Customer Misconception: The Certificate of Destruction Removes Regulatory Liability – Selling Information Disposition by the Book (vol. 7)
May 30, 2018
By Bob Johnson
It is understandable that data controllers would take comfort in the belief that once they hold a certificate of destruction from the service provider, they are no longer responsible for the security of the information. Unfortunately, there are still service providers that try to capitalize on that misconception. At its worst, this position is seen when a client says something like, “I don’t care about their security, I have a certificate of destruction, and so, if it turns up, it will be the service provider’s problem.” Of course, that is far from the truth. If records do turn up, the client will have to answer for its selection of that service provider and will be responsible for all the regulatory damages that result. In other words, the certificate of destruction does not transfer any regulatory responsibility from the client to the service provider.
Information Disposition stresses throughout that the only way to transfer any regulatory responsibility is through proper due diligence and contractual language, and even then the transfer is only partial and tenuous at best. It also contains clear language to dispel the misconception that a certificate of destruction has any value in that regard, and to make plain that reliance on it alone is a very dangerous practice.
On page 69, in Chapter 3: Records and Information Management Principles:
Data controllers sometimes also mistakenly view the certificate of destruction (CoD) as transferring liability for destruction to a service provider; the thought being that a CoD issued by the service provider makes them responsible for any damage should the information surface. This is a dangerous misconception. Obviously, the previous discussion on the difficulty associated with establishing proof plays into this discussion. For example, if one cannot prove that an item was in the batch or that it was the only copy, holding the service provider accountable is problematic. While this is true, the more significant reason the CoD is not capable of transferring liability is because regulations do not allow for it.
Of course, the statement above builds on the point that data controllers cannot transfer their regulatory responsibility to the service provider, which is documented in Chapter 1: Data Protection Regulations.