What’s In Your Bin? How To Stop Document Disposal Causing Data Breaches

Document Disposal

Disposal is not the same as destruction: a recent UK study reveals that up to 40 per cent of London’s commercial bins contain confidential business documents. The study investigated bins located near a number of law firms, banks, hospitals and government agencies, and found a concerning number of paper documents such as email printouts, letters and reports, many of which contained sensitive personal information.

Every organisation develops processes to manage its information from the moment a new document is created, through periods of high activity (when many may need to access the document on multiple occasions) until its final destruction or long-term archiving. It is at the very end of this lifecycle that organisations appear to make mistakes.

Document destruction is probably the most overlooked aspect of information management. A company’s attention often focuses on protecting documents as they are created or processed, and those responsible for implementing policy – most typically the IT department – are often more comfortable dealing with digital data than with paper documents and archives.

However, the secure and legally compliant destruction of sensitive paper documents is hugely important. The consequences of failing to destroy confidential information securely can be serious, including the loss of competitive or customer information and exposing the business to the possibility of a punitive fine and severe reputational damage. Here is some guidance for businesses that seek to protect their information at the end of its life cycle:

1. Understand the legal framework – and ensure your employees do too

Important documents have pre-defined retention periods. Bank statements, for example, must be retained for six years. It can be just as damaging to destroy a document your business needs for regulatory purposes or legal disclosure as it would be to fail to destroy a document that you are no longer required to retain. Employees might be unaware that they may need to provide documented evidence of disposal.

2. Start shredding

An in-house shredding solution can look like the obvious choice, but what might appear at first sight to be a money-saving approach may well come at a cost. Machines can be time-consuming or resource-intensive to operate and maintain, and employees using the machines may not be aware of all the legal implications.

3. Consider bringing in a third party

A trusted partner with the relevant expertise will understand the compliance issues for your business and be able to provide the evidence of secure destruction increasingly required by external authorities. The best firms will help you to design, develop and implement a secure shredding programme from collection to destruction and even recycling. Moreover, an expert in secure destruction will be able to destroy digital media such as CDs and DVDs securely.

4. Ensure that policy and processes are followed consistently

There is often a gap between what those responsible for creating policy think has been put in place and the reality of the workplace. What might be a well-understood and observed policy in the financial department at head office may look completely different, for example, in the marketing department of a local branch.

5. Make sure that policies and procedures are understood and supported by every employee

Without this, the best plans in the world are exposed to failure. Should the worst happen, you can be sure the regulator will want to see proof of the steps taken to minimise and prevent risk.

It’s all about accountability and responsibility. Staff should know how to handle all documents with a consistent ‘chain-of-custody’ that results in a tightly controlled, accepted process that covers the lifecycle of paper documents as they pass through the organisation.


Phil Greenwood, Director of Information Management and Business Outsourcing at Iron Mountain, is responsible for delivering information and records management solutions into the UK’s largest Public, Private and NHS customers. Phil has over 10 years’ experience working with UK and International records management. He is involved with the UK Information and Records Management Society. Phil has worked within service delivery and customer facing roles, as well as in general management roles within the outsourcing and information management industries. Legally qualified, Phil has also spent time as a fee earner within law firms and has a strong understanding of the way that information and services drive the core business of client organisations.