Setting Data Standards

With identity fraud continuing to threaten our society, institutions of all sizes should take extra precaution when destroying information, regardless of the material. The careless disposal of data often enables criminals to steal identities or conduct fraudulent transactions without anyone noticing. In addition, data breaches carry with them hefty fines and result in significant reductions in consumer confidence. This can be extremely damaging for all kinds of organisations, in particular within the health sector, where patients’ trust is an absolute requisite.

The £70,000 fine imposed on the NHS in April is just the latest in a string of moves that have highlighted a tougher attitude by regulators towards companies that handle their data ineffectively or fall victim to breaches.

Confidential data handling
Earlier in the year, a new framework to ensure consistency throughout all EU member states was unveiled by European Justice Commissioner, Viviane Reding. The framework, which applies to all 27 European member states, requires organisations to report any breaches within 24 hours and to employ a Data Protection Officer if they have 250 staff or more, and warns that businesses may be fined up to 2 per cent of turnover for a data breach. Critics of the framework have questioned some of its aspects, including the strict 24-hour cut-off time for data breach notifications. However, the reality is that these changes are asking companies to make an even bigger commitment to their confidential data handling processes, and take responsibility for any shortfalls in their security strategies.

Research undertaken last year by the BSIA uncovered serious gaps in how data disposal is handled by public and private sector organisations. One worrying statistic is that a third of organisations questioned are still relying on standard municipal waste disposal to deal with even the most sensitive of their information destruction needs, with all the dangers that entails. Significantly, the same piece of research showed that nearly 19 per cent of organisations had been a victim of serious data fraud. Where such data breaches occurred, respondents noted that half of these involved paper, and the rest were related to computer hard-drives. This demonstrated that, even in a world where cyber threats are continuously increasing, paying attention to the way physical material, such as paper, storage devices and branded goods, is destroyed is still a crucial aspect of security.

Adhering to the standard
Given the potential for breaches and the essential task they perform, any company bidding for information destruction work should, as a prerequisite, be able to provide conclusive proof that they adhere to a strict code of ethics and satisfy the provisions laid out in the pivotal European Standard EN 15713. The standard provides information destruction companies with recommendations for the management and control of collection, transportation, destruction of confidential material and recycling to ensure such material is disposed of securely and safely.

This is particularly essential in a sector where the sensitive nature of the documents and materials dealt with - including patient records ranging from demographic data such as age, occupation and race to addresses and contact details, health condition and financial details - requires the tightest of procedures in order to ensure maximum security for the information held.

As revealed by the same research carried out last year by the BSIA, only 50 per cent of facilities managers who have taken the step to outsource data disposal knew whether their provider actually complied with EN15713. This is concerning, as the BSIA believes it should be the first question asked of any secure waste disposal business by a prospective customer.

Further information
The BSIA’s Information Destruction section played an active part in the development of EN15713, and to help educate end-users on its importance, the Association earlier in the year launched a one-page, easy-to-understand informational leaflet providing its key points of consideration. This can be downloaded from the BSIA’s Information Destruction Guidance website. To find out more, visit www.bsia.co.uk

 


This story was first published in digitalhealth.net
