Data Security Policy and Procedure

1  Purpose

This policy and its annexes outline REPC Ltd’s commitment to securing, protecting and efficiently data-wiping/destroying customer equipment and any data it may contain.

2  Introduction 

Digital media and tape are widely used by many companies and organisations to collect and store data. When equipment comes to its end of life or is being replaced and updated with the prospect of being recycled for reuse, it is imperative that any confidential data and or sensitive information stored on the equipment is securely and efficiently destroyed in line with the provisions of the Data Protection Act. 

REPC Ltd is committed to collecting and securely transporting, data wiping, destroying and issuing Environment Agency compliant certification for magnetic media and data destruction.

Types of Equipment containing data processed by REPC includes but is not limited to:

  • Office Equipment (Laptops, PC’s, Cameras, Printers, Scanners)
  • Servers and Data Centre Items (Servers, Routers, Switches)
  • Single Purpose Media (DVD’s, CD’s, BluRay discs)
  • Hard Disk Drives
  • Other Magnetic Media Technologies (Floppy Disks, Cassettes)
  • Solid State Drives (SSD) and Hybrid Drives (HDD+SSD)
  • Other Flash Media (USB Thumb Drives, SD/microSD Cards)
  • Smartphones, Tablets and Notebooks

3  Collection and Security

All equipment collected use REPC registered vehicles and DBS security checked staff only and an asset collection register is agreed and signed by customers on collection.

During transit all collected equipment is kept secured and supervised at all times and unauthorised stops are permitted.

REPC immediately audits all equipment once on site to ensure all items are accounted for and match the collection register. Any equipment containing data is then stored securely in locked security cages prior to data wiping/destruction.

REPC have 24 hour recorded CCTV across its site including all loading areas and access to the site and storage facility is restricted.

4  Data Wiping/Destruction

REPC offer our customers a range of packages for secure data wiping and use recognized industry standard CESG compliant data erasure methods as part of the decommissioning process. For more info: –

Where a data containing device is faulty and cannot be erased or is deemed end-of-life, it is physically destroyed on-site to recognized industry standards.

REPC promptly undertakes the data destruction process to ensure client’s data is only onsite for a limited period and aims to complete the process within 10 working days of collection (subject to quantities and data erasure methods). During this time all devices containing data are kept in locked security cages. Unauthorised personnel or visitors do not have access to the data wiping suite or security cages.

5  Data Security Incident/Threat

In the unlikely event that REPC data security procedures are not implemented, or an incident/breach is identified which compromises the security of data or information of REPC or data/information held by REPC on behalf of our clients or customers. REPC will respond immediately in line with the following Procedure

5.1  Emergency Incident Procedure

In the event of an emergency incident or security breach it is the responsibility of all REPC staff, sub-contractors and agents acting on behalf of REPC Ltd to comply with REPC’s emergency incident procedure, reporting any incident, threat of an incident or an incident that almost happened, but, was averted to the designated manager as soon as is safely possible:

  • Members of staff discovering the incident/threat/breach must report it immediately to a member of REPC’s senior management team and complete the incident report register.
  • If the incident occurs off site or during transit, contact must be made with a member of the senior management team via telephone immediately (ensuring it is safe to make a call, do not use the phone while driving).
  • Affected Operations/Activity should be halted until it is deemed safe to restart.
  • An investigation into how the incident, threat occurred shall be undertaken by a designated manager.
  • An action plan including communications with any customers or stakeholders affected by the breach should be produced and implementation commenced within 48 hours or as soon as is practically possible.
  • A non-compliance incident report must be completed in the non-compliance register.
  • Once the designated director is satisfied that the incident has been correctly categorised, resolved or there is a plan and controls in place to resolve it and the emergency/security breach or threat is removed, authorisation from the designated manager must be provided before affected operations can be reinstated.
  • All incidents/emergencies/security breaches must be reported to REPC’s management team and added to relevant risk assessments as appropriate.

5.2  Summary of Security Breach/Threat Incident Procedure

  • Security Breach/Threat Identified
  • Halt operations
  • Reported to designated manager
  • Notify Emergency Incident Co-ordinator (EIC)
  • Initial assessment undertaken by EIC
  • Contain the damage and minimize the risk
  • Convene Incident Management Team
  • Identify the type and severity of the compromise.
  • Incident Recovery Plan produced
  • Recommendations made to EIMT
  • Notify external agencies if appropriate
  • Formally record and add to non-compliance register
  • Restart processes when safe to do so
  • Assess incident damage and cost.
  • Review the recovery plan, update policies and train staff.

6  Applicable to

This Policy & accompanying procedures must be followed at all times by REPC Ltd staff, volunteers and Sub-contractors or agents acting on behalf of REPC Ltd when collecting, transporting, receiving, storing and processing equipment to and from and on REPC Ltd premises.

7  Compliance

  • All relevant company policies and procedures, including Health and Safety, Privacy, Quality and Environmental must also be followed taking care not to cause injury or endanger you or other REPC staff and agents.
  • At all times staff must ensure that all equipment and any data it may contain is treated and handled carefully and securely in line with the policy and procedures outlined in this document and where appropriate in full view of the CCTV cameras.
  • In no circumstances should equipment or data be removed from the workshop once booked in, or taken out of the view of the CCTV cameras erected in the ground and 1st floor workshops or be left unattended.
  • Failure to comply with this policy and related procedures may result in disciplinary action