The damaging effect of careless data disposal

Key decision makers at educational establishments have a wide variety of responsibilities and when it comes to school security, there are many aspects to consider. Along with securing valuable on‑site equipment, at the forefront of many people’s minds will be the protection of the staff and students themselves. This sort of security extends beyond the direct protection of personnel, and applies to all the data stored within a school containing important information regarding pupils and staff. 

Careless disposal of this kind of information can be detrimental to an establishment and if placed in the wrong hands, opportunists can find ways of using the information to their advantage.

Consequently, it would not just be the immediate repercussions that a school would face if their data security had been breached. Non-secure disposal of data can also lead to long-term damage to a school’s reputation, painting it in an inevitable negative light. Therefore, it is a key responsibility for educational establishments to enlist a professional and trusted provider to dispose of this kind of information.

The Data Protection Act
The Data Protection Act 1998 has ensured that proficient information destruction procedures carry a greater importance to all kinds of institutions. Brought into force in March 2000, replacing the 1984 Act, it aims to balance the rights of the individuals and the organisations who are legitimately holding and using their information. Covered under the act are all personal data including paper and computer records, CDs and disks from which a living person can be identified – most of which can be found inside a school.

Technically, a school is considered to be a ‘data controller’ and must therefore comply with the Act. Consequently, when disposing of personal data an organisation must ensure that it complies with certain obligations under the Act. In terms of security, it is recommended that leaders within an establishment prepare a policy that sets out their commitment to information security. It is also important to ensure that members of staff are fully aware of their responsibilities regarding the security of information, and that they aware that data to be destroyed should not be accessed or used for any other purpose other than that what is required to complete the destruction process.

The Government particularly recognises the significance of this responsibility, and in 2010 the Information Commissioner’s Office (ICO) was given additional enforcement powers resulting in them being able to issue penalty fines of up to £500,000 in the case of a data breach. Simply discarding data is not enough – it must be destroyed securely and by a professional company.

What is information destruction?
Society has become increasingly focused on personal privacy and wider confidentiality, meaning that there is a greater scrutiny of any organisation’s performance in relation to this issue. Perceived shortcomings in this area, as mentioned, can lead to a damaged reputation and a perception that a school – for example – is not concerned with the overall safety of its staff and students. Information destruction companies can advise establishments on these areas and make the necessary arrangements to ensure that information is destroyed properly.

Information destruction itself ensures the secure disposal of information in all of its different forms. This ranges from paper, credit cards, SIM cards and media equipment with important information on such as CDs, DVDS, hard disks, and hard drives. It also includes the destruction of branded products such as uniforms, which imaginably, if retrieved by the wrong person, could pose a great risk to a school. All of these types of confidential materials are then destroyed, either on-site or off-site, to the extent that they may never be reconstructed. The customer should then be provided with a full audit trail, which includes certification of destruction.

Product destruction is the fastest growing sector of the information destruction industry. Each year, BSIA information destruction companies destroy 200,000 tonnes of confidential waste – this includes non-paper material such as IT equipment and audio and videotapes. Through a secure destruction process, the losses through fraud of all types can be significantly reduced. To guarantee a professional service, decision makers must ensure that the company they entrust with their information destruction is reliable and operates to industry standards.

Meeting the standard
Many professionals who are responsible for appointing information destruction companies may not be aware of the fact that there are particular standards these companies should meet. Such standards guarantee that the service being provided is secure and professional, another requirement of the Data Protection Act.

One of these standards is the key European standard for information destruction, EN15713. This standard includes a range of requirements that an information destruction company must meet, such as having an administration office on-site where records and documentation are kept for conducting business. In terms of security measures, intruder alarms that are closely monitored by an Alarm Receiving Centre (ARC) should be installed on the property and CCTV should be placed at the points where the unloading, storage and processing of information is conducted. The vehicles that transport the information due to be destroyed should also be fully secure.

Putting your data destruction needs in the hands of a company that not only complies to EN15713:2009, but has it incorporated into their quality management system ISO 9001 and is inspected against it, is of crucial importance in ensuring the reliability of the services and products provided. Companies who are compliant with these standards have met a certain number of conditions, including: demonstrating that their confidential destruction premises are secured and managed in the appropriate way – avoiding contamination or security breaches, having a clear and accurate process in place to ensure all contracts with clients, suppliers and sub-contractors are up to standard, informing clients wherever sub contractors are used, undergoing staff screening and vetting against British Standard BS7858, and having in place tested, secure and appropriate processes for the collection, retention and destruction of confidential material.

There is also a British standard that these companies should comply with, BS 8470, which includes the identification of product specific shredding sizes, guaranteeing that the information is destroyed to the point of irrepairability. BSIA information destruction companies are inspected to both of these standards, amongst many other important principles, making them reliable service providers.

How aware is the education sector?
In 2012, the BSIA carried out some research on behalf of its Information Destruction section, in order to find out how information destruction is being used and viewed. Part of the research consisted of two separate surveys – one which was received by head teachers, deputy heads, teaching staff, bursars and administrators from nearly 100 schools across the United Kingdom, with the other surveying members of the BSIA’s Information Destruction section.

The information gained from the education survey proved to be somewhat concerning, with attitudes to sensitive data disposal appearing lax. One third of those answering the school survey reported that they had not received training or guidance regarding data protection issues. In addition, 79 per cent also felt that the threat posed by lost or inadequately disposed of data had either increased or stayed the same over the previous year.

Worryingly, only 34 per cent confirmed that they used a professional information destruction company; the remaining 66 per cent either did not use one or were unsure of whether they did. Only half of those who used a professional provider were aware if their operator met with the European standard.

The survey of section members revealed that the education sector is a key market for member companies, with 87 per cent of those surveyed stating that they had supplied a service within this area over the last year. Prior to using a BSIA member, members revealed that in their experiences 43 per cent of cases had used local authorities or general waste as means for disposal, with a mere 14.3 per cent of establishments relying on a provider with a similar quality level to that of BSIA companies.

Both surveys found that the key decision makers in regards to data protection in schools were head teachers and bursars.

Speaking on the results, Anthony Pearlgood, Chairman of the BSIA’s Information Destruction Section, commented: “The results of this survey serve to underline the fact that educational establishments need to place a renewed focus on how they deal with information destruction.

“Given the repercussions when things go wrong it is imperative that this process is handled in a professional manner and, where it is being outsourced, that searching questions are asked to ensure that any provider is actually working to the pivotal EN15713 standard.”

BSIA information destruction members are all inspected to these fundamental standards and can offer their confidential services within the educational sector.

It is vital that schools do not take short cuts when disposing of important information. When choosing a supplier, be sure to research the company efficiently and check that they meet with the standards that will ensure a safe, quality and professional removal service. BSIA members can provide just that.