Data Sanitization Regulations

Data sanitization policies, procedures and requirements are mentioned (or alluded to) in many data protection and privacy regulations and guidelines. The sections below give the specific instructions from each directive, as well as clarifications in everyday language.

EU General Data Protection Regulation (EU GDPR)
Requirement | Data Sanitization Clarification
Article 1, Section 17: Right to erasure (‘right to be forgotten’)
1. “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
  3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  4. the personal data have been unlawfully processed;
  5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).”
Be able to provide proof of erasure for eventual audits by the Data Protection Supervisor. Have them accessible and tied to the requests for erasure from data subjects.
Article 13: Information to the Data Subject
1. “Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

  1. the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  2. the contact details of the data protection officer, where applicable;
  3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  4. where the processing is based on point… the legitimate interests pursued by the controller or by a third party;
  5. the recipients or categories of recipients of the personal data, if any;
  6. where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers…reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. ..[T]he controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

  1. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  2. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  3. where the processing is based on point…the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal […]

3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information […].”

When the purpose for which data is collected expires, ensure the data location is tracked and available for erasure. Keep tamper-proof records of compliance with this requirement.
39
“…Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted.”

Inaccurate data, if not corrected, should be securely erased, and a tamper-proof (digitally signed) record must be kept.
Chapter 3, Section 3, Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
“The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Articles 16, 17(1) and 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.”
Provide a certificate of erasure to the data subject, a tamper-proof digitally signed document.
Chapter 1, Section 5, Article 25: Data protection by design and by default
1. “[…] the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organi[z]ational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimi[z]ation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organi[z]ational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

“By design and by default” implies processes throughout the lifecycle of the data. Be able to demonstrate that end-of-life of data is planned for and procedures are in place to securely erase the data.
Article 30: Records of Processing Activities
1. “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

  1. the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  2. the purposes of the processing;
  3. a description of the categories of data subjects and of the categories of personal data;
  4. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  5. where possible, the envisaged time limits for erasure of the different categories of data […]”
Add the data controller’s contact details to the certified erasure reports.
HIPAA Security Rule - Subpart C
Requirement | Data Sanitization Clarification
§ 164.306 Security standards: General rules.
(B) Risk management (Required).
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

(D) Information system activity review (Required).
Implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.

Track data erasure events.
§ 164.308 Administrative safeguards.
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain and correct security violations.
Data sanitization should be incorporated in overall security management policies.
§ 164.314 Organizational requirements.
(i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will— (A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart.
Ensure that third parties have data sanitization policies in place and the technology and processes to fulfill them.
§ 164.314 Organizational requirements.
(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan
Safeguards should include data sanitization methods for end-of-life and temporary usage of health records.
§ 164.316 Policies and procedures
(i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
Limit liability by ensuring proper data sanitization at the end of the required retention period (6 years). Record all data sanitization events.
HIPAA Security Rule - Subpart D
Requirement | Data Sanitization Clarification
§ 164.504 Uses and disclosures: Organizational requirements.
(ii) Provide that the business associate will:

(I) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

Use proper data sanitization methods to destroy all protected data. Provide a tamper-proof record of destruction to demonstrate compliance.
§ 164.504 Uses and disclosures: Organizational requirements.
(I) If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction.
Use proper data sanitization methods to destroy all protected data. Provide a tamper-proof record of destruction to demonstrate compliance.
PCI DSS V3.2
Requirement | Data Sanitization Clarification
3.1
Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:

  • Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
  • Specific retention requirements for cardholder data
  • Processes for secure deletion of data when no longer needed
  • A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention
Link data retention periods to data sanitization processes. Use proper data sanitization methods to destroy all cardholder data. Provide a tamper-proof record of destruction to demonstrate compliance.
3.2
Do not store sensitive authentication data after authorization (even if encrypted).

If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.

It is permissible for issuers and companies that support issuing services to store sensitive authentication data if:

  • There is a business justification and
  • The data is stored securely
Apply data sanitization methods to all cardholder records as soon as authorization is complete.
9.8.2
Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
Use secure overwrite to ensure cardholder data cannot be forensically recovered.
10.7
Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived or restorable from backup)
Store all tamper-proof records of erasure in an easily retrievable format.
Sarbanes Oxley
Requirement | Data Sanitization Clarification
§ 1520. Destruction of corporate audit records, requires audit records, notes, etc. to be kept for at least five years.
Limit liability and discovery expenses by applying data destruction to records after the required retention period (5 years).
Saudi Arabian Monetary Authority (SAMA)
Requirement | Data Sanitization Clarification
“Information assets should be disposed in accordance with legal and regulatory requirements, when no longer required (i.e. meeting data privacy regulations to avoid unauthorized access and avoid (un)intended data leakage).”
Data sanitization should be applied to both media, at the end of its useful life, and records.
“Sensitive information should be destroyed using techniques to make the information non-retrievable (e.g., secure erase, secure wiping, incineration, double crosscut, shredding).”
Use appropriate data sanitization methods with full records of destruction.
“The Member Organization should ensure that third party service providers used for secure disposal, transport and storage comply with the secure disposal standard and procedure and the effectiveness is periodically measured and evaluated.”
Data sanitization should be applied to media at the end of its useful life, as well as to records.
New York State Cybersecurity Requirements of Financial Services Companies 23 NYCRR 500
Requirement | Data Sanitization Clarification
Section 500.13 Limitations on Data Retention.
As part of its cybersecurity program, each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information identified in section 500.01(g)(2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
Demonstrate compliance by creating and enforcing a data sanitization policy.
Philippines Data Privacy Act 2012
Requirement | Data Sanitization Clarification
Chapter VIII SEC. 27. Improper Disposal of Personal Information and Sensitive Personal Information.

  1. The improper disposal of personal information shall be penalized by imprisonment ranging from six (6) months to two (2) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than Five hundred thousand pesos (Php500,000.00) shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.
  2. The improper disposal of sensitive personal information shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.
Avoid penalties by implementing a data sanitization policy which identifies personal information, its purpose for collection and its entire lifecycle up to final destruction.
Chap IV Rights of the Data Subject.
e) Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information;
Be able to provide proof of erasure for eventual audits by data protection regulators. Have them accessible and tied to the requests for erasure from data subjects.
Singapore Personal Data Protection Act 2012
Requirement | Data Sanitization Clarification
Part VI Retention of personal data
25. An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that —

  1. the purpose for which that personal data was collected is no longer being served by retention of the personal data; and
  2. retention is no longer necessary for legal or business purposes.
Be able to provide proof of erasure for eventual audits by the Data Protection Supervisor. Have them accessible and tied to the requests for erasure from data subjects.
R2:2013
Requirement | Data Sanitization Clarification
1. Tested and Full Functions, R2/Ready for Reuse
(A) “Use effective test methods to confirm that all functions for equipment and components are working properly and ready for reuse, including properly configured with appropriate legally licensed software where required for operation of equipment and components, and device specific drivers within the product’s hardware…
When a device is not reusable, ensure that the data on it is destroyed effectively and the actions recorded.
“Data Destruction General Principle – An R2:2013 electronics recycler shall be responsible for data destruction of all media it handles using generally-accepted data destruction procedures.”
To limit liability, go beyond “generally accepted” to state-of-the-art data sanitization technology and procedures.
(b) “An R2:2013 electronics recycler shall document its data destruction procedures and include this documentation as part of its EHSMS.”
In addition to documenting a data sanitization procedure, provide auditable reports of erasure or destruction.
ISO 27000
Requirement | Data Sanitization Clarification
A.11.2 Equipment
A.11.2.7 Secure Disposal or Reuse of Equipment Control

All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
Apply data sanitization methods to all devices regardless of information on them.
Gramm–Leach–Bliley Act (GLBA)
Requirement | Data Sanitization Clarification
Article 682.3 – Proper disposal of consumer information – states that “Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” In this instance, “disposal” refers to the “discarding or abandonment of consumer information” or “The sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.”

The article also states that “Reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal include… implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.”

“Reasonable” should be interpreted as full data sanitization, and records should be kept in an auditable format.
NERC-CIP
Requirement | Data Sanitization Clarification
“prevent unauthorized retrieval of data from a cyber asset prior to discarding it or redeploying it.”
“Clarification of this requirement has been requested. The SDT has proposed that preventing unauthorized retrieval of data means to “render the data unrecoverable.”

In other words, full data sanitization measures are called for.

Japan Personal Information Protection Act (the “PIPA” Act. No 57 of 2003)
Requirement | Data Sanitization Clarification
Article 27: Discontinuance of the Utilization, etc.
1. Where a business operator handling personal information is requested by a person to discontinue using or to erase such retained personal data as may lead to the identification of the person on the ground that the retained personal data is being handled in violation of Article 16 or has been acquired in violation of Article 17, and where it is found that the request has a reason, the business operator shall discontinue using or erase the retained personal data concerned without delay to the extent necessary for redressing the violation.
Ensure that a process is in place to:

  1. respond to requests for erasure
  2. apply full data sanitization and
  3. create and provide a record of data sanitization.
Article 27 (3) Requirement for notification
Create a data sanitization report and provide it to the requesting data subject. Retain for audit.