Despite the reported risks of data breaches and identity fraud there remain serious gaps in data disposal |
New research carried out on behalf of the Information Destruction (ID) Section of the BSIA (British Security Industry Association), to coincide with the recent Total Workplace Management event at London Olympia, underlines the fact that, despite the widely reported risks of data breaches and identity fraud, there remain serious gaps in how data disposal is handled by public and private sector organisations across the UK. One worrying statistic is that a third of organisations questioned are still relying on standard municipal waste disposal to deal with even the most sensitive of their information destruction needs, with all the dangers which that entails.
Significantly, the BSIA ID Section commissioned research shows that nearly 19% of organisations have been a victim of serious data fraud. Where such data breaches occurred it was noted by the respondents that half of these involved paper - demonstrating the need for effective shredding - and the rest were related to computer hard-drives. The loss of data from hard-drives is perhaps not surprising given the number of headline-grabbing cases in recent years, concerning breaches of patient information and customer details, and the sheer quantity of information that is now stored in this way.
In terms of how respondents viewed the threat posed by the loss of confidential information to their organisations, 79% of those who completed the survey felt that, over the past 12 months, the danger had either increased or remained the same. This shows that there can be no room for complacency where information destruction is concerned.
From the research it was found, worryingly, that only half of the organisations questioned are actually using a professional company to oversee the destruction of their confidential data, which is a surprising finding given the high level of risk that is out there. More concerning still is that within that number only 50% of those who have taken the step to outsource data disposal knew whether their provider actually complied with the European Standard EN15713. Crucially, the BSIA ID Section believes that this should be one of the first questions asked of any secure waste disposal business by a prospective customer.
The survey also sought to discover who within each organisation was responsible for compliance with measures such as the Data Protection Act. It was reported that in nearly 38% of cases it was the IT Manager who took the lead, followed by the Managing Director on 19% and the Facilities Manager on 16%.
Despite the changes in 2010 to the enforcement powers of the Information Commissioner's Office (ICO), in particular the ability to issue penalty fines of up to £500,000 to those who breach their Data Protection Act obligations, of those questioned under 41% were aware of this development.
Said Russell Harris, Chairman of the BSIA's Information Destruction (ID) Section: "Our research shows that much more needs to be done by organisations to protect themselves against the threat of data breaches and the potential for the loss of commercially sensitive information or details which could lead to identify fraud. A 'sticking plaster' approach is simply not good enough. We also need to ensure that organisations understand the measures which can be taken against them - such as fines - if they do not comply with the requirements of the Data Protection Act."
"For information destruction, as the survey shows, paper has to remain a key focus as, without the right management systems in place, it can so easily be discarded with less sensitive waste, leaving it open for use by criminal elements. Also, as we have seen, computer related equipment can be problematic if not handled correctly with tens of thousands of confidential records on a single hard-drive. It is obviously encouraging that a number of organisations are now turning to professional information destruction providers for assistance but not only should more be following their lead - a 50% take-up still leaves a serious gap in provision - but it is imperative that when doing so they ensure that such companies are working to best practice standards such as EN15713."