Wanted: your data

Written by Russell Harris, BSIA Information Destruction Section ChairmanGoogle a few key words about information security and the public sector and you will find an alarming number of recent reports about the potential consequences of inadequate controls. They range from the theft of laptops containing confidential data, patients x-rays dumped for anyone to find, wholesale data losses and even the sale of a PC on e-Bay, complete with its files of medical records.
A common theme running through many of these reports is the lesson that information needs to be protected at every stage, and that includes the way it is disposed of. Failures of this kind are often unlawful as well as careless but prosecutions for breaches of the Data Protection Act generally take place only after the harm has been done. Good data security therefore must aim to anticipate and prevent problems before they occur.

Safe disposal
The secure disposal of confidential data is an essential element of this work. This extends beyond physical documents to information held on computers and storage devices. Simply deleting files is not an adequate response. Today’s computer criminals are highly skilled computer experts who know how to manipulate systems and recover deleted information in order to steal identities, conduct fraudulent transactions and even commit blackmail.
Crucially, the careless disposal of confidential data often allows them to do this without anyone knowing the information has been compromised.
The volume of crime that occurs in this way is unknown, although by some estimates up to 99 per cent of fraud in the public sector goes undetected and the same may be true of offences resulting from the improper disposal of data. Almost any kind of personal information is valuable to criminals, for example, patients’ records, financial reports, payroll information and personnel data.
The unlawful use of such information contributes to an explosion of identity theft crimes that are now estimated to cost almost £2 billion every year. Identity theft allows criminals to obtain goods, credit or services in someone else’s name. Offenders target both public and private sector providers, including the use of stolen identities to fraudulently obtain prescription medicines and state benefits.

The law, therefore, imposes legal obligations on any organisation that processes personal information, whether about employees, customers or members of the public. The Act essentially does two things: it tells organisations what types of information they may hold and how it must be safeguarded. It does so through key principles for data protection, including the need for data to be processed in line with the rights of the individual and kept secure.
The data must be accurate, updated where necessary and kept no longer than needed. These principles also include the use of effective means to prevent misuse by destroying personal information at the point of disposal.
Many infringements of the act relate to the way in which data is disposed of. The problem can only be overcome by treating all personal information in the same way as sensitive financial or medical records, by employing a professional information destruction service.
Despite the ready availability of this common sense solution, companies and organisations continue to be prosecuted for improper disposal. Many more escape prosecution because their carelessness is never discovered. It is known that only a small fraction of corporate waste paper and data processing products such as hard drives, CDs, memory sticks and DVDs are destroyed annually by professional firms.  
By far the majority of such material continues to be disposed of via municipal refuse collection or waste paper reprocessing. Neither method generally involves any kind of secure handling, yet it is inevitable that much confidential data is included in this general waste and therefore a major cause of avoidable risk. It is not surprising in these circumstances that the rubbish bin is a regular source of prosecutions under the Act, just as it has long been a core element of the private detective’s trade.

Meeting legal obligations
The law sets clear rules for the destruction of personal information. It should be carried out by a company that guarantees under contract that processing (destruction) is done securely and effectively. The organisation and its chosen information destruction contractor are then jointly liable for any breaches of the Act when dealing with personal or sensitive data. Liability extends to individual managers and data controllers, who could face personal fines up to £5,000 and the prospect of a criminal record.
Another possibility is civil action by a complainant, since anyone who suffers damage as a result of contraventions of the Act is entitled to compensation. Convicted organisations could also be subject to future spot checks to ensure compliance. Significantly, it is a defence to show that all reasonable care has been taken to comply and the BSIA’s Information Destruction Section was formed to enable organisations to meet their legal obligations.  
The section’s remit is to assure good practice by operating to the BS 8470 standard for the collection, transportation and destruction of confidential material and the quality management standard ISO 9001:2000. It defines the subject as the secure destruction of information in all its forms, including paper and computer media and hardware.
The section’s members collect confidential waste at source and provide a fully trackable service up to the point of destruction. The process consists of waste collection by secure transport, inspection, removal and destruction of rubbish, and the shredding, pulping and recycling or incineration of other material. Members of the Information Destruction Section provide free, no obligation advice to enable potential users to address their specific risks and requirements.

Please register to comment on this article