Avoiding the pitfalls of data destruction

With the public sector facing the deepest budget cuts in 25 years, security is often one area of expenditure where organisations look to make immediate savings. However, with large quantities of personal data to protect and the information commissioner imposing increasing fines for data loss, information security is one area where local government can’t afford to cut back.
Generally speaking, public sector organisations hold large quantities of confidential data, making them vulnerable to data breaches. By taking simple steps internally, organisations can reduce the risk of data breaches occurring. Measures include ensuring all unwanted documents, CDs and DVDs are being properly shredded, wiping clean the information held on old computers before disposing of them and regularly changing network as well as PC passwords. However, leaving shredding to individuals can compromise security as the document is not always thoroughly destroyed and can often be pieced together. Therefore, employing a professional data destruction company will ensure legal compliance and the highest standard of service, giving organisations the peace of mind that the interests of their clients, staff or patients are protected.
Public sector fraud
Identity fraud is an issue that has become increasingly prevalent in recent years and can have a huge effect on businesses. The volume of crime that occurs in this way is unknown, although by some estimates up to 99 per cent of fraud in the public sector goes undetected, and the same may be true of offences resulting from the improper disposal of data.
If confidential information is stolen from a business, the personal details of customers and suppliers can also be put at risk. Furthermore, businesses run the risk of significant losses, not to mention the loss of reputation and client confidence, if they do not take preventative measures to protect their confidential information during the disposal process. Almost any kind of personal information is valuable to criminals, whether it be residents’ records, financial reports, payroll information or personnel data. The unlawful use of such information has contributed to an explosion of identity theft crimes, which allow criminals to obtain goods, credit or services in someone else’s name. Offenders target both public and private sector providers, including the use of stolen identities to fraudulently obtain prescription medicines and state benefits.
Information security and the law
The law, under the Data Protection Act, imposes legal obligations on any organisation that processes personal information, whether this relates to employees, customers or members of the public. The Data Protection Act essentially does two things. It tells organisations what types of information they may hold and how it must be safeguarded.
It does this through key principles for data protection, including the need for data to be processed and kept securely. The data must be accurate, updated where necessary and kept no longer than needed. These principles also include the use of effective means to prevent misuse by destroying personal information at the point of disposal.
Many infringements of the Act relate to the way in which data is disposed of. The problem can only be overcome by treating all personal information in the same way as sensitive financial or medical records, by employing a professional information destruction service. Despite the stark realities behind identity theft and misuse of information, only a small fraction of the annual tonnage of paper waste and data processing products such as hard drives, CDs, memory sticks and DVDs is destroyed by professional information destruction companies. By far the majority of such material continues to be disposed of via municipal refuse collection or waste paper reprocessing.
The law governing the destruction of confidential information is becoming tougher. Changes to the law in 2010 gave additional enforcement powers to the Information Commissioner’s Office (ICO), which can now issue penalty fines of up to £500,000 for breaches of the Data Protection Act, meaning that all organisations in both public and private sectors should be looking towards the services of a professional information destruction company more often to avoid such incidents.
The law sets clear rules for the destruction of personal information, and there are hefty fines in place for companies in breach of these rules. In January this year, the Information Commissioner’s Office released a warning to local councils, confirming that councillors who handle personal data must check whether they need to register as a data controller or risk a fine of up to £5,000. Following this warning, the ICO wrote to councillors across the country to urge them to check if they are fulfilling their legal requirements under the Data Protection Act. Over 6,000 councillors are currently registered with the ICO, but a further 13,000 are potentially not fulfilling their obligations.
The risks of poor data management
In recent years, financial institutions in particular have been criticised for the careless way in which they were disposing of sensitive personal information, but such criticism has also extended to public sector organisations, including those dealing with health, child welfare and pensions.
This type of data breach can not only have a negative impact on consumer confidence, but also have serious financial implications. Each individual record lost cost UK organisations an average of £64 in 2009, according to the third annual UK study sponsored by data protection firm PGP Corporation. According to an annual study by the Ponemon Institute, the cost of UK data breaches increased by 7 per cent between 2008 and 2009, and has risen by a staggering 36 per cent in the past two years. Furthermore, an experiment carried out by IT consultancy Navigant Consulting revealed that second-hand PCs contain enough personal data to be a security threat to the previous owner.
Data found on second-hand PCs included names, addresses and photos, staff budgets and payroll schedules including names and salary details, bank account standing order payments and receipts. Consumers, as well as businesses, face hefty financial consequences when their personal data security is breached, each facing the expensive and time-consuming process of safeguarding or restoring their finances and credit ratings. It has also been known for fraud to be committed as an inside job by staff or ex-employees, so confidential waste must therefore be placed in a lockable bin with a paper slot or a tamper-proof coded sack.
An information destruction supplier should be able to provide sacks that cannot be tampered with and bins to match your office furniture that can only be accessed by key. To provide further protection, each collection and sack should contain a unique code so that customers can access a full audit trail of their paper once it has left the building.
The role of European standards
To avoid making such costly mistakes, public sector organisations should choose a trusted information destruction supplier who will dispose of their data correctly and in accordance with current laws. Compliance with European standards such as EN15713 is a basic thing to look for in prospective information destruction providers. Only by using an information destruction company that complies with EN15713 will customers be able to rest assured that their confidential material is in safe hands. The BSIA was at the forefront of developing this standard, and BSIA members were among the first to work to it.
The EN15713 standard requires that each type of material is destroyed to specific shred sizes, that providers install a monitored intruder alarm and CCTV systems to protect the data while it is on their premises, that all staff members are security vetted, and that collection vehicles, on-site data destruction vehicles and machinery are kept secure.
A new era of data destruction
When selecting a data destruction provider, procurers should also ensure that suppliers have procedures in place to safeguard data throughout its whole life cycle.
Despite the economic downturn, environmental issues and corporate social responsibility remain high on the national business agenda, while cost savings within the public sector are of particular importance. Recycling plays a huge part in delivering both of these priorities, and plays an essential part in demonstrating an organisation’s green credentials.
A new scheme, pioneered by a BSIA member, ensures compliance with data protection regulation while implementing sustainable waste management services that can result in multiple business benefits, not least significant cost savings. The scheme, known as ‘closed loop recycling’, ensures ultimate data security by returning recycled paper back to the client after processing.
Closed loop recycling works like this: the information destruction company collects confidential waste paper from the client, shreds it and bales it. Next, the paper is sent to a collaborating paper mill, where it is recycled and turned into ‘new’ office paper. This is then sold back to the client company at a competitive rate. The success of the scheme is largely due to the positive cooperation between all parties, and to date 325 tonnes of paper have been shredded and recycled, saving 5,514 trees and helping 729m³ of waste avoid landfill. Moreover, the client company is granted peace of mind, knowing that its waste is being handled in line with European and UK regulation, and is benefiting from considerable return on investment due to the savings made by buying back the original paper once it has been recycled. More than half of the paper used by the client firm’s 2,500 partners and staff in its London office is now in fact recycled paper acquired through this scheme.
Choosing a quality provider
Using a professional information destruction company is a safe and effective method of disposing of confidential data, which is compulsory for public sector organisations in order to protect their staff, customers and reputation. Members of the BSIA’s Information Destruction section adhere to strict quality standards, such as EN15713, and are inspected to ISO 9001. To locate a supplier in your area, visit the BSIA’s Company Finder on our website.