Identity theft, fraudulent transactions and even industrial espionage are horror stories we will all have heard about. If spiralling statistics are anything to go by, some of us will have even experienced this first hand either in our personal lives, or in business. But despite this, some organisations – and individuals for that matter – still have a casual approach in the way they dispose of confidential, personal or sensitive information.
The Office of National Statistics reveals that in the year to June 2013, more than 230,000 fraud cases were recorded in England and Wales representing a 59% increase over five years. It appears that criminals are favouring online fraud and identity theft over and above traditional burglaries. CIFAS, the UK’s Fraud Prevention Service, reports that “the takeover of customer accounts increased by 53% from 2011, meaning that data driven identity crimes now constitute the vast majority of all fraud in the UK.”
Information is a valuable asset to us all, but unfortunately it becomes even more valuable when it falls into the wrong hands. And we are not just talking about petty opportunists and organised gangs of criminals. Business documents, such as Minutes of Meetings, Payrolls, Financial or Customer Records are equally ‘valuable’ to competitors. The consequences of information being lost, or viewed by others who are not authorised to do so, can be potentially damaging to a company’s reputation as well as the obvious commercial dangers.
Over the years there have been some very high profile ‘losses of data’ either in its digital or physical form. The loss of Child Benefit disks was one of the scandals of the ‘noughties’ that dominated the news. There have been newspaper leaks of secret government documents left on trains and politicians leaving parliamentary papers in park waste bins to name but a few other high profile examples! By their very nature, these of course are going to make the headlines. But there will be many more breaches in the everyday corporate world that go relatively unpublicised.
Correct procedures must be implemented for securely disposing of personal, sensitive or confidential data, whether this is in its physical or digital form. The Information Commissioner’s Office (ICO) has strong powers it can enforce on businesses that breach data laws. Laws such as the Data Protection Act 1998 must be adhered to, as failure can result in criminal prosecution carrying a maximum penalty of £500,000 in a Magistrates Court and unlimited fines in a Crown Court.
Every business and organisation should appoint an appropriate senior individual as their Data Controller with a set of clearly defined rules about corporate records management. These rules should include how they are stored, how long they are stored for to meet compliance regulations and guidelines, who has access to them, how regularly they are reviewed, and ultimately the way in which they are disposed of at the end of their lifecycle. For paper documents, this may include a ‘shred all’ approach.
Confidential documents, or those carrying sensitive personal details, should never be cast aside in a general office waste paper bin, or recycling bin. It is imperative that employees know which ‘bins’ to use for different types of information, and regularly communication on this subject should be a priority. There should be a secure console or bin for the disposal of confidential paperwork destined for shredding. It is worth remembering that even faint or partially printed documents can be valuable to fraudsters or employees with a grudge, so do not presume that because you can’t read them, someone else can’t too!
While many offices will have their own shredders for document disposal, it is often deemed an inefficient use of staff time to do this in-house. Industrial shredders can carry out the task in a fraction of the time. That is why many organisations choose to outsource the service to a specialist secure shredding partner. Some providers of confidential shredding will offer this service on-site using a mobile shredding unit/lorry, while others take it away to their off-site shredding facilities. The latter should always be conducted under video surveillance with robust tracking/security systems in place.
Many larger organisations will choose to have regular scheduled shredding services, while smaller businesses sometimes find ad hoc, or one-off shredding purges more beneficial. It really depends on the amount, and nature of the paperwork being generated, so there isn’t a one-size fits all!
When choosing a shredding partner, it is important to choose wisely. This is a service that should not be chosen based on price alone, or viewed simply as waste management. This is a matter of document security so never compromise on quality and integrity.
It is always advised that your shredding partner only uses its own staff and vehicles. Staff should be DBS checked and vehicles should be fitted with on-board tracking devices.
Find out about the shredding company’s credentials. Do they, for example, have the British Shredding Standard EN 15713:2009? British Security Industry Association (BSIA) Information Destruction companies comply with this standard that is considered an excellent benchmark for the industry. This means that your shredding is being carried out by a company that meets strict audit requirements in accordance with a set of industry security standards. It also dictates a compulsory minimum shred size, in various ‘category’ levels. Security level 3 is the minimum but the higher the level, the higher the security. There are some shredding partners that even surpass the basic requirements of this standard and shred to Government Security level 6 – the level accepted for top secret information.
A mobile shredding service will enable you to oversee the shredding of your documents from the convenience of your own premises. If documents are being taken away for off-site shredding, then ensure that all shredding sacks are fastened with specialist security ties, and barcoded with a full tracking system in place.
Certificates of destruction should be issued at the end of the process irrespective of whether the shredding is conducted on or off-site, and these form very important company records in their own right.
Environmental issues should not be a concern either. Many shredding companies will transport the shredding to their own secure facilities, where they are baled and taken away for recycling into new paper based products.
Be safe, not sorry when it comes to secure document destruction.