The importance of secure information destruction

James Kelly, chief executive of the British Security Industry Association, discusses some of the key considerations when securing information destruction services

With the NHS recently being the target of a large scale cyber attack, never has there been a more important time for healthcare professionals to consider the importance of information destruction. Last year, figures released by fraud prevention service Cifas showed worrying figures regarding identity fraud. The statistics, which came from 277 banks and businesses, revealed that there were nearly 173,000 recorded frauds in 2016, reported by the BBC as ‘the highest level since records began 13 years ago’. As such, this increasing risk of fraud means ensuring that patient and staff records, as well as financial documents, are destroyed securely, is an absolute necessity.

Hospitals and other healthcare establishments contain a wealth of valuable items, such as pharmaceuticals and medical equipment, meaning they are already an attractive target for thieves. However, the personal information stored within the healthcare sector can be an even more lucrative target, providing criminals with the means to commit fraud and identity theft. The information stored within the healthcare sector is vast, including names, addresses, birth dates, National Insurance information, financial details and family histories, which must all be stored securely so as to comply with the Data Protection Act. This compliance applies right down to the destruction of such information, as improper storage or destruction of such information can mean the organisation in question is breaching the Data Protection Act, resulting in hefty fines from the Information Commissioner’s Office (ICO) and huge reputational damage to the establishment.

Under the Data Protection Act 1998, everyone responsible for using data has to follow the specific data protection principles. Such principles include: ensuring that data is used fairly and lawfully, for limited, specifically stated purposes; used in a way that is adequate, relevant and not excessive; accurate; kept for no longer than is absolutely necessary; handled according to people’s data protection rights; kept safe and secure; and is not transferred outside the European Economic Area without adequate protection.

The seventh principle of the Data Protection Act stipulates that an organisation must take appropriate measures against accidental loss, destruction, or damage to personal data and against unlawful processing of the data. In order to fully comply with the Data Protection Act, a handler must have a written contract with a company capable of handling confidential waste, which can provide a guarantee that all aspects of collection and destruction are carried out in a secure and compliant manner.

Electronic media and information destruction
While the use of electronic media is increasing – making cyber crime an even more threatening risk – people are still printing from the screen onto paper, especially in a healthcare environment. Furthermore, electronic media will also need to be disposed of at some point, such as a computer or laptop that is no longer operational. As such, when looking to destroy both paper and electronic media waste, it is absolutely essential that if you do not have the in-house expertise and knowledge, do not take any risks and make sure you take the time to outsource the destruction to a professional information destruction provider.

Information destruction covers a wide range of materials, including paper, computer hard drives, laptops hard disks, CDs, DVDs, USBs, credit cards and SIM cards. It can even be applied to branded products, such as uniforms of badges, which, if in the wrong hands, could allow a criminal to gain entry into restricted areas of a premises undetected. Secure information destruction means that such materials are destroyed to the point that they cannot be reconstructed.

Don Robins, chairman of the British Security Industry Association’s (BSIA) Information Destruction Section, provided some essential advice to key decisions that may be looking for a secure information destruction supplier: “When selecting an information destruction company, steps should be taken to ensure they will protect your digital data until it has been safely destroyed. Often, these steps are common sense, but surprisingly the major consideration is the initial financial cost rather than the positive assurance gained from using an accredited destruction company. Make sure your choice of company uses security cleared personnel, that they have clear and secure procedures from collection through to destruction, that you have selected the appropriate destruction particle size for the material being destroyed and that they provide a destruction certificate.”

He went to on to add that: “You should also check for references; make sure you know who the actual information destruction service provider company is, check that they are members of a professional association, such as the BSIA, and draw up a contract with explicit requirements. Possibly, the first step is to make sure you have a person within your organisation that will be responsible for the destruction of media assets and the data contained on them.”

Choosing a reputable supplier
In addition to these important steps, the most important factor in secure data destruction is choosing a reputable supplier that complies with the essential European standard BS EN 15713:2009 for security shredding, as well as BS 7858 for staff vetting.

Don explains: “It is crucial to keep these standards in mind when sourcing an information destruction supplier, as these standards ensure that the companies providing data destruction services are doing so in a secure manner which provides maximum security for your information.”

BS EN 15713:2009 is a crucial requirement as it provides recommendations for the management and control of collection, transportation and destruction of confidential material and recycling in order to ensure that the materials will be disposed of securely and safely. The BSIA’s Information Destruction Section was actually a key player in the development of the EN 15713 standard and helped provide specifications on how the processes should be handled within the secure data destruction industry.

The standard contains specific requirements pertaining to the confidential destruction premises, the contracts between the client and the organisation, the personnel working for the destruction company, the collection and retention of confidential material, the vehicles used, environmental requirements as well as customer due diligence. To help customers gain a full understanding of the requirements set out in EN 15713, the BSIA’s Information Destruction Section created a helpful guide to highlight the essential elements of the standard, as well as providing some best practice advice when procuring an information destruction company. The guide can be downloaded free of charge from the BSIA’s website.

Procuring a professional, reputable information destruction company must be at the top of the priorities list for key decision makers and corners must not be cut when it comes to quality. The BSIA recently commissioned a white paper titled The (Real) Price of Security Solutions – A White Paper on the Challenges of Buying and Selling High-Quality Security Solutions which explores the price versus quality debate from the perspectives of both buyers and sellers of security solutions. The purpose of the paper was to identify the relative advantages and disadvantages between low-priced and high-quality solutions; unsurprisingly one of the key findings of the paper highlighted the fact that end users would find it far more beneficial to invest in high-quality security solutions rather than making decisions on initial purchase price alone.

A positive collaboration between the security provider and the buyer is also extremely important, allowing the security buyer to gain a clear understanding of the end user’s needs so that they may provide them with a suitable solution. The results of the white paper serve to reinforce the fact that healthcare professionals must only source an information destruction provider who meets with EN 15713 in order to guarantee a quality service. By working closely with your supplier, they will also be able to develop a good understanding of your destruction requirements, developing a regular schedule and contract to suit your needs.