Privacy/Data Protection & Media Sanitization

HP takes its responsibility to protect its customers’ confidential information, in particular customer personal information, very seriously. Today, more and more personal information than ever before is being stored and processed on electronic devices and media. Consequently, the appropriate handling of sensitive data contained on data storage devices is a concern for many customers. Customers have a responsibility to ensure that their data is not compromised. HP is committed to assisting customers with the protection of their data, and with the prevention of unauthorized access to such data. HP has services available to assist its customers with the safeguarding of customer data. HP offers options for Disk Sanitization, such as the HP Disk Sanitizer for our SMB products, as well as HP’s Data Privacy Services. Additionally, customers may retain their defective drives by purchasing a Defective Media Retention (DMR) contract. Finally, HP systems increasingly have the option of using “self-encrypting drives” which can significantly increase the security of all data contained on the drive. Download – HP’s Media Sanitization Policy (pdf)

HP Data Privacy Services

Controlling personal data is not just a sound business practice; it’s becoming the law in many countries. HP recently announced a comprehensive suite of IT services that protect and manage sensitive data while helping reduce risk, improve life cycle data management, and manage compliance with new and existing federal regulatory requirements. HP is in a unique position to offer services that help customers manage and protect sensitive data, including the secure retention and sanitization of hardware components, active or retired, that may contain personal health information. Our corporate culture of respecting privacy is strong. HP has again been named as the top technology provider and #2 overall "most trusted company for privacy" by a leading vendor in privacy, Ponemon Institute. Our framework for privacy focuses on three ways to control data – retain, remove and recover. Our services help customers manage hardware components, active or retired, that contain data. More information can be found at www.hp.com/services/dataprivacy

HP Disk Sanitizer, External Edition

Deleted files aren't really wiped clean from your hard drive. Anyone with basic knowledge of data recovery can "undelete" them. When you are ready to recycle, reassign or trade in your desktop, ensure data is properly erased with HP Disk Sanitizer, External Edition. You may also be able to use this tool to sanitize a drive prior to replacement. This innovation permanently erases data using a U.S. Department of Defense Algorithm (DOD D5220 22-M Chapter 8), eliminating the need to purchase third-party software to erase files. Disk Sanitizer is free software available for download and will work on select HP business PCs. If you have specific regulatory requirements for data sanitization, please compare those requirements to the capabilities of the HP Disk Sanitizer External Edition. The HP DSEE is designed as a general purpose tool and may not meet specific regulatory requirements. Download - HP Disk Sanitizer, External Edition

US Regulatory Requirements

Customers with heightened data security or privacy concerns, particularly those with federal regulatory requirements (e.g. HIPAA/HITECH, Gramm Leach Bliley (GLB), etc.) and state regulatory requirements (e.g. the various state data breach laws), need to delete, encrypt, or sanitize sensitive data prior to returning defective media to HP. If such steps are not possible with respect to sensitive data, customers need to retain their defective storage media by either purchasing Defective Media Retention (DMR) service or by purchasing the replacement media. Download – HP’s Media Handling Policy for Healthcare Customers (pdf)

Canadian and Latin American Regulatory Requirements

Canada has a combination of Federal and Provincial Privacy laws. At the federal level, the Personal Information Protection and Electronics Act (PIPEDA) is applicable to all federally regulated businesses. Provincial laws also exist in three provinces, namely British Columbia, Alberta and Quebec. Additional laws related to the privacy of health information also exist within all provinces and territories. In Latin Americas, privacy laws exist in a number of countries and are being enacted in many more. Laws exist in Argentina, Uruguay and Mexico and are going through the legislative process in Chile, Paraguay, Brazil, Peru, Colombia, Costa Rica and Nicaragua. These privacy laws all require that personal information is protected and is only accessible by authorized individuals. Consequently, customers with personal information that originates in these countries need to delete, encrypt, or sanitize this personal information prior to returning defective media to HP. If such steps are not possible with respect to sensitive data, customers need to retain their defective storage media by either purchasing Defective Media Retention (DMR) service or by purchasing the replacement media. Download – HP’s Media Sanitization Policy (pdf)

Europe Middle East and Africa Region Regulatory Requirements

Much of the privacy and data protection legislation that exists globally today, with the notable exception of the United States, is based on the European Union (EU)1 Data Protection Directive on 1995. The laws in place in all 27 EU member states are based on this EU directive as are the laws in three other members of the European Economic Area (AAE)2 and Switzerland. In Eastern Europe, privacy laws exist in Russia and Azerbaijan. Similar privacy laws are now beginning to appear in some countries in the Middle East and Africa. Examples include Dubai, Israel, Morocco and Tunisia. These privacy laws all require that personal information is protected and is only accessible by authorized individuals. Consequently, customers with personal information that originates in these countries need to delete, encrypt, or sanitize this personal information prior to returning defective media to HP. If such steps are not possible with respect to sensitive data, customers need to retain their defective storage media by either purchasing Defective Media Retention (DMR) service or by purchasing the replacement media Download – HP’s Media Sanitization Policy (pdf) 1EU: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and UK) 2EEA: Iceland, Liechtenstein and Norway

Asia Pacific Region Regulatory Requirements

Several countries in this region have had privacy laws for many years. Countries with such well-established laws are Australia, Hong Kong, Japan and New Zealand. In the last few years the pace of enacting privacy laws across this region has picked up and privacy laws either exist or are close to being enacted in India, Malaysia, the Philippines, Singapore, South Korea and Taiwan. These privacy laws all require that personal information is protected and is only accessible by authorized individuals. Consequently, customers with personal information that originates in these countries need to delete, encrypt, or sanitize this personal information prior to returning defective media to HP. If such steps are not possible with respect to sensitive data, customers need to retain their defective storage media by either purchasing Defective Media Retention (DMR) service or by purchasing the replacement media. Download – HP’s Media Sanitization Policy (pdf)