In 1997 a hospital in an eastern province of Finland was embroiled in a data scandal.
The hospital had sold some of its old computer equipment without thoroughly wiping the hard drives, and personal details of some 3,000 heart patients were leaked into the public domain.
The incident – though small by today’s standards of data loss – played out in the Finnish press, and inspired two local entrepreneurs to set up a company that helps businesses delete electronic data simply and efficiently.
Sixteen years later the company, Blancco, is still growing and is busier than ever in scrubbing data. But hospitals appear to have learnt very little. Only last June, an NHS trust was fined £325,000 by the UK’s data protection watchdog for leaking tens of thousands of sensitive patient records when it disposed of old computer equipment, some of which ended up on sale on eBay, the online auction site.
Kim Vaisanen, co-founder and chief executive of Blancco, says the issue of proper deletion is becoming more urgent, thanks to the arrival of cloud computing and new legislation from the EU.
But deleting data is harder than it sounds. “In 1997 my email, for example, was just on one machine in our office,” he says. “Now it is on my work machine, my mobile, home PC, iPad, and iPod. When you want to delete it, the problem is how to verify that it has been deleted everywhere?”
Mr Vaisanen says what Blancco provides is not so much a deletion but an audit service. The actual wiping of data is quick – an hour for a laptop, half an hour for a mobile device. The difficulty is meticulous documentation that the information has been purged everywhere.
“Our clients don’t pay us for the deletion – they pay us for the verification,” Mr Vaisanen says.
With cloud computing, data deletion becomes less about individual companies cleaning hard drives before selling off their computer equipment. A company’s data now sits on servers in a distant warehouse.
But even if it is a cloud services provider such as Amazon now doing the actual deleting for them – often with tools from companies such as Blancco – businesses are still responsible for ensuring that their customers’ data are expunged properly when they need it to be.
To make matters more urgent, from 2014 the EU is expected to bring in new data protection legislation which will give individuals the right to ask companies to delete their personal data, and will require companies to disclose data breaches within 24 hours. It will also empower data protection authorities to fine companies up to 2 per cent of global annual turnover if they fail to protect data.
The so-called “right to be forgotten” is the one technologists are particularly worried about. John Rose, senior partner and managing director of the Boston Consulting Group, says that organisations might struggle to delete customer records that are a part of their core operational information.
“You might have straightforward details, like a Sainsbury’s loyalty profile that can be deleted, but you can’t delete customer records that are related to paying taxes and managing a company profit and loss account,” he says.
“I am not sure how many organisations will be able to execute deletions in the context of the infrastructure they have now, and at a cost that is manageable.”
He points out that, in the era of the cloud, European companies may well be dealing with data sitting in server farms in Australia or the US, for example – countries that have different regulations on data and its deletion.
Peter Bauer, chief executive of Mimecast, which helps large companies manage their email storage and archiving, says that deleting individual records on request could prove difficult for companies.
“The right to be forgotten sounds good but in practical terms how do you go into a vast store of data and delete them in a granular way without damaging other data?” he asks.
“A significant corporate archive with petabytes [a petabyte is 1,000 terabytes] doesn’t work like an email file where you can delete things individually. It might not be in a format that can be edited.”
With information more likely to be held in a series of emails, or a recording of a phone call rather than in a structured database, it has become much harder to ensure complete deletion, Mr Bauer says. “Personal data are not usually sitting in one place. It can be in lots of documents, in email trails – it is jumbled up.”
Company data may also be held in a number of employees’ personal cloud folders such as Box.net and Dropbox, and organisations may have little control over what is being sent there unless they have agreements in place with employees to allow them to monitor this traffic.
Mr Bauer and Mr Rose are both so pessimistic about the feasibility of complete deletion that they question whether the new EU rules can be implemented.
“Companies are losing control of where their unstructured data are,” Mr Bauer says. And if they don’t even know where it is, they will not be able to delete it.