Insufficient data disposal can destruct more than reputations

At a time when sufficient information destruction is of the utmost importance, according to a BBC report earlier this year, identity fraud more than doubled in value to £26.3 million last year, with counterfeit goods’ fraud coming in at a five-year high. While this rise in risk of fraud is predominantly faced by British businesses, schools should be taking precautionary measures to ensure that the education sector does not see a similar rise.

The research also suggested that insider fraud was to blame for more than 80 per cent of fraud-related financial losses in 2012, highlighting the importance of secure data management and destruction in avoiding financial and reputational losses.

Time and inconvenience
Speaking about the revealing research, Anthony Pearlgood, chairman of British Security Industry Association (BSIA)’s information destruction section, commented: “It’s important to remember that if confidential information does fall into the wrong hands, it not only causes problems for certain individuals or businesses but there is also the time and inconvenience involved in contacting the authorities and sorting out paperwork once a security breach has occurred. Moreover, as this research shows, data breaches often occur from inside an organisation, meaning it is extremely important that staff are adequately vetted before gaining access to sensitive information.

“Only a fraction of organisational waste paper and data-processing products, such 
as hard drives, CDs, memory sticks and 
DVDs are destroyed annually by professional firms,” Pearlgood added. “By far, the majority of such material continues to be disposed of through means of municipal refuse collection or waste paper reprocessing.

Avoidable risk
“Neither method generally involves any kind of secure handling. However, it is not uncommon to find much confidential data included amongst general waste, becoming 
a significant cause of avoidable risk,” Pearlgood continued. “It is not surprising in these circumstances that the rubbish bin is E
F a regular source of prosecutions under the Data Protection Act, just as it has long been a core element of the private detective’s trade.”

Although these figures do relate to businesses, it does not mean they are any less relevant to educational establishments and, coupled with the startling statistics revealed by BSIA research last year, the education sector should be prioritising information destruction as part of their security strategies.

Negligent attitudes
A BSIA survey of head teachers, deputy heads, teaching staff, bursars and administrators from nearly 100 schools across the UK last year proved concerning, with attitudes to sensitive disposal appearing somewhat negligent.

One-third of those answering the school survey reported that they had not received training or guidance regarding data protection issues, while 79 per cent also felt that the threat posed by lost or inadequately disposed of data had either increased or stayed the same over the previous year.

Worryingly, only 34 per cent of responses confirmed that they used a professional information destruction company; the remaining 66 per cent either did not use one or were unsure of whether they did.

Discussing the findings and statistics, 
BSIA’s Anthony Pearlgood felt that “the 
results of this survey serve to underline the fact that educational establishments need 
to place a renewed focus on how they deal with information destruction.”

He continued, “Given the repercussions when things go wrong, it is imperative that this process is handled in a professional manner and, where it is being outsourced, 
that searching questions are asked to ensure that any provider is actually working to the pivotal EN15713 standard.”

Committed to data protection
Careless disposal of student and staff records, or financial documents, can be detrimental to an establishment. And, if placed in the wrong hands, opportunists can find ways of using the information to their advantage. Consequently, it would not just be the immediate repercussions that a school would face if 
their data security had been breached.

Non-secure disposal of data can also lead to long-term damage to a school’s reputation, painting it in an inevitable negative light. Therefore, it is a key responsibility for educational establishments to enlist a professional and trusted provider to dispose 
of this kind of information.

Penalty fines
Since the Data Protection Act of 1998, which aims to balance the rights of the individuals and organisations who are legitimately holding and using their information, proficient information destruction procedures carry great importance to all kinds of institutions. The government particularly recognises the significance of this responsibility and in 2010 the Information Commissioner’s Office was given additional enforcement powers resulting in them being able to issue penalty fines of up to £500,000 in the case of a data breach.

Information destruction itself ensures the secure disposal of information in all of its different forms. This ranges from paper, credit cards, SIM cards and media equipment with important information on, such as CDs, DVDs, hard disks and hard drives. It also includes the destruction of branded products like uniforms, which, if retrieved by the wrong person, could pose a great risk to a school. All of these types of confidential materials are then destroyed, either on-site or off‑site, to the extent that they may never be reconstructed. The customer should then be provided with a full audit trail, which includes a certification of destruction.

Meeting the standards
Many professionals who are responsible for securing information destruction companies may not be aware of the fact that there are particular standards these companies should meet. Such standards guarantee that the service being provided is secure and professional, another essential requirement 
of the Data Protection Act.

One of these standards is the key European standard for information destruction, EN15713. This standard includes a range of requirements that an information destruction company must meet, such as having an administration office on-site where records and documentation are kept for conducting business. The company’s premises should also be isolated from any other business or activities operating on the same site.

In terms of security measures, intruder alarms that are closely monitored by an alarm receiving centre should be installed on the property and CCTV should be placed at the points where the unloading, storage and processing of information is conducted. The vehicles that transport the information due to be destroyed should also be fully secure.

A British standard these companies should comply with is BS 8470. This details the secure destruction of information and includes the identification of product specific shredding sizes, guaranteeing that information is destroyed to the point of irreparability.

BSIA information destruction companies 
are inspected to both of these standards, amongst many other important principles, making them reliable service providers.

Sourcing a respectable supplier
When it comes to school security, there is no room for complacency, particularly when it comes to sourcing a reliable information destruction provider. When choosing a BSIA information destruction company, you can 
rest assured that your information is in safe hands, with all BSIA companies complying with the highest standards.

The information destruction section of BSIA is committed to best practice, and all follow a specific code of ethics that solidifies the section’s dedication to providing the best service for their customers. One particular aspect of their code that will be especially important to educational establishments is that of environmental responsibilities.

Today, all kinds of organisations, especially schools, are mindful of their carbon footprint and endeavour to be seen as environmentally responsible. The BSIA’s information destruction section is also particularly conscientious of their environmental responsibilities. A member will, where feasible, recycle material that has been destroyed or shredded. In cases where the end product cannot be recycled, the environmental impact, cost and convenience of other methods of waste disposal (such as incineration) would be taken into account.

In terms of landfill, this method will only be used when no other method of disposable is practicable. Members of BSIA’s information destruction also commit to review all aspects of their business including transport, production, administration and sales in relation to the environment.

Further information
To find out more about BSIA, the trade association covering all aspects of the professional security industry in the UK, visit www.bsia.co.uk. To locate a professional information destruction service near you, visit 
www.bsia.co.uk/information-destruction