The results of an extremely thorough study – designed to coincide with the BSIA’s appearance at United Business Media-run event Total Workplace Management (TWM) – underline the fact that, despite widely reported data breaches and numerous cases of identity fraud, there remains a serious laxity in how data disposal is handled by both public and private sector organisations across the UK.
A particularly worrying statistic to emerge from the study is that one third of organisations questioned are still reliant on standard municipal waste disposal procedures to deal with even the most sensitive of their information destruction needs. To say they’re courting danger in doing so would be to substantially understate the point.
Equally significant, the BSIA Information Destruction (ID) Section-commissioned research highlights that nigh on 20% of organisations have, at some point, been the victim of serious data fraud.
Where such data breaches occurred, it was noted by the survey respondents that half of these security incidents involved paper – in turn demonstrating the need for effective shredding practices – while the remainder related to computer hard drives.
The loss of data from the latter is perhaps not surprising given the number of national news headline-grabbing cases in recent years concerning breaches of confidential patient information and customer details, not to mention the sheer quantity of information now stored by way of this method.
In terms of how respondents view the threat posed by the loss of confidential information to their organisations, 79% of those who completed the survey suggested that, over the past 12 months, the danger had either increased or remained the same.
What this shows is that there’s absolutely no room for complacency where information destruction Best Practice is concerned.
‘Sticking plaster’ approach “not good enough”
Speaking to SMT Online at the TWM event (held last week at London’s Olympia exhibition venue), Russell Harris – chairman of the BSIA’s ID Section – explained: “Our research highlights the fact that much more needs to be done by organisations to protect themselves against the threat of data breaches as well as the potential for the loss of commercially sensitive information, or details which could otherwise lead to identity fraud.”
Tellingly, Harris continued: “A ‘sticking plaster’ approach is simply not good enough.”
He added: “What’s more, we also need to ensure that organisations understand the sanctions which may be imposed upon them – including substantial fines – if they don’t comply with the requirements of the Data Protection Act.”
Worryingly, this latest research pinpoints that only 50% of the organisations questioned are actually using a professional company to oversee the destruction of their confidential data: a somewhat surprising revelation given the risks involved with not doing so.
Even more concerning is that, within this number, only 50% of those who’ve decided to outsource their data disposal actually know whether their service provider is fully compliant with the pivotal European Standard EN 15713.
Crucially, the BSIA’s ID Section believes that this should be one of the first questions asked of any secure waste disposal business by a prospective customer.
“For information destruction, as the survey shows, paper has to remain a key focus,” continued Harris. “Without the right management systems in place, important documents can so easily be discarded with less sensitive waste, leaving it open for criminal elements to find and use. Also, computer-related equipment may be problematic if not handled correctly. There may be tens of thousands of confidential records on a single hard drive.”
It appears that too many purchasers of information destruction services are still buying on price and not asking any questions about standards or the necessary Best Practice features that must play a part in the solutions providers’ remit.
On a more positive note, Harris is encouraged by the fact that a number of organisations are indeed now turning towards professional information destruction providers for assistance, but even then there’s still an important caveat to bear in mind.
“Not only should more companies be following the lead taken by these organisations [a 50% take-up still leaves a serious gap in provision], but it’s also imperative that when doing so they ensure such companies are working to Best Practice standards. EN 15713 is one of those standards.”
The survey also sought to discover exactly who within organisations is directly responsible for compliance in relation to, for example, the Data Protection Act. In around 38% of cases it’s the IT manager taking the lead, followed by the managing director (on 19%) and the facilities manager (at 16%).
In 2010, it was widely reported – on SMT Online and elsewhere – that changes had been made to the enforcement powers administered by the Information Commissioner’s Office (ICO), and in particular to its ability to impose penalty fines of up to £500,000 upon those who breach their Data Protection Act obligations.
Nonetheless, of those questioned, fewer than 40% were aware of this development. In tandem, there are many who say the fines that may be imposed are still at far too low a level to act as a meaningful deterrent.
Government minister forced to apologise
Last Friday morning, Government minister Oliver Letwin – who’s presently tasked with developing policies within the Cabinet Office – had to apologise for disposing of parliamentary papers (among them constituents’ letters) in a public bin.
The Daily Mirror reported that Letwin had thrown out more than 100 papers. The Tory minister and MP for West Dorset subsequently informed the BBC he hadn’t disposed of Government or classified papers, but that would be to miss the point entirely.
The point is that members of the public take their lead from those who govern us and are in positions of power. They set the benchmark and, in parallel, must practise what they preach – and be seen to be doing so – particularly where the subject of security is concerned.
In all honesty, Letwin’s actions represent a serious faux pas in an age where identity theft is now one of the biggest and most serious problems facing the authorities. Indeed, it’s an issue that costs the UK no less than £1.7 billion per annum.
Downing Street was swift to issue a statement about the incident, claiming that Letwin’s methods are “clearly not a sensible way to dispose of documents”. Indeed so. For its part, the Labour Party has, not surprisingly, asked for an inquiry.
“The news splashed across the media on Friday that a Government minister was photographed putting sensitive documents into a bin in a London park once again serves to illustrate the need for everyone to take great care in the way that they dispose of data in both their private and working lives,” explained Russell Harris.
“The reality is that once information falls into the wrong hands, and there are plenty of criminals out there who will engage in activities such as data fraud, there can really be little control exercised over how it’s ultimately used.”
Decade at the forefront of secure information destruction
The BSIA’s ID Section celebrated its tenth anniversary during the TWM exhibition.
The ID Section remains very much at the forefront of Best Practice and industry standards when it comes to the handling and disposal of confidential waste. The work of its members ties in with the specific obligations of organisations of all types and sizes under the Data Protection Act.
Today, this division of the BSIA numbers 40 member companies who, between them, are responsible for safely – and securely – destroying in excess of 300,000 tonnes of confidential waste each year.
To put this into perspective, the waste processed by BSIA ID Section companies is equivalent in weight to 15 of the Royal Navy’s Invincible class aircraft carriers.
The type of sensitive waste being disposed of is extremely varied. It includes paper, DVDs and IT equipment such as computer hard drives and related media.
Alongside this, the Section’s members are also responsible for destroying items that could – potentially, at least – be problematic should they fall into the wrong hands (for instance, branded products and uniforms deemed surplus to requirements).
To underline the professional approach BSIA ID Section members take to the way in which they do business, and information destruction in particular, all members must adhere to a strict code of ethics and comply with security requirements set out in EN 15713 (including site security, material specific shred sizes, recording the destruction process and the vetting of staff to BS 7858).
In addition, all BSIA companies are required to be ISO 9001:2008 accredited.
The selection of an appropriate information destruction provider is undoubtedly a critical issue for organisations given the fact that identity fraud alone is estimated to cost the UK economy £1.7 billion on an annual basis.
Not surprisingly, the BSIA’s ID Section advises that “great care” should be taken in this area. Unfortunately – and as the survey produced for TWM shows – far too high a number of organisations who’ve outsourced their information destruction requirements have suffered at the hands of unscrupulous providers.
Typically, they only find out at a later date – by which time sensitive data has already been exposed – that hard drives they thought were wiped or documents they believed to have been shredded had not been processed professionally but simply sold on, dumped with normal municipal waste or disposed of through fly-tipping.
Yesterday’s challenges still in evidence today
“We’re delighted to have reached the major milestone of ten years since the formation of the ID Section,” stated Harris.
“Sadly, the challenges of secure information destruction evident back in 2001 have not gone away. Given the exponential growth in the type and format of confidential information which needs to be disposed of, the imperative of adopting a Best Practice approach to avoid data falling into the wrong hands – and to ensure compliance with measures like the Data Protection Act – has never been greater.”
The good news is that awareness levels of the need for vigilance are at an all-time high in light of a number of widely reported data breaches, the NHS and the financial services sector most notably in the spotlight given the personal nature of the data they hold.
“For our part,” outlined Harris, “all BSIA ID Section members have to meet rigorous criteria in order to join. We also offer guidance on the selection of Information Destruction providers and, earlier this year, hosted a key breakfast briefing for senior Trade Association staff on the issue. In June we held our second Information Destruction Exhibition and Conference in Birmingham.”
At a wider environmental level, BSIA ID Section members are playing a pioneering role in implementing sustainable waste management strategies. One award-winning scheme run by a member company – and involving closed loop recycling and information destruction – has so far resulted in 325 tonnes of paper being shredded and recycled, 5,514 trees saved and 729 m³ of waste destined for landfill avoided.
Fast facts: the cost of inadequate data management and destruction
The penalties for organisations that fail to take effective measures are increasing. The Information Commissioner’s Office can now issue fines of up to £500,000 to any business operation found to be non-compliant with the Data Protection Act.
The public sector remains one of the biggest offenders. A study by the ICO published in the summer of 2010 showed that the NHS has topped the list for the loss of personal data since November 2007. That’s not a record to be proud of in any way, shape or form.
It was reported in May 2009 that researchers from BT and the University of Glamorgan who bought 300 second-hand computer hard drives in America, the UK, Germany, France and Australia found that 34% still contained sensitive data.
In the worst examples highlighted at the time, one hard drive contained confidential patient information from a Scottish hospital, including medical records, x-ray details and letters, all of which could be accessed through standard recovery techniques.
On another hard drive, researchers discovered details of a classified US missile defence programme.
The implications of carelessly handling and disposing of data can be enormous, particularly given the potential number of data sets that may be involved.
Average cost of a data breach
According to an annual UK study sponsored by data protection firm PGP Corporation, last year the average cost of a data breach reached £1.9 million, having risen for three successive years. The cost of each individual record lost was an average of £71, representing a 13% increase year-on-year.
In light of the extent of the problem, it’s perhaps not surprising that there’s widespread concern over the handling of sensitive data. This was underlined by an ICO survey which found that 94% of the general public selected protecting personal information as one of their main concerns. That’s on a par with preventing crime and ahead of the NHS (at 88%) and national security (87%).