responsibility: Top Management
Implementation responsibility: IT Security Officer, Data Protection Officer
Secure deletion of magnetic data media
Both from a data protection and from an information security point of view, it must be ensured that sensitive or confidential data is deleted securely from magnetic data media, i.e. completely and irreversibly. Simple deletion commands of the respective operating system or formatting the data medium are normally insufficient for this, because the data can easily be reconstructed with freely available software tools. Data to be deleted securely must be rendered illegible by physical safeguards (mechanical or thermal destruction of the data medium, or destruction by magnetic force, i.e. degaussing) or by being overwritten several times. When deleting by overwriting, the specific particularities of how data is managed and stored must be taken into consideration, e.g. the existence of backup copies, of temporary and paging files automatically generated by the system or by individual applications, or of journal files of certain file systems.
From a data protection point of view, there are the following recommendations in this context:
- The complex of problems regarding the secure deletion of data requires raising the awareness of the decision-makers responsible, Administrators, Security and Data Protection Officers, as well as each and every user. This can be achieved by appropriate briefing and training.
- In the respective field of responsibility, technical-organisational safeguards ensuring secure data deletion must be defined. These must be integrated into the comprehensive data protection concept and/or security policy. In particular, safeguards must be defined before selling, leasing, disposing of, returning, repairing, or maintaining data media.
- The safeguards must be supported by specific instructions for secure deletion. These instructions must take into consideration the protection requirements of the data to be deleted, as well as the time and expenditure required for possible data recovery.
- Data worthy of protection must be stored to data media in an encrypted manner (as far as possible). For this, encrypted file systems should be used. Encrypted file systems should also be used for temporary and paging files, as well as for backup copies, because these may also contain data worthy of protection.
- Data on intact data media must be deleted by completely overwriting them with random numbers once or several times. Specific software tools may be used for this. The use of uniform overwriting patterns during deletion is not recommended, because these do not provide any protection against comprehensive laboratory analyses.
- When deleting data of any kind, the data medium should be completely overwritten with random numbers once. The overwrite procedure used should consist of at least two, preferably three overwrite runs. During the second run, the data pattern (bit sequence) used to overwrite the data medium should be the binary complement of the pattern used in the first run. Random data is recommended for the third run, as this enhances the protection.
- If data medium which is still intact is to be sold, leased, disposed of, returned, or used differently, the entire data medium must be overwritten completely with random numbers beforehand. This form of recycling then allows for the further use of the data medium (e.g. new installation of an operating system).
- Selectively deleting individual files by overwriting is usually problematic. This is only suitable if it is ensured that no copies of the data contained in these files were stored to different locations (e.g. in temporary files, paging files, or backup copies) or if these locations can be determined unambiguously and the copies can be deleted securely. Furthermore, it must be ensured that the metadata of the deleted files are overwritten should they contain sensitive information.
- When defining technical-organisational safeguards and instructions for deletion by overwriting, suitable software tools must be selected, evaluated, and provided for the corresponding users based on a criteria catalogue. The use of the tools must be checked randomly.
- Faulty data media whose data can no longer be overwritten with software tools must be rendered useless by means of mechanical or thermal destruction (diskettes, hard disks) and/or by magnetic force, i.e. degaussing (diskettes). To ensure the reliability of these procedures, their proper application must be ensured.
- If data media must be forwarded without the data having been securely deleted (e.g. for repair, or for return to the manufacturer during the warranty period), undesired flows of information, and their exploitation by attackers, must be prevented by contractual provisions appropriate to the sensitivity of the data, possibly including claims for damages. If required, warranty claims must be relinquished.
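As an added example (not part of the BSI safeguard text), the overwrite scheme recommended above implemented in Python: run 1 writes a fixed bit pattern, run 2 its binary complement, run 3 random data, with each run forced to the device before the next; a single run uses random data only. The demonstration operates on a constructed temporary file and reports a spot check of its contents afterwards; the pattern value 0x55 and the 64 KiB chunk size are assumptions.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024

def _write_run(f, size, make_chunk):
    """One complete overwrite run over the file, forced to the device with fsync."""
    f.seek(0)
    written = 0
    while written < size:
        n = min(CHUNK, size - written)
        f.write(make_chunk(n))
        written += n
    f.flush()
    os.fsync(f.fileno())

def overwrite_file(path, runs=3, pattern=0x55):
    """Run 1: fixed bit pattern; run 2: its binary complement; run 3: random data.
    A single run uses random data only, since a uniform pattern on its own is
    not recommended. Returns the number of runs performed."""
    if not 1 <= runs <= 3:
        raise ValueError("runs must be 1, 2 or 3")
    scheme = [lambda n: bytes([pattern]) * n,         # run 1: pattern
              lambda n: bytes([pattern ^ 0xFF]) * n,  # run 2: complement
              secrets.token_bytes]                    # run 3: random
    passes = [secrets.token_bytes] if runs == 1 else scheme[:runs]
    size = os.path.getsize(path)  # overwrite exactly the allocated length
    with open(path, "r+b") as f:
        for make_chunk in passes:
            _write_run(f, size, make_chunk)
    return len(passes)

def demo_wipe(content, runs=3):
    """Constructed demonstration: write `content` to a temporary file, wipe it,
    and report what a spot check of the file afterwards shows."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    try:
        done = overwrite_file(path, runs=runs)
        with open(path, "rb") as f:
            final = f.read()
        return {"runs": done, "size": len(final),
                "residue": content[:16] in final,   # any original bytes left?
                "uniform": len(set(final)) <= 1}    # single repeated byte?
    finally:
        os.remove(path)
```

As the list above already cautions, overwriting an individual file like this does not reach copies in temporary, paging, backup or journal files, and on journaling file systems or flash media the physical blocks holding the old data may not be the ones rewritten; this is why the text prefers overwriting the entire data medium.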
Destroying documents
Since documents are generally disposed of and destroyed in several steps, all security aspects from intermediate storage in paper bins or collection containers or the collection of documents at the workplace via transport and central depositing up to the actual destruction process must be taken into consideration.
General requirements
If there are no relevant area-specific rules for destruction, the destruction of documents containing personal data is subject to the Federal Data Protection Act in the public offices of the federal government and in the non-public area, and otherwise to the respective state data protection laws.
Here, the technical and organisational safeguards required to ensure that data is processed in accordance with the provisions of this act must be taken; this also applies to the processing step "destruction". Safeguards are only required if the time and expenditure involved are in appropriate proportion to the intended protection purpose. If personal data is processed in non-automated files or in paper files, safeguards must be taken that in particular prevent any access by unauthorised persons during processing, storage, transport, and destruction.
As a matter of principle, an office remains responsible for the security of the data in documents to be destroyed until the personal data contained in the documents may be deemed deleted within the meaning of the data protection laws, i.e. when destruction is complete. The office concerned must therefore have the unlimited power of disposal regarding all documents containing personal data until these are destroyed. In particular, documents to be destroyed containing personal data must not be transferred to the property of third parties before completion of destruction.
The condition in which documents may be deemed destroyed must be defined. Standard DIN 66399 (Destruction of data media) can serve as orientation here. According to it, the destruction of information media is sufficient if the media are destroyed in such a way that reproducing the information contained on them is only possible with a considerable expenditure of personnel, resources, and time (security level 3).
The requirement that the office concerned must check the proper performance of the destruction at regular intervals also applies to the destruction of documents. This means that the office concerned must be familiar with the entire technical process or procedure, particularly if the destruction was contracted to an external service provider. A person or organisational unit should be commissioned in writing with checking the destruction of documents.
Destroying documents autonomously
The prime principle should be that documents are destroyed as quickly as possible by the offices that classify them as disposable. Intermediate storage and forwarding of documents via many people are prone to error and require precise regulations and controls. Accordingly, immediate destruction by the office responsible provides efficient data protection. There must be a written regulation as to how employees must destroy their documents. Apart from that, employees must be obliged to store their documents safely until the time of destruction.
If documents are destroyed centrally, the entire procedure must be governed by written regulations. This applies, for example, to central collection points with special protection requirements, as well as to transportation to the collection points. The security of the documents to be destroyed must be guaranteed until they are delivered to the collection point. If the documents are collected by a central service, this phase must also be examined from a security point of view. The destruction of documents must be documented appropriately.
Destruction of documents by external service providers
If documents are destroyed by external service providers as "commissioned data processing", the entire handling and protection of the documents between transfer and completion of destruction must be stipulated contractually. The transport, any intermediate storage required, the destruction site, and the longest admissible period between document transfer and completion of destruction must be defined. Furthermore, the condition the documents must have in order to be deemed destroyed must be defined in writing. The contractor must guarantee that no unauthorised persons may obtain information about the data stored in the documents. The transfer of the documents to the commissioned company should be acknowledged, and the performance of each destruction should be confirmed in writing. As a general rule, subcontracting must be excluded as far as possible.
The office concerned must be able to dispose of its documents without restriction until destruction is complete. Therefore, the documents must remain its property until completion of destruction. This also means that the documents must not be mixed with third-party documents before being destroyed. It must therefore be agreed with the contractor that the customer and the responsible Data Protection Officer are entitled to perform checks until destruction is complete.
The provisions for commissioned data processing can be found in safeguard S 2.511 Regulation of commissioned data processing regarding the processing of personal data.
Review questions:
- Are data media containing personal data deleted and/or destroyed securely?
- Does the Data Protection Officer regularly check that data media containing personal data are deleted and/or destroyed in accordance with data protection requirements?