
I have been hunting around for a couple of weeks trying to find what the current standards for sensitive data destruction in the EU/UK are.

If you look at the destruction companies they have several answers: BS EN 15713:2009 comes up a lot, but so does DIN 66399, which some places put an EN in front of, making it an EU standard. On top of that, a lot of places refer to the UK HMG IA 5 standard, but they have been superseded. The latest standard I can find is the April 2014 CPNI Standard secure destruction of sensitive information.

But nothing seems to be as definitive as FIPS 880-88r1 and the CMRR research from UC:SD, but some of it contradicts these.

EnviableOne

  • Nuke the entire site from orbit--it's the only way to be sure – Aron Apr 14 '16 at 08:24
  • The nicest thing about standards is that there are so many to choose from. Can you give us a little background to your question? Is there some reason why you can't just choose one of BS EN:15713 or DIN 66399 and use that? – Graham Hill Apr 14 '16 at 14:54
  • @GrahamHill - I'd love to choose, but working inside the public sector, someone should have made the choice for me, but there doesn't seem to be anyone prepared to publish something to that effect – EnviableOne Apr 15 '16 at 15:17
  • Do you need to perform data destruction for regulatory reasons, or are you simply looking to implement 'best practices'? – Daisetsu Apr 24 '16 at 02:28
  • @Daisetsu It's a compliance thing, but the guidance is useless and best practice is as clear as mud. – EnviableOne Apr 27 '16 at 09:09
  • [The Security Policy Framework](https://www.gov.uk/government/publications/security-policy-framework) (successor to the HMG IA standards) only mentions appropriate controls and doesn't define them – EnviableOne Apr 27 '16 at 09:18
  • Is it possible you could perform to all the standards you've found? Just picking the more intense of any 2 actions. – Daisetsu Apr 27 '16 at 16:53
  • @EnviableOne if you're in the UK then surely you should be using a CESG CCTM tool ? – Little Code Jun 15 '16 at 06:38
  • @LittleCode I have looked for the tool you mention, but I can't find it on the CESG site; any idea on a link? The latest bit on CCTM I can find says it's under review. – EnviableOne Jun 15 '16 at 08:54
  • https://www.cesg.gov.uk/searchtype/product?f[0]=field_product_certifications%253Afield_assurance%3A226&f[1]=field_product_type%3A68 (bear in mind those are only validated up to OFFICIAL marking, if you're working with high grade data then a different approach may well be needed) – Little Code Jun 15 '16 at 10:04

2 Answers

I'm not 100% sure what the EU laws and guidelines would be, however; I suspect it's left to the member states to decide what to issue in regards to deletion of personal information. With that said, I found a PDF from the UK's Information Commissioner's Office (ICO) and they state in this document that...

...the ICO will adopt a realistic approach in terms of recognising that deleting information from a system is not always a straightforward matter and that it is possible to put information ‘beyond use’, and for data protection compliance issues to be ‘suspended’ provided certain safeguards are in place

information has been deleted with no intention on the part of the data controller to use or access this again, but which may still exist in the electronic ether. For example, it could be waiting to be over-written with other data.

information that should have been deleted but is in fact still held on a live system because, for technical reasons, it is not possible to delete this information without also deleting other information held in the same batch.

and in addition to this, in the next section it states:

The ICO will be satisfied that information has been ‘put beyond use’ if not actually deleted, provided that the data controller holding it:

  1. is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
  2. does not give any other organisation access to the personal data;
  3. surrounds the personal data with appropriate technical and organisational security; and
  4. commits to permanent deletion of the information if, or when, this becomes possible.

So I suspect that they themselves do not know the best approach, so are leaving it vague. As long as you make the effort to show you deleted it and tried to make it unrecoverable, then I guess they are happy with that. As you and Graham Hill (comments) suggested, I would go with an industry standard such as BS EN 15713 or DIN 66399.

Accessed 15 May 2016

ICO Website for newest guidelines (UK)

ICO PDF on deletion

octo-carrot

ENISA is probably your friend here, taking a look at the ENISA report on Securing personal data in the context of data retention, there is a specific quote:

there are no norms and standards in place regulating how the destruction of data should take place.

along with the recommendation:

Provide clear instructions on the procedures that have to be followed at the end of the retention period, when the data are to be deleted securely.

So I would guess that there are no standards yet.

Colin Cassidy