Investigation into disposal of electronic data

05/02/2009

(CNS): The disposal of electronic data storage containers (EDSCs), which can contain confidential information, is the subject of an Own Motion Investigation by the Office of the Complaints Commissioner. The OCC investigation will look into the Asset Disposal Policy of the chief officers of all ministries and portfolios to determine whether government is properly disposing of EDSCs when they are no longer of use to government.

According to the OCC, EDSCs include computer hard drives, disks, diskettes, CDs, DVDs, USB thumb drives, tapes, smart cards, plus scanner, photocopier, camera and fax machine memory chips and PDAs, as well as any other equipment containing any form of EDSC. Some EDSCs are used to store information electronically which is either private, confidential, privileged or pertaining to national security.

All chief officers were notified by letter on 21 January 2009 that the OCC was starting an investigation as to whether electronic data in their ministry or portfolio was being disposed of properly – defined as meeting the US Department of National Defence’s (or equivalent) standards for wiping data from these containers, or where appropriate destruction of the container.

The potential outcomes range from a public declaration confirming the good work of individual chief officers through to a finding of maladministration against individual chief officers and recommendations for improvement, the OCC release stated. Chief Officers were asked to take steps to preserve any and all evidence that may relate to the topics under investigation.

They were also asked to deliver to the Commissioner’s Office by 28 January: the policy of their ministry as a whole for the disposal of EDSCs, including each department’s policy if they have been delegated that responsibility, and proof of that delegation; if the policy is to turn over EDSCs to the Computer Services Department for disposal, to provide a copy of that service agreement; if their ministry has no policy, to provide information on what is done with EDSCs that are no longer in use.

Complaints Commissioner Dr John Epp said about half have so far responded. “The responses have been mixed, with some officers producing a policy which does, at first read, appear to be in good order.”

The Commissioner anticipates that the first stage of the investigation will be completed in one month if full cooperation is given.

A release from the OCC points out that, under the Public Management and Finance Law (2005), it is the responsibility of Chief Officers to dispose of government assets, and there is some evidence that assets which store information electronically are not properly erased before disposal. Therefore, in accordance with the Complaints Commissioner Law (2006R), Complaints Commissioner Dr John Epp has determined that there are reasons of special importance which make an investigation by the OCC desirable in the public interest.

The Financial Regulations (2008R) state that each Chief Officer needs to implement an appropriate system of internal controls, and further that assets are publicly owned and must be accounted for during their use or disposal. Under the Public Service Management Law 2007, data that is stored in the asset must be protected and contracts of use of software must be honoured.

This investigation has been determined to be of special importance and in the public interest because of the obligation on government to properly safeguard sensitive information in its possession and the harm that might come to individuals and organizations if sensitive information was left unprotected when EDSCs leave the control of government.