Document Management: The Key to Information Security in the Workplace
Last year a stack of private documents was discovered in a garbage can behind the Samaritan Family Medicine Resident Clinic in Corvallis, Oregon. A passer-by went to throw away some tissues and discovered papers that looked suspiciously important. Turns out they were medical records belonging to the clinic. A cleaning person had mistakenly put them into the garbage can.
While it’s not clear what personally identifiable information was exposed exactly, the security incident called into question Samaritan’s handling and storage of medical records – and an apparent lack of document management best practices.
Why were the documents in a garbage can? How many unauthorized people saw the information? How are other medical records managed in the office?
Of course, data breaches occur for different reasons. The 2014 Ponemon Institute Cost of Data Breach: Global Analysis reports that a malicious insider or criminal attack is the primary root cause. But employees make mistakes and expose information too (like the cleaning person at Samaritan).
Paperwork and computers record pretty much every transaction made by a business. So keeping this information organized, accurate, and secure is key to protecting the confidential information it contains.
Here are essential elements of document management best practices.
All companies that handle confidential information should be aware of new, revised and existing privacy laws and legislation that pertain to their industry. Safeguarding information is important, but there are also regulations around how long certain information must be kept on file. There are penalties and fines for non-compliance.
Workplaces should have an Information Security Policy with company-wide support. It should include a Clean Desk Policy and a Mobile Workforce policy that provides information security guidance on and off site.
Access to information.
All documents should be reviewed and rated for how sensitive the information they contain might be. Then, limit access to personnel who need the information to do their jobs. There should be confidentiality agreements with vendors, suppliers and employees.
Clearly label documents by the information they contain, how long they need to be kept on file, and the date when documents can be destroyed. Use a simple and consistent method for document organization. This infographic shows the security risks of traditional paper handling in the workplace.
Whether on-site, off-site or cloud storage is used, the goal is to keep sensitive information secure and locked away. For documents that are no longer needed, a reliable document shredding partner should provide locked consoles in convenient high-traffic areas in the workplace. Each employee should also have at least one drawer that locks for confidential information.
Your shredding services provider should have a secure chain of custody that includes locked containers, on- or off-site shredding, and a Certificate of Destruction for legal proof after every shred. Consider a shred-all policy so all documents that are no longer needed are securely shredded. This removes any risk that employees might make the wrong decision about whether or not information needs to be destroyed. Speak to the document destruction company about e-media and hard drive destruction too.
This four-part Document Management e-book can help you create and implement document management systems in your workplace.