Follow the paper trail: don't bin it, shred it!
Do you ever wonder what happens to that piece of paper – that meeting agenda with your colleagues’ names on it, that invoice you no longer need, that report that identifies information pertinent to your client’s business – that you put in the waste or recycle bin? If you did, perhaps you’d be more reluctant to put it there rather than somewhere more secure, a locked console for example.
Where do you think that paper goes? One minute it’s in your hands; the next, it’s a shiny new piece of paper, recycled and ready for use? Unfortunately, it doesn’t work like that. In fact, a document discarded in a workstation bin or an open recycling bin is likely to face 50% more ‘touch points’ (opportunities for material to go astray) than one that goes through a secure document disposal process.
When you dispose of material in a wastepaper bin, there is no guarantee where your information could end up. If you're lucky, it'll be buried in landfill or in a recycling plant, never to be seen by human eyes again. If you're unlucky, however, it could end up anywhere in the world, forming the basis of a stolen identity, for example, or giving an insider trader something to smile about. Once that document is in the bin, you have lost control of it, but one thing that you won’t have lost is your responsibility for that piece of information.
Under the Data Protection Act (DPA), you, as an individual, and your organisation are responsible for confidential information you have gathered in the course of business throughout its life-cycle. And although that piece of paper in the bin may not physically be in your possession for long, and may instead be in the hands of thieves, you are still responsible for it.
This could lead to serious repercussions for your business. Try explaining to one of your employees who has just had their identity stolen that you didn’t realise you were doing anything wrong when you discarded a document with their personal details on it. Try telling your client whose new business deal has been picked up by competitors that you didn’t think it would matter if you threw away those meeting notes because you didn't expect that a fraudster would get hold of them. But the simple fact is that fraudsters do. Aside from the reputational damage that you could face, there is also a risk that you could get slapped with a hefty fine by the ICO.
Often, data is disposed of in wastepaper or recycling bins because companies don’t have a strong data security policy in place that all employees understand and are aware of. Take some time to ask yourself these questions and see if there’s more you could be doing to protect your confidential information:
- At what point does your confidential information become ‘waste’?
- If your confidential information was ‘waste’, why would anyone want to steal it? Would you be worried if your competitor found it? Would your client?
- What could you be fined for?
- What are your organisation’s internal procedures when it comes to information security (hard and soft copy)?
- Are these documented or enforced and do all employees know about them?
- When was the last time information security procedures were reviewed and independently audited?
- How do existing information security processes prevent sensitive and confidential information from entering the waste stream?
- Are you certain that every employee in every location is fully compliant with the correct security processes? Would they all agree on the same documents being confidential?
- What would the consequences of a data breach be for your organisation?
- Who would be ultimately responsible for a data breach internally?
- How compliant is your organisation with data protection policies, best practice and legislation?
Our guide to information security will help you understand your information security responsibilities and the consequences of not taking them seriously. Join the conversation with @Shredit_UK