This story was first published in digitalhealth.net
There is a desire in the public sector to increase customer service, decrease cost and provide a less intrusive means of collecting information, but with 99 per cent of fraud being undetected in the public sector it becomes vital that such information is being disposed of correctly. This is of particular importance today when we are witnessing an increase in identity theft which now costs Britain £1.7 billion.
Handling personal information
With an increase in scrutiny over personal data held by large organisations, the Data Protection Act includes legal obligations for any organisation that processes personal information, whether about employees, customers or members of the public. The Act was brought into force to balance the rights of the individual and the organisations that are legitimately holding and using the confidential information.
Such data should be processed and controlled securely and can include: customer records, financial reports, payroll data, personnel data, computer hard disks, CDs/DVDs and CCTV footage. The Office of the Information Commissioner (ICO) regulates compliance with the Act.
Key principles of the act
The Act sets out eight key principles. Data must be fairly and lawfully processed; processed for a specified purpose; adequate; relevant and not excessive; accurate and, where necessary, kept up to date; kept for no longer than necessary; processed in line with the rights of the individual; and kept secure. Also, data may not be transferred to countries outside the European Economic Area unless there is adequate protection for the information.
An organisation’s responsibility to keep information secure also extends to the way in which data is disposed of, which includes destroying personal information effectively so it cannot be used in a fraudulent act. If data is not disposed of correctly, this may contravene the requirements of the Act and legal action could ensue.
Disposing of personal information
If personal information is not disposed of responsibly, criminals will have access to data they can then misuse. Every organisation that holds confidential information is at risk of becoming a victim of identity theft or of allowing its customers or staff to become victims. Organisations run the risk of significant losses if they do not take preventative measures to protect their confidential information.
Identity theft involves fraudsters obtaining sufficient information about a person to be able to assume their identity and obtain goods, credit or services, in a false name. An example of this within the NHS may be a ‘patient’ seeking healthcare under someone else’s name, which can include the issuing of prescribed medications.
The Government’s planned introduction of ID cards is thought to be one way around this issue, with the use of biometric security to prevent identity theft. The NHS Care Record, a computerised system that will include core information on a patient’s health background, will also aid in the reduction of identity theft, as access to information will be restricted through various security measures, e.g. smart cards and PIN access.
Many crimes that appear simple in structure will often be the tip of the iceberg, leading on to other interconnected crime. For example, identity thieves who assume someone else’s identity to access health services become, in the organisation’s eyes, the ‘real’ patient. Detailed and legitimate headed documentation could be sent to the address the fraudster uses and this can then be used to legitimise further activities, such as claiming benefits.
Many organisations already apply adequate measures in terms of securing access to confidential data, for example, lockable filing systems and strict procedures for limiting access to relevant computer records. However, it is becoming increasingly apparent that many infringements of the Act, and therefore the opportunity to prevent fraud before it occurs, relate to the way in which data is disposed of.
The Information Commissioner’s Office
The Information Commissioner’s Office (ICO) is the UK’s independent public body set up to promote access to official information and to protect personal information.
The ICO’s 2006/07 annual report noted that 24,000 enquiries and complaints had been made regarding misuse of personal information held by retailers, banks, public bodies and government departments. These breaches included NHS and Social Services, which had lost details such as National Insurance (NI) numbers and people’s addresses when notebook PCs had been stolen. The irresponsible disposal of confidential information is just one way that data is being misused.
Assess the risks
Each organisation must have a data control policy and use processing methods that indicate they are employing appropriate procedures to prevent unlawful processing/disclosure of data, accidental loss, destruction of, or damage to, personal data. To aid in the assessment of an organisation’s security risks from identity fraud and other information crimes, the British Security Industry Association (BSIA) has produced an audit procedure to help with the process.
The Security Waste Audit will put organisations in a better position to identify their waste disposal needs and act accordingly. This can be downloaded from www.bsia.co.uk/shredding and encourages the adoption of a professional information destruction company to ensure confidential waste is disposed of correctly.
Information Destruction (ID) companies can advise organisations on key areas including: compliance with the Data Protection regulations, preventative measures against identity theft and ensuring information is destroyed properly. By disposing of confidential information using an information destruction company, which is inspected to the British Standard BS 8470:2006, businesses can rest assured that they are meeting legal requirements and that their information will not fall into the wrong hands.
BSIA Information Destruction members are inspected to the BS 8470 standard and the quality management standard ISO 9001:2000 by a UKAS accredited certification body. BS 8470 provides recommendations for the management and control of the collection, transportation and destruction of confidential material to ensure that such material is disposed of securely and safely. It outlines the key requirements of a professional ID company, with security being integral, and covers the following areas: material specific shred sizes; requirements regarding the installation of a monitored intruder alarm and a monitored CCTV system; a prerequisite for the security vetting of all staff; and obligations with regard to the security of collection vehicles and on-site destruction vehicles.
Code of Ethics
BSIA members also comply with a Code of Ethics. A reputable company will be registered with the Environment Agency, will provide organisations with a signed certificate of destruction for each completed batch, and be aware of the need for a signed duty of care waste transfer note. Professional ID companies will also provide a receipt detailing the European Waste Codes.
Society is increasingly focusing on personal privacy and wider confidentiality, which means there is greater scrutiny of an organisation’s performance in relation to personal data collection and handling. Organisations such as the NHS, which handle vast amounts of confidential records, can avoid such potential causes of legal action through the involvement of ID companies to ensure that their legal obligations are covered and their reputation protected.
The British Security Industry Association is the trade association covering all aspects of the professional security industry in the UK. Its 570 members provide over 70 per cent of UK security products and services and adhere to strict quality standards. See www.bsia.co.uk, email info@bsia.co.uk or telephone 0845 389 3889.
For more information
More information on information destruction can be found by visiting www.bsia.co.uk/shredding or by calling 0845 389 3889.