Keeping data out of the wrong hands

Written by Russell Harris, Chairman of the BSIA’s Information Destruction Section

The secure removal of confidential data is a key element of securing any public sector organisation. This extends to both paper documents and information held on computers and storage devices, where simply deleting files is not an adequate solution. The careless disposal of confidential data often allows criminals to steal identities and conduct fraudulent transactions without anyone knowing that the information has been compromised. Identity fraud is an issue that has become increasingly prevalent in recent years and can have a huge effect on businesses.
    
The volume of crime that occurs in this way is unknown, although by some estimates up to 99 per cent of fraud in the public sector goes undetected, and the same may be true of offences resulting from the improper disposal of data. If confidential information is stolen from a business, the personal details of its customers and suppliers are also put at risk. Furthermore, businesses that do not take preventative measures to protect their confidential information during the disposal process run the risk of significant losses, not to mention the loss of reputation and client confidence.

Information is valuable
Almost any kind of personal information is valuable to criminals, whether it be residents’ records, financial reports, payroll information or personnel data. The unlawful use of such information contributes to an explosion of identity theft crimes, enabling criminals to obtain goods, credit or services in someone else’s name. Offenders target both public and private sector providers, including the use of stolen identities to fraudulently obtain prescription medicines and state benefits. The consequences of identity fraud are potentially huge. In addition to the risks mentioned earlier, there is also the time and inconvenience involved in contacting the authorities and sorting out paperwork once a security breach has occurred.
    
Consequently, the law imposes legal obligations on any organisation that processes personal information, whether this relates to employees, customers or members of the public. The Data Protection Act essentially does two things. It tells organisations what types of information they may hold and how it must be safeguarded. It does this through key principles for data protection, including the need for data to be processed and kept securely. The data must be accurate, updated where necessary and kept no longer than needed. These principles also include the use of effective means to prevent misuse by destroying personal information at the point of disposal.

Proper disposal
Many infringements of the Act relate to the way in which data is disposed of. The problem can only be overcome by treating all personal information in the same way as sensitive financial or medical records, by employing a professional information destruction service. Despite the stark realities behind identity theft and misuse of information, only a small fraction of the annual tonnage of paper waste and data processing products such as hard drives, CDs, memory sticks and DVDs is destroyed by professional information destruction companies. By far the majority of such material continues to be disposed of via municipal refuse collection or waste paper reprocessing.
    
An example of this was when several banks and other financial institutions were reprimanded by the Office of the Information Commissioner for disposing of customers’ personal information in bins outside their premises. An investigation found information such as details of a bank transfer for £500,000 outside a Nottingham bank, and paying-in envelopes with customer names and phone numbers, sort codes and account numbers outside a bank in Manchester. Furthermore, an experiment carried out by IT consultancy Navigant Consulting revealed that second-hand PCs contain enough personal data to be a security threat to the previous owner. Data found on second-hand PCs included names, addresses and photos; staff budgets and payroll schedules, including names and salary details; and bank account standing order payments and receipts.
    
Neither refuse collection nor waste paper reprocessing generally involves any kind of secure handling, yet it is inevitable that much confidential data ends up in this general waste, which is therefore a major cause of avoidable risk. With the law clear on this matter, public sector organisations are advised to use the services of properly qualified information destruction operators at professional companies that operate to industry standards in order to protect their confidential information. A secure destruction process can help to reduce losses through fraud of all types, as well as ensuring that the reputation of a company or organisation remains untarnished.

An inside job

It has been known for fraud to be committed as an inside job by staff or ex-employees, so confidential waste must be placed in a lockable bin with a paper slot or in a tamper-proof coded sack. Leaving shredding to individuals can compromise security, as the document is not always thoroughly destroyed and can often be pieced together. An information destruction supplier should be able to provide sacks that cannot be tampered with, and bins to match your office furniture that can only be accessed by key. To provide further protection, each collection and sack should carry a unique code so that customers can access a full audit trail of their paper once it has left the building.
    
To enhance customer confidence when using professional information destruction companies, the standards and operating practices surrounding the disposal of confidential information were improved just last year. This included the publication of a new European Standard, EN 15713:2009, which was initially written as a code of practice for BSIA member companies and was then developed into a British standard before being made a European standard.
    
EN 15713:2009 describes the essential requirements and operating procedures for a professional information destruction company, including employment practices such as the security vetting of all staff members and details relating to the security of its premises by means of monitored intruder alarms and CCTV systems. Specific rules are set down for the actual destruction of data, incorporating material-specific shred sizes, and requirements for the security of vehicles used both for the collection and on-site destruction of confidential waste. As well as helping to ensure the highest standards, EN 15713:2009 provides a valuable new benchmark to assist users in choosing a provider. All BSIA information destruction section members are inspected to the new standard as part of the audit procedure for their obligatory ISO 9001:2008 accreditation.

National Occupational Standards

Another significant development in the sector has been the publication of new National Occupational Standards (NOS), which define the level of competence needed to work in information destruction and increase professionalism. The BSIA worked closely with Skills for Security in developing the new standards, which all member companies are being urged to incorporate into their training practices. It is anticipated that in future the NOS could lead to a formal industry-recognised qualification in the field. The publication encompasses all key activities undertaken within the sector, as well as situations employees are likely to encounter in their day-to-day work. It covers a comprehensive range of topics, from customer service to risk assessment, the use of IT, vehicle load security, vehicle and equipment safety and even good driving techniques. As such, it is seen as an indispensable tool for creating and maintaining a highly skilled workforce and providing benchmarks for good practice across the UK.
    
The NOS goes into considerable detail in specifying standards of occupational competence for the sector. It deals with all aspects of the operation, including collecting consignments of confidential material, complying with proof of collection requirements and maintaining security during the loading and transportation process. The use of documentation to meet audit trail requirements and comply with relevant legislation is covered in detail, encompassing the use of waste transfer, pre-treatment, collection and delivery notes, vehicle check sheets and certificates of destruction. It goes on to describe performance criteria and essential knowledge for the destruction of data, incorporating the use and maintenance of mobile and on-site equipment. A separate section is devoted to providing a quality service when carrying out information destruction operations, including communicating effectively with customers and colleagues, and identifying ways to improve performance.
    
The BSIA has encouraged all companies operating in secure waste disposal to embrace the NOS, which has clear benefits in terms of creating a highly qualified workforce and raising standards across the industry as a whole.
    
With these standards in place, the quality of information destruction will only be enhanced. Using an information destruction company is a safe and effective method of disposing of confidential data, which is compulsory for public sector organisations in order to protect their staff, customers and reputation.

For more information
For more information about the BSIA’s work in information destruction, visit www.bsia.co.uk/shredding

For more information about the NOS, visit www.ukstandards.org.uk