With an endless list of competing priorities, information destruction in the education sector can often fall by the wayside. However, careless disposal of confidential information can have severe repercussions if data falls into the wrong hands, writes the British Security Industry Association’s James Kelly
New figures published by Cifas have revealed that identity fraud is on the rise. The statistics have been collected from 277 banks and businesses and show almost 173,000 recorded frauds in 2016, the highest level to date.
As organisations that collect and retain personal information, schools have an important role to play in preventing identity theft. Student and staff records, as well as financial data, pose an attractive target for criminals who can use this information to their advantage. The repercussions for the individuals involved can be severe and can include financial loss, credit issues, benefit losses, legal problems and stress.
Worryingly, not all schools are aware of, or place enough importance on, the security of their data. Research conducted by the BSIA to identify trends within the education sector found that some 66 per cent of schools were not using a professional provider to destroy information.
WHY IT’S IMPORTANT
Under the Data Protection Act 1998, everyone responsible for using personal data has to follow the data protection principles. These require that data is processed fairly and lawfully; obtained only for limited, specifically stated purposes; adequate, relevant and not excessive; accurate; kept for no longer than is absolutely necessary; handled in accordance with the rights of data subjects; kept safe and secure; and not transferred outside the European Economic Area without adequate protection.
Failing to abide by these principles can put a person’s information at risk which can lead to identity theft and fraudulent activity.
The seventh principle of the Data Protection Act requires an organisation to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, that data.
Where the destruction of confidential waste is outsourced, the Act requires the school, as data controller, to have a written contract with the company carrying it out, under which the contractor guarantees that every stage of collection and destruction is carried out securely and in compliance with the Act. Suppliers able to give that guarantee should comply with the European Standard BS EN 15713:2009 for the secure destruction of confidential material and with BS 7858 for the security screening of staff.
Failing to comply with the Data Protection Act could result in substantial financial penalties imposed on the school by the Information Commissioner, serious reputational damage and criminal prosecution of those found culpable.
THE IMPORTANCE OF EN 15713
“Schools need to safeguard the individuals that they hold data on by ensuring that documents are shredded by a reputable data destruction company. The same caution must also be taken with computer or laptop hard drives and any other items which could be used to identify or impersonate individuals,” comments Don Robins, chairman of the BSIA’s Information Destruction Section.
“Information destruction is vital to prevent identity fraud; therefore, if you don’t have the expertise, don’t take the risk,” adds Don.
An essential element of choosing an information destruction company is ensuring that it complies with BS EN 15713:2009. The standard matters to organisations of all types and sizes: it sets out recommendations for the management and control of the collection, transportation, destruction and recycling of confidential material, so that such material is disposed of securely and safely.
The BSIA’s Information Destruction section was a key player in the development of EN 15713 and helped to provide specifications on how the processes should be handled within the secure data destruction industry.
Essentially, EN 15713 ensures that companies providing data destruction services do so in a manner that gives end-users’ information the maximum practicable protection. The standard covers the key aspects of a data destruction service, from premises to personnel, and a company offering such services must meet all of these requirements to comply with it.
The standard requires that premises used for confidential data destruction have an administration office, isolated from any other business or activity on the same site, in which the records and documentation necessary for conducting the business are kept.
An intruder alarm installed to EN 50131-1 and monitored by an Alarm Receiving Centre should be present, and the premises should also have a CCTV system with recording facilities covering the unloading, storage and processing areas. CCTV images should be retained for a minimum of 31 days unless otherwise agreed with the client.
A written contract covering all transactions should exist between the client and the supplier, and any sub-contracted work should only be allocated to other companies compliant with EN 15713; the client should be told if any sub-contractors are used. All staff should be screened in accordance with BS 7858, the code of practice for the security screening of individuals employed in a security environment, and should sign a deed of confidentiality prior to employment.
Confidential material should remain protected from unauthorised access from the point of collection to complete destruction, and should only be collected by uniformed, suitably trained staff carrying photographic identification. Where shredding takes place away from the customer’s site, destruction should be completed within one working day of the material’s arrival at the destruction centre.
There are also a number of requirements relating to vehicles used to collect and transport confidential material, or to destroy it on a customer’s site. These include the ability to communicate with the home base by radio or telephone, to be closed and locked or sealed during transit, and to be immobilised or alarmed when left unattended.
PROCUREMENT AND GUIDANCE
The BSIA’s Information Destruction section has produced a comprehensive, step-by-step guide to help end-users navigate and understand EN 15713. It provides a full list of the requirements that information destruction companies should meet to comply with the standard, and offers additional recommendations on areas of best practice that are not requirements under EN 15713, to help end-users make informed decisions when procuring or renewing information destruction services.
Using the information in this guide, along with the section’s other publications, which include a guide to the Data Protection Act for end‑users, can help schools understand their obligations for good data management. The freely available material published by the section can help schools that have concerns about their current confidential information destruction procedures.
Schools can also find a range of information to help them comply with the Data Protection Act on the Information Commissioner’s website (www.ico.org.uk).
The BSIA’s Information Destruction section consists of companies that securely destroy a range of confidential information, including paper, DVDs, computer hard drives and other items that could potentially cause problems if they fell into the wrong hands, such as branded products and uniforms.
All members of the BSIA’s Information Destruction section are compliant with EN 15713 as part of their ISO 9001:2008 inspection and are committed to promoting best practice within the industry.