Even after you have transferred ownership of your IT equipment at the end of its life cycle, you cannot completely transfer the responsibility for protecting the data held on those devices. Choosing a third-party data processor who will share that responsibility is an important decision, and one which should be given serious consideration, such as:
There is no “one size fits all” solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, so you should adopt a risk-based approach to deciding what level of security you need.
In brief – what does the Data Protection Act say about information security?
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
be clear about who in your organisation is responsible for ensuring information security;
make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
be ready to respond to any breach of security swiftly and effectively.