Document Destruction: Sweeping Responsibility under the Rug
Document Destruction: Sweeping Responsibility under the Rug
Month Date, 2008: For the lucky few organisations, the destruction of documents is already a well maintained and streamlined process, with a full understanding of the risks of removing data without proper destruction methods. The majority of Australian organisations however, have been sleeping on the idea, letting it drift to the far reaches of the corporate mind and are only now waking up to the fact that a full scale privacy review is about to land and could change the face of privacy legislation for good.
In the digital age when your inbox receives far more daily correspondence than the mailbox at the front door, it’s still surprising just how much paper we generate and rely on every day. The fax machine industry is still thriving while print companies still have a license to print money, this of course leads to an abundance of information records being produced and something must be done with them.
Information managers the world over can rattle off several different filing methods and ways to alleviate archival issues, but ask the question of document destruction and you’ll get blank stares from those in the southern hemisphere. The countries north of the equator have for many years been knee deep in document destruction legislation, knowing all too well about the approved methods of disposing of important files, especially those filled to the brim with personal information.
Australia can’t blame the distance from the world’s dividing line for our lack of document destruction legislation, but rather the lack of a major Government review of the privacy act since 1988. Despite the almost non-existent possibility that this was done because everyone enjoys a good 20 year reunion, the privacy review began last year is drawing to a close with the hotly anticipated results due at the end of March.
“This review is the first one since 1988, if you look at the change in technology in the last 20 years then you can see how overdue it is,” said Graeme Holland, founding member of the National Association for Information Destruction (NAID).
NAID has made a submission to the privacy report and has since had two meetings with the privacy commissioner; a third meeting is scheduled for the end of March. Holland believes that the new Government probably has numerous things to consider with privacy, so office records are only one piece of a larger picture. The importance of this piece of the privacy puzzle shouldn’t be understated though, especially when there’s so much at stake.
The repercussions of poor document destruction policies can be devastating and come from a wide variety of channels. Holland explains that many companies fail to understand the risks and could end up with brand reputation damage from sensitive documents being leaked to the public. The industry has coined the term ‘dumpster-diving’ for the identity thieves who trawl through landfill sites in search of documents that will give them a bountiful harvest of personal details to sell off.
“Prevention is far better than cure, anyone who’s had their credit card details duplicated would understand that even if you have the funds restored, the painful cost of time to rectify the problem,” said Holland.
Where did my details go?
The value of personal information has risen dramatically in the last couple of years, particularly with the rise of credit card fraud and the increasing sophistication of criminals. One of the glaring areas where this has become most apparent is with electronic records, especially when dealing with discarded e-waste. Whether it is old computers, laptops, PDA’s or even mobile phones, organisations are often throwing out unsecured records which they never intended to release.
The most common example of e-waste leading to data loss is through hard drives, which are often carelessly tossed out intact with only their connector cables removed. The average identity thief can make short work of a hard drive, even one where the files have been deleted, thanks to the sophistication of file restore software.
Holland explains that on average most organisations don’t have a policy or even a checklist in place for the secure destruction of documents. This has lead to extensive data losses, which many organisations aren’t publicising for obvious reasons and are trying to keep quiet as much as possible. In the long run this kind of approach is only worsening the matter and organisations are starting to look towards making their first foray into secure document destruction.
“The first place organisations need to start is to really look at their internal policies and examine the entire lifecycle of waste management to secure all records and develop a chain of custody,” said Holland.
One of the other pitfalls Holland thinks organisations should watch out for is the actual practices employed by third party services. While most organisations will look towards outsourcing document destruction, they need to be careful that the companies they use are employing secure methods.
“Organisations need to look out for companies who aren’t employing NAID certified methods, as many services aren’t even shredding the documents they’re supposed to be destroying. Often they will shred for a large financial institution like a bank, but they won’t shred documents for Joe Blogs because again there is no chain of custody”
According to Holland there are around 40 companies advertising document destruction services in each state, with only about 4 of these providing their own shredding. While we could be a long way off from having legal requirements forcing organisations to have locked waste paper baskets parked next to all the office machinery, it shouldn’t be that far fetched to think those that do are being taken away to secure shredding facilities.
“There are other problem areas, for instance if you look at SME’s then it’s not uncommon for documents to be taken home and put in your standard domestic recycling bin, this will then go through several checkpoints which are completely unsecured and each one could jeopardise the organisation,” explained Holland.
Theo St.James, Principal and Founder of the National Document Shredding Service explains that organisations shouldn’t be concerned about what they can get rid of as the standard 7 year rule allows for anything to be put through the steel teeth.
“The security act of 2000 says that documents with sensitive personal information must be destroyed in a proper, efficient manner,” continued St.James. “This area is more important than people realise, there is $10 billion worth of identity theft each year, people are dumpster diving and recovering abandoned hard drives all the time.”
According to St.James, any company that’s listed in the yellow pages needs to be preparing a document destruction policy, “flick it open to any page and put a pin anywhere and you will see a company who needs to be doing it” he said.