Published on December 22, 2018, Updated on April 4, 2022
As service providers gather increasingly personal information across larger cross-sections of the population, governments have worked through legislation and compliance requirements to ensure those providers do everything possible to protect that data. One component of these requirements covers what must be done with personal data once a company no longer needs it and is no longer required to keep it on file. In many cases, the legislation requires service providers to obtain and keep on file a Certificate of Destruction verifying that the data has been destroyed in a way that makes it unrecoverable.
Necessary Components Track Chain of Custody
Certain information should be included in order to create a thorough document that meets the criteria outlined by compliance requirements:
- Unique serialized tracking number.
- Date, location, and agreement to assume custody of data.
- Terms and conditions agreed to by the two parties as to the destruction of data.
- Acceptance of fiduciary responsibility by the organization destroying the data, assuming liability for maintaining the confidentiality of the data while it is in the provider’s possession.
- Date liability assumed, date of destruction, location of destruction, and witness.
Regulatory Compliance Requirements
While there are numerous local- and state-level data protection requirements, several major federal compliance laws require service providers to obtain Certificates of Destruction once an acceptable method of information disposal has been carried out. Acceptable methods include using software to overwrite the media, purging data by degaussing, or physically destroying the media by pulverization, incineration, or shredding.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA): Controls how personal health information must be managed by medical service providers.
- Gramm-Leach-Bliley Act: The Financial Modernization Act of 1999 specifically outlines how financial institutions must handle personal data.
- Fair and Accurate Credit Transactions Act of 2003 (FACTA): An amendment to the Fair Credit Reporting Act to improve the accuracy of consumer credit records and to expand provisions for tracking and reporting identity theft. While the Dodd-Frank Act transferred many of FACTA’s requirements to other organizations and legislation, the requirements for the destruction of credit-related data remain under FACTA.
This is not an exhaustive list by any means, but it provides an idea of the types of protections that are in place and why Certificates of Destruction are such a crucial component in the lifecycle of private consumer data.
A Data Destruction Service Devoted to a Greener Planet
To alleviate the burden on businesses of managing the disposal of outdated data storage media, 1 Green Planet offers free disposal of appliances and technology, as well as data destruction services in line with federal requirements, complete with Certificates of Destruction. Contact us today to set up a pickup or arrange to drop off your equipment.