08/06/2008
Confidential: clients’ identity
Simon Pearce, Chairman of the British Security Industry Association’s Information Destruction Section
The issue of identity theft is becoming an increasingly significant concern to individuals and businesses.
Recent government statistics have identified that the total cost of identity fraud has risen from £1.3bn in 2002 to £1.7bn in 2005. A contributory factor is that confidential waste is not being destroyed correctly and criminals are using corporate and personal details to commit fraudulent acts, such as acquiring false credit cards, passports, driving licences and withdrawing money from victims’ bank accounts. In 2003, Experian surveyed the waste from businesses in one high street and found:
- A travel agent discarded photocopies of passports with passport numbers, dates of birth and photos of customers.
- An educational establishment threw away full financial details of applicants on courses.
- A mortgage broker disposed of numerous completed mortgage applications containing full financial details of its clients.
- A PR agency binned its clients’ confidential PR strategies, embargoed press releases and bank account information.
Every year, businesses produce a huge amount of waste material. Yet only 150,000 tonnes of paper waste and data processing products, such as computer disks, are destroyed by professional information destruction companies. This represents only a small fraction of the total waste generated by the public and private sectors. Much of the waste is disposed of via municipal refuse collection or waste paper reprocessing, neither of which requires any form of secure handling. Confidential waste includes not only conventional paper-based records, but also computer records, CDs and disks. It is essential that these items are destroyed in such a way that personal or company data cannot be retrieved at a later date.
A recent incident highlighting the lack of awareness concerning information destruction was reported in national newspapers last January. A large hotel in the south of England dumped thousands of documents revealing the credit card numbers, phone numbers and signatures of guests in an open skip. These are the details most commonly used by fraudsters to steal identities and buy goods online or steal from bank accounts.
The hotel commented that the registration documents containing the private information were sealed in envelopes then placed in sealed boxes. The hotel reported that it usually places all confidential waste in sacks which are then destroyed; however, on this occasion the policy was not strictly adhered to. This is a stark warning that failure to comply with the Data Protection Act, to monitor procedures and to employ a specialist information destruction company can result in a great deal of negative press coverage at the very least.
All businesses are now expected to comply with the Data Protection Act (DPA). The Act was brought into force on 1st March 2000 to balance the rights of the individual and the companies who are legitimately holding and using the confidential information. All companies are responsible for any personal information held about their clients, which includes destroying personal information effectively so it cannot be used in a fraudulent act. The organisation and its chosen information destruction contractor are jointly liable for any breaches of the Act when dealing with personal or sensitive data. If a company is found to be negligent, liability extends to individual directors, managers and data controllers, who could face personal fines and the prospect of a criminal record.
Convicted firms could also be liable for legal costs and future spot checks to ensure compliance. It is therefore very important to emphasise good practice and demonstrate that all reasonable care has been taken to comply with the Act – including secure methods of information destruction. A guide to the Data Protection Act for the users of information destruction services has been produced by the BSIA and can be downloaded from www.bsia.co.uk/download.html.
The primary step businesses need to take is to assess their own security risk from identity fraud and other information crimes. The BSIA has produced an audit procedure to help with this process. The Security Waste Audit is available from the BSIA website at www.bsia.co.uk/shredding. Having completed the audit, businesses will be in a better position to identify their waste disposal needs and act accordingly. The following questions are posed to assess the quality of current procedures:
- Do you dispose of your paper records separately from your general waste?
- Do you know what happens to your company’s waste prior to collection?
- Are you aware of your responsibilities under the Data Protection Act?
- Have you drawn up information destruction procedures and are you satisfied that they are being carried out?
- Do you use an ISO 9001:2000 approved company to destroy your confidential waste?
- Does your contractor provide a certificate of destruction and a fully auditable trail to an approved standard?
- Would you like to see more secure recycling within your company?
To assist in ensuring best practice in the information destruction sector, a new British Standard is expected to be published during spring 2007. The new standard will be known as BS 8470 – Code of Practice for the Secure Destruction of Confidential Material. The BSIA’s own Code of Practice has provided the basis for this new standard.
The Code requires companies destroying confidential waste to meet a series of quality criteria, including:
- Security vetting all staff;
- Defining deadlines for disposing of waste;
- Specifying shred sizes;
- Addressing the security of vehicles delivering the confidential waste;
- CCTV monitoring the unloading, storage or processing areas; and
- An approved intruder alarm, which conforms to British and European standards and is monitored by an approved alarm-receiving centre.
Few companies have adequate in-house resources to provide an effective waste destruction service and it is often preferable to employ an external contractor. This ensures that the business meets the requirements of the DPA, that the waste is recycled and that company and client data do not fall into the wrong hands. When selecting an information destruction company, businesses should make the following essential checks:
- Ensure a contractor’s ability to provide a quality, audited service which is consistently in line with your requirements. BSIA companies must be registered to the quality system standard ISO 9001:2000, and adhere to the association’s code of practice, including measures for staff vetting.
- The contractor should have a comprehensive understanding of the Data Protection Act and be capable of giving advice on this topic.
- A contractor should be registered as a waste carrier with the Office of the Information Commissioner, which can be checked on their website at www.informationcommissioner.gov.uk.
- A reputable company will also provide a signed certificate of destruction for each completed batch and be aware of the need for a signed duty of care waste transfer note when waste is handed over for destruction.
Ensuring confidential waste is disposed of in line with all legal requirements relies on identifying your company’s needs and researching information destruction companies to ensure they meet all required standards, as well as holding the relevant documentation to prove these standards have been met. Then you can have peace of mind that your business’ information is in safe hands.
For further information on the BSIA, visit www.bsia.co.uk, email info@bsia.co.uk or telephone 01905 21464.