Newsletter

Think before you leave…. Obligations to destroy personal information | Supawat Malanon

Section 37(3) of the Personal Data Protection Act B.E. 2562 states that a personal data controller has a duty to put in place an audit system for the deletion or destruction of personal data once the retention period has ended, when the data is no longer related to or exceeds what is necessary for the purpose for which it was collected, when the data subject requests it, or when the data subject has withdrawn consent, unless a legal exception applies.

The Act itself prescribes no specific method of data destruction. Instead it empowers the Personal Data Protection Committee to issue rules on erasing or destroying personal data, or rendering it unidentifiable to the data subject (no such rules have been published at this time).

Where data that should have been destroyed is instead kept and later published or leaked outside the organisation, that information inevitably loses its confidentiality (a breach of confidentiality).

A case of discarding documents without destroying them properly came to light in 2015, when the Attorney General of Indiana, United States, alleged that a dentist had left more than 60 boxes of patient records in the trash.

Such actions violate state and federal privacy laws. In this case the dentist pleaded guilty to the charges brought by prosecutors and was fined $12,000.

Therefore, when considering the duty to delete or destroy data as part of data management, organisations can take the following steps to reduce the risk of acting unlawfully:

1) When an organisation no longer needs personal data and there is no requirement to archive it, the data should be securely destroyed. Personal data should not be destroyed without sign-off by a person or body that the organisation has entrusted with that duty.

2) A record of destruction should be kept, covering what was destroyed, when it was destroyed, and the person authorised to carry out the destruction (including where the work was outsourced to an external organisation).

3) Where personal data is held on a storage medium, the medium should be destroyed with a level of security corresponding to the classification level and sensitivity of the data it holds.

4) Paper containing personal data should be disposed of in a secure confidential waste bin (opaque or covered), and all electronically stored documents and backup copies should be deleted. Deletion should be carried out by someone with appropriate access to the system. Digital documents should be deleted and not overwritten.

5) When the original data is destroyed, all copies of it should be destroyed at the same time. Data is not considered completely destroyed until every copy has also been destroyed.


In terms of how to destroy each type of storage medium, the organisation can consider the following methods:
1. Information on paper or in printed form: an internal shredder can be used, or a document destruction service from an external organisation.

2. Digitally recorded information: when deleting it, the organisation should be aware that the information may have been copied elsewhere in the system, so the data may not actually be gone even after the deletion has been carried out.

To delete data permanently, the data must no longer be available, and no one must be able to access or use it once it has been deleted. When data is deleted and put in the trash (recycle bin), the system usually keeps the data for a period of time.

Organisations wishing to delete this type of data can do so by:
2.1 Using secure erase software, i.e. software designed to erase data securely.
2.2 Using experienced IT consultants.
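To make points 2) and 2.1 above concrete, here is an added example that is not part of the original article and is not any vendor's secure erase tool. It simulates an ordinary delete, where the bytes survive unchanged in a recycle-bin directory, beside an in-place overwrite-and-unlink that also returns the record of destruction the article calls for (what, when, who, method, verification). The file name, operator name, record fields and sample content are constructed for illustration.

```python
"""Added example: ordinary delete vs. overwrite-and-unlink, with a
destruction record. Not from the original article; names and fields
are assumptions for illustration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample content standing in for a personal data file.
SAMPLE_RECORD = b"name=Somchai;national_id=0000000000000;diagnosis=confidential\n"


def write_sample(directory):
    path = os.path.join(directory, "patient.txt")  # assumed file name
    with open(path, "wb") as f:
        f.write(SAMPLE_RECORD)
    return path


def ordinary_delete(path, trash_dir):
    """Models 'move to recycle bin': the bytes survive unchanged elsewhere."""
    os.makedirs(trash_dir, exist_ok=True)
    trashed = os.path.join(trash_dir, os.path.basename(path))
    os.replace(path, trashed)
    return trashed


def still_readable(path):
    """Return the file's bytes; used to show that a 'deleted' file persists."""
    with open(path, "rb") as f:
        return f.read()


def secure_erase(path, operator, passes=3):
    """Overwrite the file's bytes in place before unlinking, then return a
    destruction record. Caveat: on SSDs, journaling/copy-on-write file
    systems and cloud storage, an in-place overwrite is not guaranteed to
    reach every physical copy or snapshot; media-appropriate methods from
    NIST SP 800-88 are needed there."""
    size = os.path.getsize(path)
    digest_before = hashlib.sha256(still_readable(path)).hexdigest()
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(os.urandom(size))
            f.flush()
            os.fsync(f.fileno())
        # Final zero pass so the verification read is deterministic.
        f.seek(0)
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())
        f.seek(0)
        overwritten = f.read() == b"\x00" * size
    os.unlink(path)
    return {
        "what": os.path.basename(path),
        "sha256_before": digest_before,   # identifies what was destroyed
        "size_bytes": size,
        "when": datetime.now(timezone.utc).isoformat(),
        "who": operator,
        "method": f"{passes}x random overwrite + zero pass + unlink",
        "verified_overwritten": overwritten,
        "verified_removed": not os.path.exists(path),
    }


def demo():
    """Run both scenarios in a temp dir; returns (recoverable_after_ordinary_delete, records)."""
    with tempfile.TemporaryDirectory() as d:
        # 1. Ordinary delete: the data is still readable from the 'recycle bin'.
        p = write_sample(d)
        trashed = ordinary_delete(p, os.path.join(d, "trash"))
        recoverable = still_readable(trashed) == SAMPLE_RECORD
        # 2. Secure erase of the trashed copy and of a second copy, since the
        #    data is not destroyed until every copy is.
        operator = "records-officer (assumed)"
        rec1 = secure_erase(trashed, operator)
        p2 = write_sample(d)
        rec2 = secure_erase(p2, operator)
        return recoverable, [rec1, rec2]


if __name__ == "__main__":
    recoverable, records = demo()
    print("readable after ordinary delete:", recoverable)
    print(json.dumps(records, indent=2))
```

The two verification flags only show that the logical file was overwritten and removed; they say nothing about filesystem journals, snapshots or flash wear-levelling, which is why the article points to NIST SP 800-88 for choosing a method that suits the medium. The SHA-256 taken before erasure lets the record identify what was destroyed without retaining the personal data itself.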


Organisations can also adopt international standards for the erasure or destruction of data as guidance for destroying data on various storage media, such as NIST SP 800-88, Guidelines for Media Sanitization.

Sanitization, as that document defines it, is a process that makes it impossible to access target data on a storage medium for a given level of effort.

The destruction method an organisation chooses depends on the confidentiality level of the information concerned. Deciding on the destruction method involves:
1) Categorising the information according to its confidentiality level and access requirements.
2) Evaluating the characteristics of the storage media.
3) Weighing the confidentiality risks.
4) Deciding how the media will be used in the future (i.e. will it be reused within the organisation, donated, shredded, or rendered unusable?).

NIST SP 800-88 also provides guidance on the roles and responsibilities of the individuals involved in the organisation, on the decision-making process, and on the techniques and methods for erasing data from different types of storage media, such as overwriting or shredding, among others.

Another important consideration when using data destruction contractors is that the organisation is giving a third party access to its personal data in order to carry out destruction on its behalf. Ordinarily, the duty to destroy that personal data rests with the organisation as the personal data controller.

The organisation must therefore consider putting a personal data processing agreement in place, and must select its data destruction contractor carefully, so as to prevent data leaks caused by the contractor's own actions. In addition, the contractor must be able to check and verify that the data has indeed been deleted.
Source: Personal Data Protection Act B.E. 2562, Section 37(3) and Section 33

References
1. ICO, Retention and Disposal Policy V.8 (2022), https://ico.org.uk/media/4018504/retention-and-disposal-policy.pdf
2. ICO, Retention and destruction of information, https://ico.org.uk/for-organisations/guidance-index/freedom-of-information-and-environmental-information-regulations/retention-and-destruction-of-information/
3. NIST SP 800-88, Guidelines for Media Sanitization
4. Ex-Kokomo dentist to pay $12,000 over discarded records, https://www.indystar.com/story/news/crime/2015/01/10/ex-kokomo-dentist-pay-discarded-records/21554347/

Technology, Law and Security Column

Thienchai Na Nakorn
Chair of the Personal Data Protection Committee
Supawat Malanon
King Mongkut Thonburi University of Technology