Data Protection - Once more unto the breach

Continuous reports of data breaches, as well as an increase in public concern over the way sensitive information is held by organisations, have in fact all contributed to tougher regulations and requirements being placed on companies across the sector.

Although the consequences of failures in data security are known to all, it is concerning to see how organisations are still unaware of how to handle their sensitive information, and, more importantly, who they should select to ensure its adequate destruction. Standard-compliant information destruction companies can greatly relieve some of the pressure.

With identity fraud continuing to threaten our society, institutions of all sizes should take extra precaution when destroying information, regardless of the material. The careless disposal of data often enables criminals to steal identities or conduct fraudulent transactions without anyone noticing. In addition, data breaches carry with them hefty fines and result in significant reductions in consumer confidence. This can be extremely damaging for all kinds of organisations, in particular within the health sector, where patients’ trust is an absolute requisite.

A tougher attitude
The £70,000 fined to the NHS in April is just the latest in a string of moves that has highlighted a tougher attitude by regulators against companies ineffectively handling their data, or falling victim of breaches.

Earlier in the year, a new framework to ensure consistency throughout all EU member states was unveiled by European Justice Commissioner, Viviane Reding. The framework, which applies to all 27 European member states, requires companies to report any breaches within 24 hours, to employ a Data Protection Officer for any organisation of 250 staff or more and also warns that businesses may be fined up to 2% of turnover for a data breach. Critics of the framework have questioned some of its aspects including the strict 24 hour cut-off time for data breach notifications. However, the reality is that these changes are asking companies to make an even bigger commitment to their confidential data handling processes, and take responsibility for any shortfalls in their security strategies.     

Despite the widely reported risks of data breaches and identity fraud and increased pressure by regulators, however, research undertaken last year by the BSIA underlined the fact that there remain serious gaps in how data disposal is handled by public and private sector organisations across the UK. One worrying statistic is that a third of organisations questioned are still relying on standard municipal waste disposal to deal with even the most sensitive of their information destruction needs, with all the dangers which that entails.

Significantly, the same piece of research showed that nearly 19% of organisations had been a victim of serious data fraud. Where such data breaches occurred it was noted by the respondents that half of these involved paper, and the rest were related to computer hard-drives. This demonstrated that, even in a world where cyber threats are continuously increasing, paying attention to the way physical material such as paper, storage devices and branded goods, are destroyed is still a crucial aspect of security.

Conclusive Proof
Given the potential for breaches and the essential task they perform, any company bidding for information destruction work should, as a prerequisite, be able to provide conclusive proof that they adhere to a strict code of ethics and satisfy the provisions laid out in the pivotal European Standard EN 15713. The standard provides information destruction companies with recommendations for the management and control of collection, transportation, destruction of confidential material and recycling to ensure such material is disposed of securely and safely. As well as helping to ensure the highest standards, EN 15713:2009 therefore provides a valuable benchmark to assist users in choosing a provider.

This is particularly essential in a sector where the sensitive nature of the documents and materials dealt with - including patient records ranging from demographic data such as age, occupation and race to addresses and contact details, health condition and financial details - require the tightest of procedures in order to ensure maximum security for the information held.

Unfortunately, however, companies in the sector fail to understand the implications, scope and importance of the standard, as these documents can be at times technical in nature.  As revealed by the same research carried out last year by the BSIA in fact only 50% of facilities managers who have taken the step to outsource data disposal knew whether their provider actually complied with EN15713. This is concerning, as the BSIA believes it should be the first question asked of any secure waste disposal business by a prospective customer.

Active Part in EN15713
The BSIA’s Information Destruction section played an active part in the development of EN15713, and to help educate end-users on its importance, the Association launched earlier in the year a one-page easy-to-understand informational leaflet providing its key points of consideration. This be downloaded from the BSIA’s Information Destruction Guidance webpage -

All BSIA information destruction section members are inspected to the European standard, as part of the audit procedure for their obligatory ISO 9001:2008 quality accreditation. This means that they will be independently audited to ensure they continue to comply with the requirements laid down within the standard.

Moreover, all members adhere to their section’s Code of Practice, and are committed to educating the sector and its customers on all issues relating to the way sensitive material is handled. With plenty of experience in the industry, they should be health sector organisations’ first port of call for any information destruction requirement.

BSIA members meet strict quality criteria and as such, the Association’s website is a great place to start when considering your next security investment.

For more information