This article was published in Public Servant Magazine
The issue of how the State handles data relating to its private citizens is inevitably a highly politicised one. This is perhaps unsurprising given events in recent years including the loss by HMRC of computer discs containing personal details relating to every family in the UK with a child aged under 16. Besides instigating a media frenzy, such incidents have seen criticisms being levied at those in the highest levels of Government for the failure to ensure data handling processes used across the public sector remain watertight at all times.
Thus with a General Election in the offing the matter of protecting against data breaches, wherever they may occur, is prominent in public sector thinking from Downing Street downwards. The issue is unlikely to recede either as those newspapers determined not to back the Brown administration at the polls in 2010 look to seize upon any perceived mismanagement of citizens' information.
In the meantime, the progress of high-profile Government projects to develop information storage systems, including the transferral of millions of health records online as part of the already much maligned NHS IT upgrade project, create new challenges. Destroying securely the huge amounts of paper-based records set to be rendered obsolete by this project poses an information security challenge in its own right and one which should not be taken lightly.
It's hard not have sympathy for the public sector challenge. No private sector business has, or is ever likely to, hold confidential information in such detail and volume as does the State. Almost every aspect of our lives is documented. Information held ranges from driving license and criminal record details to welfare benefit entitlement data and company registration records.
This naturally begs the question of how public sector managers should tackle the issue of ensuring the huge amounts of confidential information generated daily in their workplaces are destroyed securely to minimise the risk of a data breach potentially fatal to their organisations' reputations.
The answer is largely one of mindset. First and foremost public sector managers have a duty to ensure that they and their staff understand their collective legal obligation to protect confidential data relating to themselves, their organisation and the private citizens they hold information about.
The rules governing this responsibility are clear. Principle 7 of the UK Data Protection Act demands that confidential documents remain the responsibility of the organisation which created them right up until the moment they are destroyed. Thus handing confidential information to a third party does not absolve organisations from responsibility and provide protection from any possible fine levied by the Information Commissioners Office. The public sector has perhaps the greatest incentive to comply. Governments breaking their own rules rarely prosper.
Secondly, there is a clear need for managers to resist complacency and keep in mind the likelihood that whatever their current process and procedure for ensuring the secure disposal of confidential information, it will contain a flaw. Any process is only as strong as its weakest link and those currently in place should be continually reviewed and adapted to reflect changes in the workplace environment.
A clear need also exists for public sector managers to clarify in their own minds the key differences between the recycling of documents containing confidential information with secure document destruction. These terms are not synonymous and employing them interchangeably only heightens the reputational risks associated with a confidential data breach. While document destruction companies including my own do ultimately send material for recycling this is very much a secondary activity. The first priority is to shred material beyond reconstruction. Security is the order of the day. For a recycling specialist the opposite applies. The commercial focus of these businesses is on recycling, meaning that while the loss of just one piece of paper will not impact them, it could easily spark a major data breach issue.
Thankfully the solution to this entire challenge is a logical one. In the first instance managers must ensure all staff understand not only their legal obligations but are also clear precisely which information should be regarded as being confidential, with the security effectiveness of the document destruction process put in place by the organisation being regularly reviewed.
From experience the implementation of what my own industry calls a secure on site document destruction process usually holds the key. Documents, CD ROMs and USB sticks should be placed in a secure console the moment they are no longer needed. And where a third party is responsible for destruction, this should be carried out on the premises.
When this is complete, managers should expect to immediately receive a Certificate of Destruction. This document provides crucial legal proof that materials have been destroyed and leaves organisations no longer responsible for the data they contain. Only then should managers allow themselves the peace of mind which comes from knowing they are protected.