What happens when the life cycle of a digital device comes to an end? What should be done with the documentation on physical support after its conservation period?
How can we share documents with sensitive or confidential information with third parties who need to see part of the content? The answer to these questions is found in “sanitization”. This article will explain what information sanitization is and how we should carry it out.
What is data sanitization?
The sanitization of information, also called disinfection, is the process by which confidential or sensitive information is censored or eliminated from a physical or digital medium, being able to respond to different objectives, such as the partial declassification of documentation, the reuse of a device or the destruction of the support in which the information is found.
Also Read: How to View Saved Passwords in Chrome
Therefore, we speak of sanitizing information when we need to give access to certain documents that may contain sensitive or confidential information or comply with regulations such as data protection. We censor those parts that third parties who will access said information do not authorize to know.
For example, when court rulings are published, the personal data relating to the parties appear redacted (censored) to preserve the identity and privacy of individuals. Here we will be talking about sanitizing personal data.
On the other hand, we also talk about information sanitization, when you must delete files and documentation stored on digital devices, such as computers, hard drives, USB memories, etc.
In this case, the sanitization of data and information goes beyond deletion since it must ensure, in a reliable and verifiable manner, that the data and information contained in the devices have been eliminated and must destroy the device, which has been done in compliance with the corresponding standards.
The sanitization of information on digital devices can be carried out when the proper life cycle of these devices ends or when they go to another person or are going to be reused in some way or sold.
The sanitization of information also covers, as we have said, the information in physical support that must be destroyed. The same thing happens with digital devices; this documentation must be destroyed.
In any case, the final objective of information sanitization is to make it impossible to recover the information in the destroyed or edited physical or digital media.
How is data sanitization carried out?
The data and information sanitization process vary depending on the support in which it is located and if what is pursued is the destruction of these devices, the elimination of specific files they may contain. Still, without destroying the support, the destruction of documents or only certain parts need to be edited.
In electronic media
In electronic or digital media, sanitization consists of carrying out a logical and physical procedure through which the information is eliminated; that is, files are deleted, and, if necessary, the destruction of the data is. Own device.
The logical process consists of carrying out a secure erasure of the entire device or of the information that you want to sanitize.
This deletion consists of the application of computer techniques that delete and overwrite the data several times to make it impossible to recover the deleted information (must take into account that a simple deletion, such as the one a user performs on his computer, may not be enough, because the information may still be recoverable using specific tools and programs).
The physical process is destroying the device, for which different methods and tools depend on the type of device to be destroyed. Other international standards indicate the most appropriate means of destruction.
In physical media
For information on physical supports, that is, on paper, sanitization will be carried out by destroying it, either using paper shredders or burning it (the shredder is more recommended because it is safer).
As with the destruction of digital devices, information security standards also establish how should destroy documents based on the data they may contain (such as the size of the resulting particles).
If you only want to edit part of the content, you can use specific software to redact texts (redact in the sense of censoring certain features). For companies that need to sanitize large volumes of documentation, there is software that automates this process.
Why should a company sanitize the confidential information it handles?
There are several reasons why information sanitization should be resorted to, some of which we have already cited throughout the article.
In the first place, it is a matter of regulatory compliance; laws such as data protection require the privacy of personal data handled in a company to be guaranteed and, therefore, it is necessary to sanitize all those documents or digital media that may contain personal data, either because must delete them once their purpose has been fulfilled or so has been requested by an interested party, or because these documents need to be shared with third parties. We have to protect (censoring) that data.
It is also necessary to sanitize the documentation containing confidential information related to the company (procedures, contracts, intellectual property…) that must be shared with other company members not authorized to know said information or with external third parties.
On the other hand, about the two previous paragraphs, if digital devices (computers, tablets, USB sticks…) are going to be reused, sold or destroyed, sanitizing them is vital, mainly if they contain confidential information at some point or sensitive since if it is not done correctly, this or part of it could be exposed.
In addition, we must bear in mind that in terms of data protection, not correctly destroying the documents or media that may contain personal data can be grounds for sanction (as some judgment has already proven, it is not enough to throw the papers in the trash, must destroy them correctly and in such a way that cannot recover the information cannot recover the data).