This story was first published in digitalhealth.net
With National Identity Fraud Prevention Week in October, and the Information Commissioner recently branding health sector data security as a “systemic problem”, there has hardly been a more appropriate time to talk about the way confidential waste is handled in health organisations.
Identity fraud is an issue that has become increasingly prevalent in recent years and can have a huge effect on businesses. If confidential information is stolen from a health sector organisation, the personal details of patients and customers can also be put at risk. Furthermore, health care establishments are running the risk of significant losses, not to mention the loss of reputation and patient confidence, if they are not taking preventative measures to protect their business’ confidential information during the disposal process.
Internally, there are a number of steps that organisations can take to improve the way sensitive information is managed. UK data protection regulation also imposes strict laws as to how data should be handled, and reliable information destruction companies will meet the regulation’s requirements, and also comply with National and European standards.
A systemic problem
The health sector holds heaps of patient and customer information, and sadly has a long history of data breaches, with the Information Commissioner recently branding its approach to data security as a “systemic problem” following the exposure of a further five breaches involving the disclosure of personal information. Moreover, according to a report published by the ICO in the summer of 2010, the NHS topped the list of security breaches reported involving the loss of personal data since November 2007. The publicly-funded healthcare system reported more than 100 breaches due to stolen data or hardware, 87 due to lost data or hardware and 43 cases due to error. Since then, the ICO has called for tightened data disposal procedures. However, with both public and private sectors facing considerable financial pressure, the risk that waste management strategies may be overlooked in an effort to save money is a very real one.
Information security and the law
Under the Data Protection Act, the law imposes obligations on any organisation that processes personal information, whether this relates to employees, customers or members of the public. The act essentially does two things: it tells organisations what types of information they may hold and how it must be safeguarded. It does this through key principles for data protection, including the need for data to be processed and kept securely. The data must be accurate, updated where necessary and kept no longer than needed. These principles also include the use of effective means to prevent misuse by destroying personal information at the point of disposal.
Many infringements of the act relate to the way in which data is disposed of. The problem can only be overcome by treating all personal information in the same way as sensitive financial or medical records, by employing a professional information destruction service. Despite the stark realities behind identity theft and misuse of information, only a small fraction of the annual tonnage of paper waste and data processing products such as hard drives, CDs, memory sticks and DVDs is destroyed by professional information destruction companies. By far the majority of such material continues to be disposed of via municipal refuse collection or waste paper reprocessing.
The law governing the destruction of confidential information is becoming tougher. Changes to the law in 2010 gave additional enforcement powers to the Information Commissioner’s Office (ICO), which can now issue penalty fines of up to £500,000 for breaches of the Data Protection Act, meaning that all organisations in both public and private sectors should be looking towards the services of a professional information destruction company more often, in order to avoid such incidents.
Counting the cost
Almost any kind of personal information is valuable to criminals, whether it be residents’ records, financial reports, payroll information or personnel data. The unlawful use of such information contributes to identity theft crimes, which allow criminals to obtain goods, credit or services in someone else’s name. Offenders target both public and private sector providers, including the use of stolen identities to fraudulently obtain prescription medicines and state benefits.
Data breaches can not only have a negative impact on consumer confidence, but also have serious financial implications. Each individual record lost cost UK organisations an average of £64 in 2009, according to the third annual UK study sponsored by data protection firm, PGP Corporation. According to an annual study by the Ponemon Institute, the cost of UK data breaches increased by seven per cent between 2008 and 2009, and has risen by a staggering 36 per cent in the past two years. Furthermore, an experiment carried out by IT consultancy Navigant Consulting revealed that second-hand PCs contain enough personal data to be a security threat to the previous owner.
Data found on second-hand PCs included names, addresses and photos; staff budgets and payroll schedules including names and salary details, bank account standing order payments and receipts. Patients and customers, as well as businesses, face hefty financial consequences when their personal data security is breached, as well as having to deal with the expensive and time-consuming process of safeguarding or restoring finances and credit ratings.
What can be done internally?
Thankfully, there are a few simple internal steps that can be taken by organisations to reduce the risk of data breaches occurring. Measures include ensuring all unwanted documents, CDs and DVDs are being properly shredded, wiping clean the information held on old computers before disposing of them, and regularly changing network as well as PC passwords. However, leaving shredding to individuals can compromise security as the document is not always thoroughly destroyed and can often be pieced together.
Moreover, it has been known for fraud to be committed as an ‘inside job’ by staff or ex-employees, so confidential waste must therefore be handled by reliable information destruction companies, and placed in a lockable bin with a paper slot or a tamper-proof coded sack. An information destruction supplier should be able to provide sacks that cannot be tampered with and bins to match your office furniture that can only be accessed by key. To provide further protection, each collection and sack should contain a unique code so that customers can access a full audit trail of their paper once it has left the building.
The role of European standards
Compliance with European standards such as EN15713 is a basic thing to look for in prospective information destruction providers. Only by using a compliant information destruction company will customers be able to rest assured that their confidential material is in safe hands. The BSIA was at the forefront of developing this standard, and BSIA members were among the first to work to it.
The EN15713 standard requires that material is destroyed to specific shred sizes and that providers install a monitored intruder alarm and CCTV systems to protect the data while on their premises. It also covers security vetting of all staff members and the security of collection vehicles and on-site data destruction vehicles and machinery.
New era of data destruction
When selecting a data destruction provider, procurers should also ensure that suppliers have procedures in place to safeguard data throughout its whole life cycle.
Despite the economic downturn, environmental issues and corporate social responsibility remain high on the national business agenda, while cost savings within the public sector are of particular importance. Recycling plays a huge part in delivering both of these priorities, and plays an essential part in demonstrating an organisation’s green credentials.
A new scheme, pioneered by a BSIA member, ensures compliance with data protection regulation while implementing sustainable waste management services that can result in multiple business benefits, not least significant cost savings. The scheme, known as ‘closed loop recycling’, ensures ultimate data security by returning recycled paper back to the client after processing.
Closed loop recycling works like this: the information destruction company collects confidential waste paper from the client, shreds it and bales it. Next, the paper is sent to a collaborating paper mill, where it is recycled and turned into ‘new’ office paper. This is then sold back to the client company at a competitive rate.
The success of the scheme is largely due to the positive cooperation between all parties, and to date 325 tonnes of paper have been shredded and recycled, saving 5,514 trees and helping 729 m³ of waste avoid landfill.
Moreover, the client company is granted peace of mind, knowing that its waste is being handled in line with European and UK regulation, and is benefiting from considerable return on investment due to the savings made by buying back the original paper once it has been recycled. More than half of the paper used by the client firm’s 2,500 partners and staff in its London office is now in fact recycled paper acquired through this scheme.
Choosing a quality provider
It becomes apparent, therefore, how to avoid making costly mistakes. Health sector organisations should choose a trusted information destruction supplier who will dispose of their data correctly and in accordance with current laws.
Members of the BSIA’s Information Destruction section adhere to strict quality standards, such as EN15713, and are inspected to ISO 9001.
For more information
www.bsia.co.uk