Members of the British Security Industry Association’s (BSIA) Information Destruction section are reminding organisations of their obligations under the Data Protection Act and the importance of secure data shredding. This warning comes following last week’s allegations that a Scotland Yard intelligence unit shredded a large number of files relating to the Pitchford public inquiry.
The Independent Police Complaints Commission (IPCC) announced on Wednesday (8th February 2017) that it was investigating claims that documents had been shredded despite a specific instruction to preserve the files.
Whilst the investigation is ongoing, it has highlighted the clear need for organisations to ensure that they have up-to-date governance policies and procedures that effectively control when and how items should be destroyed. There is also a need for a responsible person within an organisation to have an understanding of the Data Protection Act and their own company’s corporate governance requirements to ensure that the collection, retention and disposal of confidential data are done correctly.
Don Robins, Chairman of the BSIA’s Information Destruction section, comments: “When it comes to the disposal of documents or data, it is the loss of confidential information that most organisations fear as this can lead to significant financial or reputational loss. Where there is a requirement to shred data, the destruction should be signed off by a person within the organisation who has the authority to do so. Materials shredded correctly are not recoverable - in our industry, destroyed means destroyed.
“If the destruction is outsourced, organisations should ensure that they only entrust the work to quality, professional destruction service providers,” adds Don.
The BSIA recommends that when selecting an information destruction service provider, steps are taken to ensure that the provider will protect data until it has been safely destroyed. This includes making sure that the provider uses security-cleared personnel, has clear and secure procedures from collection through to destruction, and can provide a certificate of destruction.
A reputable supplier will also comply with the essential European standard BS EN 15713:2009 for security shredding, as well as BS 7858 for staff vetting. These standards ensure that the companies providing data destruction services are doing so in a secure manner which provides maximum security for your information.
Don adds: “Organisations should also be asking for references from their supplier and making sure that they know who the actual destruction service provider is. Check that they are members of a professional trade body – such as the BSIA – and draw up a contract with explicit requirements”.