Confidential data destruction and the Data Protection Act

James Kelly, chief executive of the British Security Industry Association, discusses the importance of secure data destruction for public sector organisations to comply with the Data Protection Act’s seventh principle.

Breaching the Data Protection Act carries severe consequences and can lead to heavy monetary fines or even prosecution. For organisations in the public sector, these consequences can be even further reaching, with a breach of the Data Protection Act posing a huge risk to organisational reputation and further pressure on already strained resources.

Unfortunately, you don’t have to look too far to find examples of where public sector organisations have fallen short of their obligations under the Data Protection Act. Indeed, a simple search on the Information Commissioner’s Office’s website shows that public sector organisations have been fined in excess of half a million pounds since January 2016 alone.

These fines have been handed out for a variety of misconducts that have led to a breach of the Data Protection Act. Under the Data Protection Act 1998, everyone responsible for using data has to follow the data protection principles. These include: ensuring that data is used fairly and lawfully; for limited, specifically stated purposes; used in a way that is adequate, relevant and not excessive; accurate; kept for no longer than is absolutely necessary; handled according to people’s data protection rights; kept safe and secure; and is not transferred outside the European Economic Area without adequate protection. Failing to abide by these principles can put a person’s information at risk which can lead to identity theft and fraudulent activity. Therefore, it is vitally important that businesses of all sizes – that use data – understand their obligations under the Data Protection Act.

The seventh principle of the Data Protection Act stipulates that a business must take appropriate measures against accidental loss, destruction or damage to personal data and against unlawful processing of the data. To fully comply with the Data Protection Act, a handler must have a written contract with a company capable of handling confidential waste, which can provide a guarantee that all aspects of collection and destruction are carried out in a secure and compliant manner. To ensure this, suppliers should comply with European Standard BS EN 15713:2009 for security shredding and also BS 7858 for staff vetting.

Case study
One such example, where a public sector organisation breached the Data Protection Act for not taking the appropriate level of care when disposing of data, occurred in 2013. The now disbanded NHS Surrey moved away from its approved information destruction supplier and handed over old computers to a new service provider, without ensuring that the thousands of patient records they contained had been deleted. Subsequently, the computers were sold via an online auction site, causing the ICO to levy a hefty £200,000 fine against the NHS Trust in question.

At the time, the British Security Industry Association (BSIA) conducted a survey of healthcare professionals, which identified a number of issues and trends associated with the secure destruction of information, whether held on paper or data processing related media. Interestingly, 27 per cent of those completing the survey were aware of a significant data loss incident in their organisation. Of these, two-thirds said that the data breach was a direct result of incorrect disposal whilst, worryingly, another third attributed the loss to the action of criminals, such as theft.

The importance of EN 15713 BS EN 15713:2009 should be a crucial requirement for organisations of all types and sizes, as it provides recommendations for the management and control of collection, transportation and destruction of confidential material and recycling to ensure such material is disposed of securely and safely. The BSIA’s Information Destruction section was a key player in the development of EN 15713 and helped to provide specifications on how the processes should be handled within the secure data destruction industry.

Adam Chandler, chairman of the BSIA’s Information Destruction section, believes that it is important for end-users in the public sector to have an understanding of the various elements of EN 15713 in order to make informed procurement decisions and ensure that they meet the requirements of the seventh principle of the Data Protection Act.

Chandler explains: “Essentially, EN 15713 ensures that companies providing data destruction services are doing so in a secure manner which provides maximum security for end-users’ information. The standard covers a number of key aspects of a data destruction service, from premises to personnel and a company providing data destruction services will need to meet these requirements to comply with the standard.

“The standard requires that premises used for confidential data destruction must have an administration office where the necessary records and documentation is kept for conducting business, which should be isolated from other business or activities on the same site. An intruder alarm installed to EN 50131-1 and monitored by an Alarm Receiving Centre should be present and the premises should also have a CCTV system with recording facilities monitoring the unloading, storage and processing areas. CCTV images should be retained for a minimum of 31 days unless otherwise agreed with the client.

“A written contract covering all transactions should exist between the client and the supplier and any sub‑contracted work should only be allocated to other companies compliant with EN 15713. The client should be made aware if any sub-contractors are used. All staff should be screened in accordance with BS 7858 – Security screening of individuals employed in a security environment Code of Practice – and should sign a deed of confidentiality prior to employment.

“Confidential material should remain protected from unauthorised access from the point of collection to complete destruction and should only be collected by uniformed and suitably trained staff carrying photographic identification.

The destruction of confidential material should take place within one working day from arrival at the destruction centre, where shredding is taking place away from a customers’ site.

There are also a number of requirements relating to the use of vehicles for the collection and transportation of confidential material, or the destruction of confidential material on a customer’s site. These include the ability to communicate via radio or telephone to the home base, the ability to be closed and locked or sealed during transit and the ability to be immobilised or alarmed when left unattended.”

Procurement and guidance
The BSIA’s Information Destruction section has produced a comprehensive, step‑by‑step guide to help end-users to navigate and understand EN 15713, which provides a full list of the requirements which information destruction companies should meet to be compliant with the standard. This guide also offers some additional recommendations on other areas of best practice which aren’t requirements under EN 15713, to help end-users make informed decisions when it comes to procuring or renewing information destruction services.

Using the information provided in this guide, along with the range of other publications published by the BSIA’s Information Destruction service – which includes a guide to the Data Protection Act for end-users and
a guide to information destruction in the public sector, can help businesses to understand their obligations to good data management.

Businesses can also find a range of information to help them comply with the Data Protection Act on the Information Commissioner’s website
(www.ico.org.uk), including the recently launched SME Self‑Assessment Tool. Launched in early February, the tool helps small and medium sized organisations to assess their compliance with the Data Protection Act and was welcomed by the BSIA’s Information Destruction section.

Chandler commented: “The self-assessment tool provides SMEs with a fantastic opportunity to ensure that they comply with the Data Protection Act. Compliance will help to reduce reputational risk and ensure that directors are not faced with fines or prison sentences for non-compliance.

“Users can take part in a comprehensive assessment covering all areas of the Act, or alternatively, break the assessment down into separate checklists tailored to their particular needs and risks. If you have concerns about your current confidential information destruction procedures, a good place to start is with some of the freely available information published by the BSIA’s Information Destruction section or to consult one of our members who would be happy to offer you guidance.”

The BSIA’s Information Destruction section consists of companies that securely destroy a range of confidential information, including paper, DVDs, computer hard-drives and other items that could potentially cause problems if they fell into the wrong hands, such as branded products and uniforms.

All members of the BSIA’s Information Destruction section are compliant with EN 15713 as part of their ISO 9001:2008 inspection and are committed to promoting best practice within the industry.

Further Information
www.bsia.co.uk