Keeping data out of the wrong hands

The careless disposal of information has long been a cause of concern to public and private sector organisations alike. Over the years, several high profile examples of this carelessness have hit the headlines, including the Downing Street advisor who threw away sensitive memoranda with his household waste and the random check of rubbish bags outside branches of high street banks that uncovered information about more than five thousand customers. However, the risk extends beyond paper records. Another press report described how computer hardware discarded by a major international bank had been used to uncover the share dealings of high profile customers by reconstituting the supposedly ‘wiped’ hard drives.  
    
A number of recent reports have also highlighted the potential consequences of inadequate controls over the handling and disposal of sensitive data in the health care sector. Examples include the theft of laptops containing confidential information, patients’ x-rays dumped for anyone to find, wholesale data losses and even the sale of a PC on eBay, complete with its files of medical records. Such lapses remind us that information needs to be protected at every stage, and that includes the way it is disposed of. Failures of this kind are often unlawful as well as careless, but prosecutions for breaches of the Data Protection Act generally take place only after the harm has been done. Good practice must therefore aim to anticipate and prevent problems before they occur.

Complete destruction
The security industry took an early lead in addressing the serious implications for businesses and others engaged in data processing. Shortly after the Data Protection Act came into force, the Nationwide Association for Information Destruction (NAID) and the BSIA merged to form the BSIA’s Information Destruction Section, which now represents the bulk of the UK market. The section defines its remit as the secure destruction of information in all its forms, including paper, computer media and hardware, as well as other items that could cause problems if they fall into the wrong hands.
    
The risks are wide ranging, which is why the need for secure disposal extends beyond physical documents to include information held on computers and storage devices, as well as other potential means of access to data such as staff identity documents and uniforms. Computer equipment, for example, must never be disposed of until all the personal information has been securely removed, for example by destroying the hard disk. Simply deleting files is not an adequate response: deleting a file normally removes only the directory entry that points to it, and the data blocks remain on the disk until something else overwrites them. Modern cyber criminals know how to manipulate systems and recover deleted information in order to steal identities, conduct fraudulent transactions and even commit blackmail.
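To make the point about deletion concrete, the following is an added example and not code from the BSIA or from the original article. It models a raw disk image as a byte array with a simplified FAT-style directory table (an assumption made for the demonstration; real filesystems are more elaborate but behave the same way on unlink), writes a constructed, fictitious patient record to it, "deletes" the file the way an operating system does, and then shows that a signature scan of the raw image recovers the record anyway. Only overwriting the blocks, as `secure_delete` does, removes it.

```python
import re

BLOCK = 512            # bytes per block
N_BLOCKS = 64          # 32 KiB image: small enough to scan in memory
DIR_BLOCK = 0          # block 0 holds the directory table
ENTRY = 32             # entry: 16-byte name, 4-byte start block, 4-byte length, 8 pad
SLOTS = BLOCK // ENTRY

# Constructed sample content for the demo: a fictitious record, not real data.
SAMPLE_RECORD = b"PATIENT: A. N. Other | DOB 1970-01-01 | Dx: test result\n"


class ToyDisk:
    """A raw disk image with a FAT-style directory table (a simplification)."""

    def __init__(self):
        self.image = bytearray(BLOCK * N_BLOCKS)
        self.next_free = 1  # data blocks start after the directory block

    def _entries(self):
        """Yield (entry_offset, name, start_block, length) for each live entry."""
        for slot in range(SLOTS):
            off = DIR_BLOCK * BLOCK + slot * ENTRY
            name = bytes(self.image[off:off + 16]).rstrip(b"\0")
            if name:
                start = int.from_bytes(self.image[off + 16:off + 20], "big")
                length = int.from_bytes(self.image[off + 20:off + 24], "big")
                yield off, name.decode(), start, length

    def write_file(self, name, data):
        encoded = name.encode()
        if len(encoded) > 16:
            raise ValueError("name too long for this toy directory")
        nblocks = -(-len(data) // BLOCK)  # ceiling division
        if self.next_free + nblocks > N_BLOCKS:
            raise OSError("disk full")
        start, self.next_free = self.next_free, self.next_free + nblocks
        self.image[start * BLOCK:start * BLOCK + len(data)] = data
        for slot in range(SLOTS):
            off = DIR_BLOCK * BLOCK + slot * ENTRY
            if self.image[off] == 0:  # free slot
                self.image[off:off + 16] = encoded.ljust(16, b"\0")
                self.image[off + 16:off + 20] = start.to_bytes(4, "big")
                self.image[off + 20:off + 24] = len(data).to_bytes(4, "big")
                return
        raise OSError("directory full")

    def list_files(self):
        return [name for _, name, _, _ in self._entries()]

    def read_file(self, name):
        """What the operating system shows: data is reachable only via the directory."""
        for _, n, start, length in self._entries():
            if n == name:
                return bytes(self.image[start * BLOCK:start * BLOCK + length])
        raise FileNotFoundError(name)

    def delete(self, name):
        """Ordinary delete: clear the directory entry, leave the data blocks untouched."""
        for off, n, _, _ in self._entries():
            if n == name:
                self.image[off:off + ENTRY] = bytes(ENTRY)
                return
        raise FileNotFoundError(name)

    def secure_delete(self, name):
        """Overwrite every block the file occupied, then drop the entry."""
        for off, n, start, length in self._entries():
            if n == name:
                nblocks = -(-length // BLOCK)
                self.image[start * BLOCK:(start + nblocks) * BLOCK] = bytes(nblocks * BLOCK)
                self.image[off:off + ENTRY] = bytes(ENTRY)
                return
        raise FileNotFoundError(name)


# Signature carving: the recovery technique ignores the directory table entirely
# and scans the raw bytes for anything that looks like a record.
RECORD_RE = re.compile(rb"PATIENT:[^\n]*\n")


def carve_records(image):
    """Return every record-shaped string found anywhere in the raw image."""
    return [m.group().decode() for m in RECORD_RE.finditer(bytes(image))]


def demo():
    """Return (records carved after plain delete, records carved after overwrite)."""
    plain = ToyDisk()
    plain.write_file("rec001.txt", SAMPLE_RECORD)
    plain.delete("rec001.txt")            # listing is empty, data is still there
    wiped = ToyDisk()
    wiped.write_file("rec002.txt", SAMPLE_RECORD)
    wiped.secure_delete("rec002.txt")     # blocks zeroed before the entry is dropped
    return len(carve_records(plain.image)), len(carve_records(wiped.image))


if __name__ == "__main__":
    print("carved after delete / after overwrite:", demo())
```

The same scan run over a real disk image (with a signature such as a JPEG or PDF header instead of the toy `PATIENT:` marker) is how commodity recovery tools work, which is why a drive that has only had its files deleted, or even been quick-formatted, still yields its contents. One caveat on the overwrite approach: on flash storage (SSDs, memory sticks) the controller may map a logical block to a different physical cell on each write, so a software overwrite is not guaranteed to reach the old data. That is the practical reason the article's advice of physical destruction, rather than a wipe utility, is the safe default for disposal.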
    
Crucially, the careless disposal of confidential data often allows them to do this without anyone knowing the information has been compromised. If that happens, it is obviously impossible to take appropriate countermeasures. Almost any kind of information is valuable to criminals, for example, patients’ records, financial reports, payroll information and personnel data. The unlawful use of such information contributes to an explosion of identity theft crimes that are now estimated to cost the UK about £2 billion every year. Identity theft allows criminals to obtain goods, credit or services in someone else’s name and offenders target both public and private sector providers, including using stolen identities to fraudulently obtain prescription medicines and state benefits.

Legal obligations
The law therefore imposes legal obligations on any organisation that processes personal information, whether about employees, customers, patients, or members of the public. The Act does two things: it tells organisations what types of information they may hold and how it must be safeguarded. It does this through key principles for data protection, including the need for data to be processed in line with the rights of the individual, kept secure and retained no longer than needed. These principles also demand the use of effective means to prevent misuse by destroying personal information at the point of disposal. It is crucial in this respect to understand that the key element of disposal is to render the material both unusable and incapable of being reconstituted.
    
Many infringements of the Act relate to the way in which data is disposed of. The problem can be overcome by employing a professional information destruction service, but despite the ready availability of this common sense solution, companies and organisations continue to be prosecuted for improper practices. Many more escape prosecution because their carelessness is never discovered.
    
It is known that only a small fraction of organisational waste paper and data processing products such as hard drives, CDs, memory sticks and DVDs are destroyed annually by professional firms. By far the majority of such material continues to be disposed of via municipal refuse collection or waste paper reprocessing. Neither method generally involves any kind of secure handling, yet it is inevitable that much confidential data is included in this general waste and therefore a significant cause of avoidable risk. It is not surprising in these circumstances that the rubbish bin is a regular source of prosecutions under the Act, just as it has long been a core element of the private detective’s trade.

Facing liability
The law sets clear rules for the destruction of personal information. It should be carried out by a company which guarantees under contract that processing (destruction) is done securely and effectively. The organisation and its chosen information destruction contractor are then jointly liable for any breaches of the Act. Liability extends to individual managers and data controllers, who could face personal fines up to £5,000 and the prospect of a criminal record. Another possibility is civil action by a complainant, since anyone who suffers damage as a result of contraventions of the Act is entitled to compensation. Convicted organisations could also be subject to future spot checks to ensure compliance. Significantly, it is a defence to show that all reasonable care has been taken to comply and the BSIA’s Information Destruction Section was formed to enable organisations to meet their legal obligations.  
    
The section’s remit is to assure good practice through established standards for the collection, transportation and destruction of confidential material. Its members collect confidential waste at source and provide a fully trackable service up to the point of destruction. The process consists of waste collection by secure transport, inspection, removal and destruction of rubbish, and the shredding, pulping and recycling or incineration of other material. Recent additions to standards and operating practices include the publication of a European Standard for the sector - EN 15713:2009, which was written initially as a code of practice for BSIA member companies, before its development into a British and finally European Standard.
    
EN 15713:2009 describes the essential requirements and operating procedures for a professional information destruction company, including employment practices such as the security vetting of all staff members and details relating to the security of its premises by means of monitored intruder alarms and CCTV systems. Detailed rules are set down for the actual destruction of data, incorporating material-specific shred sizes, and requirements for the security of vehicles used both for the collection and on-site destruction of confidential waste. As well as helping to ensure the highest standards, EN 15713:2009 provides a valuable new benchmark to assist users in choosing a provider. All BSIA Information Destruction Section members will be inspected to the new standard, as part of the audit procedure for their obligatory ISO 9001:2008 quality accreditation.

Improving competence
Another significant development in the sector has been the publication of new National Occupational Standards (NOS), which define the level of competence needed to work in information destruction and increase professionalism. The BSIA worked closely with Skills for Security in developing the new standards, which all member companies are being urged to incorporate into their training practices. The publication encompasses all key activities undertaken within the sector, as well as situations employees are likely to encounter in their day-to-day work. It covers a comprehensive range of topics from customer service to risk assessment, the use of IT, vehicle load security, vehicle and equipment safety and even good driving techniques.
    
The NOS goes into considerable detail in specifying standards of occupational competence for the sector. It deals with all aspects of the operation, including collecting consignments of confidential material, complying with proof of collection requirements and maintaining security during the loading and transportation process. The use of documentation to meet audit trail requirements and comply with relevant legislation is covered in detail, encompassing the use of waste transfer, pre-treatment, collection and delivery notes, vehicle check sheets and certificates of destruction. It goes on to describe performance criteria and essential knowledge for the destruction of data, incorporating the use and maintenance of mobile and on-site equipment. A separate section is devoted to providing a quality service when carrying out information destruction operations, including communicating effectively with customers and colleagues, and identifying ways to improve performance.
    
The BSIA has encouraged all companies operating in secure waste disposal to embrace the NOS, which has clear benefits in terms of creating a highly qualified workforce and raising standards across the industry as a whole.

The British Security Industry Association (BSIA) is the professional trade association of the UK security industry. Its members produce over 70 per cent of the country’s security products and services to strict quality standards. For further information, visit www.bsia.co.uk. The BSIA operates a local rate helpline on 0845 389 3889.

For more information
For further details of the new NOS, visit www.ukstandards.org.uk. To find out more about the BSIA’s work in information destruction visit www.bsia.co.uk/shredding

This story was first published in digitalhealth.net