Data security and the risk of identity theft

The secure disposal of confidential data is an essential element of securing any public sector organisation. This extends both to paper documents and to information held on computers and storage devices, where simply deleting files is not an adequate response. The careless disposal of confidential data often allows criminals to steal identities and conduct fraudulent transactions without anyone knowing the information has been compromised. The volume of crime that occurs in this way is unknown, although by some estimates up to 99 per cent of fraud in the public sector goes undetected and the same may be true of offences resulting from the improper disposal of data.
    
Almost any kind of personal information is valuable to criminals, for example, residents’ records, financial reports, payroll information and personnel data. The unlawful use of such information contributes to an explosion of identity theft crimes that are now estimated to cost almost £2 billion every year. Identity theft allows criminals to obtain goods, credit or services in someone else’s name. Offenders target both public and private sector providers, including the use of stolen identities to fraudulently obtain prescription medicines and state benefits.

Data Protection Act

The law therefore imposes legal obligations on any organisation that processes personal information, whether about employees, customers, or members of the public. The Data Protection Act essentially does two things: it tells organisations what types of information they may hold and how it must be safeguarded. It does so through key principles for data protection, including the need for data to be processed and kept securely. The data must be accurate, updated where necessary and kept no longer than needed. These principles also include the use of effective means to prevent misuse by destroying personal information at the point of disposal.
    
Many infringements of the act relate to the way in which data is disposed of. The problem can only be overcome by treating all personal information in the same way as sensitive financial or medical records, by employing a professional information destruction service.
    
Despite the ready availability of this common sense solution, companies and organisations continue to be prosecuted for improper disposal. It is known that only a small fraction of corporate waste paper and data processing products such as hard drives, CDs, memory sticks and DVDs is destroyed annually by professional firms. By far the majority of such material continues to be disposed of via municipal refuse collection or waste paper reprocessing. Neither method generally involves any kind of secure handling, yet it is inevitable that much confidential data is included in this general waste, which is therefore a major cause of avoidable risk.

European standard

With the law clear on this matter, public sector organisations are advised to use the services of a professional information destruction company in order to protect their confidential information. It is particularly important that such a company complies with and is inspected to a new European standard for the area of information destruction – EN 15713:2009. The new standard covers the following areas: material-specific shred sizes; requirements regarding the installation of a monitored intruder alarm and a monitored CCTV system; a prerequisite for the security vetting of all staff; and obligations with regard to the security of collection vehicles and on-site destruction vehicles.
    
The new European standard supersedes the old British standard (BS 8470) and outlines the key requirements of a professional information destruction company. Only by using an information destruction company that is inspected to the new standard will customers be able to rest assured that their confidential material is in safe hands. The BSIA has been at the forefront of developing the standard and, as such, BSIA members will be amongst the first to work to it.
    
It is hoped that the development of this new standard will provide further reassurance to customers that by using a member of the BSIA, they are placing their confidential data into the hands of a professional company. All BSIA information destruction section members must hold ISO 9001:2008 accreditation, and will then be inspected to the new standard EN 15713:2009 as part of their ISO accreditation audit procedure.
    
The BSIA has also published a Security Waste Audit to help with the process of assessing whether your information is being disposed of securely; it is available to download at www.bsia.co.uk/shredding.

The British Security Industry Association is the trade association covering all aspects of the professional security industry in the UK. Its members provide over 70 per cent of UK security products and services and adhere to strict quality standards.

For more information
See www.bsia.co.uk, e-mail info@bsia.co.uk or telephone 0845 389 3889.
