When destroying information is the law

It’s been ten years since the Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect, stating all businesses must erase or destroy confidential data that is no longer needed. And despite the most recent high profile alarms over data security by international leaders, many businesses and organizations still fail to adequately protect client and employee data. This problem is about to be addressed ...

A recent survey conducted by Shred-it revealed that only 50 per cent of Canadian companies use information destruction services as a direct result of government regulation and only 68 per cent of organizations have official guidelines for document destruction (Shred-it’s 2009 customer research). As data leaks and security breaches hit the headlines, it’s inevitable that more stringent legislation will follow, as is the case with the anticipated amendments to PIPEDA. In light of this, what actions should businesses take to ensure complete compliance of security standards?

Proposed amendments to PIPEDA, known as the Safeguarding Canadians’ Personal Information Act, are currently going through Parliamentary approvals. Companies at risk of security infringements will be forced to disclose the occurrence of security breaches to both the Privacy Commissioner and to the individual affected, “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” While this bill is not the panacea for information breaches – unlike similar legislation in the U.S. this bill does not identify clear penalties for non-disclosure – the additional transparency will force organizations to improve the way they handle and store data, ensuring systematic procedures are in place for destroying confidential information, which is good for businesses and consumers.

Small businesses that operate without an HR function or a secure, central location for storing important employee records are particularly vulnerable to security threats. Implementing a simple document destruction policy is not complicated, but it does require disciplined execution – a “lather, rinse, repeat” approach and for management to regularly communicate the explicit need for rigour.

Even organizations with a Human Resources function face security threats on a daily basis and should be especially mindful of breaches or leaks. This ever-present threat has led to debate over whether organizations should rethink the amount of confidential information they place on their networks. HR personnel in particular have direct access to confidential information and are entrusted with ensuring that all files are stored under password-protected computers, lock-and-key cabinets and to regularly destroy documents that are no longer needed. The more confidential materials these departments have on file, the greater the risk of security breaches. Since HR professionals are responsible for the lion’s share of employee training deliverables in any organization, it falls upon them to ensure staff are aware of company data destruction policies and to keep staff up-to-date when changes arise.

The lack of a formal information destruction policy within any type of business should be of real concern to management. In today’s world, businesses have both a moral and legal responsibility to protect both their clients and employees privacy and information security. While the benefits of good data security will inevitably go unnoticed – after all, it’s only when a breach occurs that flaws and gaps are uncovered – good data management is critical to the success of virtually any business. To minimize risk exposure all organizations whether large or small need to take ownership of data security and destruction, designating a lead to ensure that their business is protected by protecting the information they hold.


Be Secure: Guidelines to Help Prevent Security Breaches

How does your business rank when it comes to matters of data protection? To ensure that sensitive data will not fall into the wrong hands, follow these steps:

1. Identify Security Gaps: Conduct a security audit of your business’ security practices while keeping these questions in mind:
•     Are there current procedures in place to properly secure or destroy sensitive data?  If so, what are they?  
•     If security gaps are present, where do they lie?  

2. List Security Gaps: List all potential risks specific to your organization. Some questions you should consider include:
•     Are sensitive HR documents, such as employee records, only accessed by authorized personnel?
•     Are there discrepancies between the security procedures involving print versus electronic documents?
•     Are employees currently trained to dispose of paper waste using appropriate receptacles?

When compiling the list, remember to include both paper-based and electronic information sources. Also be sure to consider every stage of the information cycle, from data generation to document destruction.

3. Working from Home: When employees must work from home, staff must be told to limit the printing of hardcopies and/or transferring sensitive information onto personal devices such as laptops or USB keys. Employees should also refrain from throwing information out in garbage cans, recycling bins and/or dumpsters.

4. Addressing security gaps: Create and develop a rigid security policy for your organization. Always remember to place sensitive information in secure areas and under password protection with limited access by employees. Delete or destroy all other data that is no longer required and be sure to keep hard copies of confidential data under lock-and-key, for example in locked desk drawers or filing cabinets. Follow the document life-cycle and implement company-wide policies that ensure all employees regularly destroy confidential documents using professional third-party services. Certified document destruction services will not only make sure your company’s data is shredded and disposed of, but that it is also stored in appropriate receptacles and recycled.


Michael Skidmore is the Privacy & Security Officer at Shred-it. If you are interested in a full Data Security Audit from Shred-it, call 905-465-4288. Shred-it is a world-leading information security company providing document destruction services to ensure the integrity of private information. With 140 locations in 16 countries worldwide, Shred-it works with over 150,000 global, national and local businesses, including: the world’s top intelligence and security agencies, police forces, hospitals, bank branches, as well as university and college campuses. For more information about Shred-it and its services, please visit www.shredit.com