Doing away with data

As a nation, the UK is becoming increasingly aware of personal privacy, meaning that there is greater scrutiny of any organisation’s performance in relation to information destruction. A recent example of this was when security was breached at NHS Surrey, after computers containing confidential files were sold on eBay without the hard drives being wiped or destroyed securely. It was one of the biggest security breaches ever witnessed by the now dissolved NHS Surrey, all due to the handing over of old computers to a new service provider who was not compliant with essential standards.
Adam Chandler, chairman of the BSIA’s Information Destruction Section, comments: “Organisations tend to ‘turn a blind eye’ when it comes to selecting an information destruction service provider. The dangers associated with doing this were highlighted perfectly recently, when the Information Commissioner’s Office (ICO) issued a £200,000 fine to Surrey NHS for engaging with an unapproved supplier who was promising a cut price job for the value of the material they were supposed to be destroying. In this case, it was computer equipment – some of which ended up on eBay.”
Who is responsible?
Information destruction itself ensures the secure disposal of information in all of its different forms. This varies from paper to media equipment such as CDs and memory sticks. Branded products such as uniforms also need to be discarded securely because, if they are retrieved by the wrong person, they could pose a security threat to a healthcare establishment. These materials should be destroyed either on-site or off-site, to the extent that they may never be reconstructed. The client is then usually provided with an audit trail and a certification of destruction for their reference.
There can sometimes be a question mark over who is responsible for ensuring that confidential documents are discarded. When asked about his experiences with information destruction in the health sector, Anthony Pearlgood, a member of the BSIA’s Information Destruction Section, stated that: “Only a small fraction of organisational waste paper and data processing products such as hard drives, CDs, memory sticks and DVDs are destroyed annually by professional firms. It is important that key decision makers do not make these choices lightly, and are sure to source a reputable supplier that meets the relevant standards,” he added.

What are the standards?
There are particular standards that need to be adhered to by companies that are responsible for information destruction. Such standards guarantee that the service being provided is secure and professional, an essential requirement of the Data Protection Act. Failure to abide by these requirements can result in a hefty fine from the Information Commissioner’s Office.
EN15713 is one of the key European standards for information destruction, and it includes a range of requirements that an information destruction company must meet to guarantee a reputable service. These requirements range from having an administration office on-site where records and documentation are kept to having premises that are isolated from any other business or activities that operate at the same site. Intruder alarms and CCTV should also be present, especially in areas where unloading, storage and processing of information is conducted.
BSIA Information Destruction companies all meet this essential standard and are also required to comply with BS 8470, a British standard which includes the identification of product-specific shredding sizes, guaranteeing that the information is destroyed beyond the point of repair. More information about these standards can be found on the BSIA’s website.

Looking ahead
Adam Chandler comments on the section’s outlook for the next year: “Over the next year we aim to continue the section’s key goal of educating customers on instances when they are most at risk of fraud and how the improper use of confidential information contributes to an increase in identity theft crimes.
“The commitment of BSIA members to best practice enables us to help our customers at a time when their businesses are most at risk from fraud.

“Almost any kind of personal information is valuable to criminals, whether it is residents’ records, financial reports, payroll information or personnel data. The unlawful use of such information contributes to an explosion of identity theft crimes and could put the institution, customers, or even suppliers, at risk.”
As the section chairman, Adam has been tasked with reviewing the section’s strategy for the next year. “Like all sections, we are currently reviewing our strategy for the next two/three years and, as always, one of the key issues will be to deliver excellent value for our members and maintain the BSIA Information Destruction Section’s position as the leading association in our sector,” Adam explains. “As such, we are constantly looking for ways to improve standards and raise our profile. Whilst the aim is to deliver a quality service, there will always be challenges facing the information destruction sector.
“Our members are operating within an extremely competitive market place, where a unique combination of conditions continues to be felt,” he says. “Firstly, the contraction of the market due to the recession resulted in huge declines of ‘paper in’ volumes, and that naturally feeds through to ‘paper out’, which directly affects the market available to our members. Secondly and more than likely related to this decline, the value of recovered fibre peaked a couple of years ago but remained unusually high for an extended period.”
Consequently, the temptation of high paper values has attracted service providers into the market that do not necessarily hold all the correct accreditations, along with the systems and processes that impinge on that provider as a result. In very difficult trading conditions, some organisations might be tempted to ‘turn a blind eye’ when it comes to selecting a service provider in our sector.

As such, key decision makers in healthcare establishments should be aware of these new developments in the market and ensure that they are absolutely certain that their chosen supplier meets all the correct accreditations.

Adam is keen to educate organisations on the value of making sure they choose a compliant provider to safely dispose of confidential documents. The market is being driven down at the cost of security, meaning companies are happy to take a risky approach to the procurement of data destruction services, even knowing the consequences of a data breach. However, it is absolutely not worth taking a chance on a non-compliant provider for the sake of cost savings. The risk isn’t always worth the reward.
Previously, the Information Commissioner’s Office has been able to issue penalty fines of up to £500,000 for data breaches. Recent fines highlight lessons to be learned about information destruction.
When it comes to securing an information destruction supplier, it is absolutely essential that decision makers choose a company that meets the essential standards highlighted in this article. Members of the BSIA’s Information Destruction Section all meet these standards as well as rigorous membership criteria.
