Keeping a watchful eye on data

Information destruction in the education sector can often fall by the wayside in favour of other security priorities in schools, such as the protection of valuable on-site equipment and the security of the staff and students themselves. Careless disposal of student and staff records, or financial documents, can be detrimental to an establishment and, if the information falls into the wrong hands, opportunists can find ways of using it to their advantage. Here, James Kelly, Chief Executive of the British Security Industry Association (BSIA), discusses the ever-increasing importance of secure information destruction.

Why is information destruction important?
As a nation, the UK is becoming increasingly aware of personal privacy, meaning that there is greater scrutiny of any organisation’s performance in relation to information destruction. A recent example of this was when security was breached at NHS Surrey, after computers containing confidential files were sold on eBay without the hard drives being wiped or destroyed securely. It was one of the biggest security breaches ever witnessed by the now-dissolved NHS Surrey, all due to the handing over of old computers to a new service provider who was not compliant with essential standards.
    
Adam Chandler, Chairman of the BSIA’s Information Destruction Section, comments: “Organisations tend to ‘turn a blind eye’ when it comes to selecting an information destruction service provider. The dangers associated with doing this were highlighted perfectly recently, when the Information Commissioner’s Office (ICO) issued a £200k fine to Surrey NHS for engaging with an unapproved supplier who was promising a cut price job for the value of the material they were supposed to be destroying. In this case, it was computer equipment – some of which ended up on eBay.”

While this applies to the healthcare sector, a lesson can still be learnt for all other sectors, highlighting just how crucial selecting a quality information destruction supplier is.
    
Information destruction itself ensures the secure disposal of information in all of its different forms. This varies from paper to media equipment such as CDs and memory sticks. Branded products such as uniforms also need to be discarded, as they could pose a security threat to an educational institution if retrieved by the wrong person. These materials should be destroyed either on-site or off-site, to the extent that they may never be reconstructed. The client is then usually provided with an audit trail and a certification of destruction for their reference.

Worrying statistics
In 2012, the BSIA conducted some research in order to discover trends within the education sector with regard to information destruction. Worryingly, statistics surrounding data protection in education showed that some 66 per cent of schools were not using a professional provider to destroy information.

As demonstrated by the NHS, sourcing an unreliable supplier can have harrowing effects on an establishment’s reputation.
    
Survey results also showed that the most challenging material for schools to dispose of was paper, closely followed by data processing media such as CDs and DVDs. Out of the 100 schools across the UK that were surveyed, 79 per cent expressed that their biggest concern was the safe disposal of student records. Financial data was some way behind with 11.5 per cent, and staff details stood at a mere 5.2 per cent.

There can sometimes be a question mark over who is responsible for ensuring the discarding of confidential documents in educational institutions.

When asked about his experiences with information destruction in the education sector, Anthony Pearlgood, a member of the BSIA’s Information Destruction Section, stated that: “Only a small fraction of organisational waste paper and data processing products such as hard drives, CDs, memory sticks and DVDs are destroyed annually by professional firms.
    
“It is important that key decision makers do not make these choices lightly, and are sure to source a reputable supplier that meets the relevant standards,” he added.

What are the standards?
There are particular standards that need to be adhered to by companies that are responsible for information destruction. Such standards guarantee that the service being provided is secure and professional, an essential requirement of the Data Protection Act. Failure to abide by these requirements can result in a hefty fine from the Information Commissioner’s Office.
    
EN15713 is one of the key European standards for information destruction and this includes a range of requirements that an information destruction company must meet to guarantee a reputable service. These requirements range from having an administration office on-site where records and documentation are kept, to having premises that are isolated from any other business or activities that operate at the same site. Intruder alarms and CCTV should also be present, especially in areas where unloading, storage and processing of information are conducted.
    
BSIA Information Destruction companies all meet this essential standard and are also required to comply with BS 8470, a British standard which includes the identification of product-specific shredding sizes, guaranteeing that the information is destroyed beyond recovery. More information about these standards can be found on the BSIA’s website.

Looking ahead
The BSIA’s Information Destruction Section recently appointed Adam Chandler as its new chairman. Looking ahead to the next year, Adam aims to continue the section’s key goal of educating customers on instances when they are most at risk of fraud and how the improper use of confidential information contributes to an increase in identity theft crimes.
    
Discussing his aims for the next year, Adam comments: “The commitment of BSIA members to best practice enables us to help our customers at a time when their businesses are most at risk from fraud.
    
“Almost any kind of personal information is valuable to criminals, whether it is residents’ records, financial reports, payroll information or personnel data. The unlawful use of such information contributes to an explosion of identity theft crimes and could put the institution, customers, or even suppliers, at risk.”
    
As the new section Chairman, Adam’s first port of call was to review the section’s strategy for the next year. “Like all sections, we are currently reviewing our strategy for the next two/three years and, as always, one of the key issues will be to deliver excellent value for our members and maintain the BSIA Information Destruction Section’s position as the leading association in our sector. As such, we are constantly looking for ways to improve standards and raise our profile,” explains Adam.

Challenges
Whilst the aim is to deliver a quality service, there will always be challenges facing the information destruction sector.
    
“Our members are operating within an extremely competitive marketplace, where a unique combination of conditions continues to be felt,” he says. “Firstly, the contraction of the market due to the recession resulted in huge declines of ‘paper in’ volumes, and that naturally feeds through to ‘paper out’, which directly affects the market available to our members. Secondly, and more than likely related to this decline, the value of recovered fibre peaked a couple of years ago but remained unusually high for an extended period.
    
“Consequently, the temptation of high paper values has attracted service providers into our market that do not necessarily hold all the correct accreditations, along with the systems and processes that impinge on that provider as a result. Of course, in very difficult trading conditions, some organisations might be tempted to ‘turn a blind eye’ when it comes to selecting a service provider in our sector.”
    
As such, key decision makers in educational establishments should be aware of these new developments in the market and ensure that they are absolutely certain that their chosen supplier meets all the correct accreditations.
 
Compliant Providers
Adam is keen to educate organisations on the value of making sure they choose a compliant provider to safely dispose of confidential documents. The market is being driven down at the cost of security, meaning companies are happy to take a risky approach to the procurement of data destruction services, even knowing the consequences of a data breach. However, it is absolutely not worth taking a chance on a non-compliant provider for the sake of cost savings. The risk isn’t always worth the reward.
    
Previously the Information Commissioner’s Office has been able to issue penalty fines of up to £500,000 for data breaches; this practice will continue to be implemented as it has proved to be a positive influence on the market, helping to make organisations aware of the importance of secure information destruction. Adam comments: “There has certainly been an increase in the awareness of the necessity to enforce rigorous policies and procedures with regards to processing and destroying confidential data, particularly in the public sector where more of the high profile breaches and fines have occurred.”