Bite-sized Good Practice Guide: Media Disposal


Floppy disks and magnetic tape

Whilst disks and tapes can be reformatted or erased, it may still be possible to retrieve data from them. The safest option for protecting any confidential or sensitive information is therefore to physically destroy the media before disposing of it as normal waste.

USB memory sticks

These data storage devices may have a useful lifespan of several years. However, if a stick is no longer being used and needs to be disposed of, and there is the possibility that it may have been used for the storage of any confidential or sensitive information, then physical destruction of the device is the safest way to guarantee that recovery of any data is impossible. Incineration or brute force will ensure that the device cannot be reused.

Paper

Traditionally, disposal of paper records has consisted of simple vertical shredding. However, this method is not suitable for confidential or restricted information. A cross-cut shredder, or incineration, is more effective for particularly sensitive documents. Again, specialist services may be employed, but these service providers must issue a certificate of destruction. A simple rule for paper documents is: if in doubt, shred it.

Further information

NHS Connecting for Health

For information on media disposal in the NHS, visit nww.connectingforhealth.nhs.uk

Remember:

Do

dispose of media in accordance with your organisation’s policy on records management and information security

consider the content of the media being disposed of to determine whether it is of a confidential or sensitive nature, and use an appropriate disposal method

keep a log of all media that may contain sensitive information; update the log with removal or destruction certificates with the date of disposal

obtain certificates of destruction for media disposed of using specialist services

check out available recycling methods where possible.

Don’t

destroy the only copy of a record if it is not yet due for disposal under your organisation’s records retention guidelines

discard media in the office waste without due care and attention to its contents and environmental implications, even if you believe the media to be obsolete and of no interest to a third party

reassign ownership of computer equipment, even obsolete equipment, to another party without considering all the legal implications of so doing.

© Crown Copyright, July 2008

Ref: 4159

Good practice guide

Media disposal

What is media?

The term ‘media’ is used here to describe all possible methods of storing information such as on:

the hard drive of your computer

floppy disks, CDs and DVDs

magnetic tape (generally used for backups)

USB memory sticks

paper documents.

What is media disposal?

Most information and the media it is held on has a finite term of usefulness. Therefore at some point you will need to get rid of computer files, the computers themselves, disks and physical files.

In the past, disposal of media consisted of throwing it in the nearest bin or skip. This is no longer an option - it is illegal - for two reasons:

1 Security of data

Compliance with financial regulations, data security and the Data Protection Act all require that information, whether it is personal, organisational or financial, is held and disposed of securely. This is of particular relevance to the NHS for the protection of confidential patient and other personal or sensitive information.

2 Environmental protection issues

In the past magnetic media was dumped in landfill sites along with household and general rubbish.

However it was quickly realised that magnetic media does not break down and decay. It is therefore no longer lawful to dispose of magnetic media in this way.

How does this affect me?

Much of the information entrusted to you may be of a confidential, personal or sensitive nature, and it is important that the security of this information is preserved up to and including the point of disposal.

There have been numerous disclosures of sensitive information, for example, following the purchase of second-hand computer equipment, or from the discovery of electronic or hard-copy documents that have been discarded without due care and attention. These disclosures occur because data was not deleted from the media, or was deleted ineffectively, allowing it to be retrieved by unauthorised users.

Your organisation is likely to have a policy for the secure handling and disposal of records under established record retention guidelines. You should in the first instance follow the guidance provided by your organisation for records management, information security and environmental policies in relation to this issue.

How can I dispose of media securely?

Once it has been decided that the information or storage media is no longer needed, there are different ways to securely dispose of the data and media, depending on the media type:

Hard disk drive

Whilst you can ‘delete’ files from the hard drive on your computer, the files are not actually physically destroyed and could still be accessible using widely available data retrieval software. This will only matter at the point where your computer has become obsolete and will no longer be used, or ownership of the equipment is being transferred outside your organisation.

It is likely, therefore, that specialist techniques for completely removing the data will be provided by your IT support or by a reputable third party service provider.

If this service is outsourced, then the provider should issue a certificate to verify that the data removal has been completed. You must seek assurances that the data has been completely removed from the media before the computer is disposed of.

If the computer is likely to be reused, then further consideration must also be given to the licensing of any software that may still reside on the computer. Seek advice for this if you are not sure what to do.

Where computer hardware is to be scrapped, this must be done in a manner which complies with the Waste Electronic and Electrical Equipment (WEEE) directive.

There are many specialist waste disposal service providers who could be used for this.

CDs/DVDs etc

Some CDs and DVDs can only be written to once; others may be rewritable. However, in either case, in order to be sure that the data is adequately protected, the best method for disposal of these disks is to physically destroy them, rendering them useless.

Breaking the disks into pieces and disposing of them as normal waste is suitable for non-sensitive data. Some paper shredders also support destruction of disks in this manner - but check first before you use one for this purpose!

Alternatively, your organisation may employ specialist services for disposal of this media to ensure that no toxic substances are released into the environment.
