December 19, 2003—The recent report by credit services firm Experian highlights the importance of disposing of confidential data securely but be careful who you use to do the job, says the British Security Industry Association.
Experian looked at the contents of 71 commercial organizations rubbish bins. Its research revealed that 45% of companies threw away headed paper, 24% directors signatures, 44% whole invoices and 20% company bank account details—with no attempt to shred or destroy them. The report linked these findings to the 1.34bn cost of identity fraud in the UK.
The 1998 Data Protection Act sets a legal requirement for companies to provide sufficient guarantees of security measures for the disposal of confidential data. Businesses are held jointly liable with the company they employ to dispose of their waste if confidential data is mislaid during the destruction process.
The BSIA advises organizations to use specialist information destruction companies and says the disposal of confidential material should be considered part of the security function because of the risks.
A company could be destroying confidential data in breach of the Data Protection Act, whilst the security of employee and client information is central to the good reputation of a business, says the BSIA.
Confidential material—from paper to computer hard drives—should be destroyed under a written contract, with assurances that the site is secure, that security staff have been vetted, and that material will be kept for no longer than 72 hours before destruction. Importantly, material should be shredded down to a size that prevents any further use.
BSIA members formed the first code of practice for information destruction, which is being developed into a British Standard. It ensures that confidential material is destroyed in accordance with the Data Protection Act, under contract, on secure sites, in under 72 hours, and is carried out by staff vetted to British Standard BS7858.
—Richard Byatt
Reprinted with permission; copyright 2003 i-FM
