Information Disposition’s Most Common Misconceptions (Part 1)



The first of our two-part series clarifying data destruction misconceptions that put organizations at risk.


1) Storing records for longer than required is safer.


Most organizations retain stored records far longer than needed. Sometimes that is the result of apathy, which is bad enough. Sometimes, however, it is intentional, under the mistaken belief that it is better to have the records available "just in case."


The Reality: Retaining stored records for longer than needed 1) undermines the organization's own records retention policy, 2) increases the window in which the personal information they contain can be accessed without authorization, 3) enormously increases the volume and complexity of legal discovery, and 4) violates newer privacy regulations that forbid retaining personal information longer than is needed for the purpose it was collected for.


Instead, stored records should be destroyed annually according to the records retention schedule. The same applies to unused electronic equipment, which holds records just as a box of paper does.


Important Note on Final Removal Fees: Too many organizations resist good record retention compliance to avoid the onerous final removal fees assessed by commercial records centers.

If this is you, there are two options.


Option 1: Pay the fee! It was agreed to when the organization signed the contract, and it is not going to get any lower in the future; many commercial records centers have already raised theirs. Postponing the pain to a future budget will only cost more, however you dice it, while creating and compounding all the problems discussed above.


Option 2: Push back! There is precedent for organizations negotiating final removal fees down or eliminating them altogether. And now that regulations take issue with retaining personal information longer than can be justified for business use, a recent increase in removal fees, or a fee structured as an unnecessarily usurious obstacle to compliance, could be the basis for a legal protest.


2) As long as I have a Certificate of Destruction, I don’t have to worry.

At its worst, the comment accompanying this misconception goes like this: "I don't have to worry whether the destruction vendor does what they say. Once they give me a Certificate of Destruction, I am off the hook." The tamer version is, "The Certificate of Destruction is my proof that it was destroyed." Neither is correct.


The Reality: The only thing a Certificate of Destruction establishes is that a destruction event happened. Unless both parties have agreed beforehand on an itemized list of the contents, it does not prove what the service provider actually accepted. That is not to say the service provider should not overtly attest to the transfer of custody and to its fiduciary obligation to destroy whatever media it accepts. It simply means organizations need to understand that 1) a suitable-for-framing document attesting to each destruction event is not what matters, and 2) the Certificate of Destruction should never be treated as proof that a particular document or hard drive was destroyed.

Instead of relying on a Certificate of Destruction, be able to clearly demonstrate that your firm conducted appropriate vendor selection due diligence. When proof that a specific item was destroyed is needed, get mutual agreement on a carefully itemized manifest of what is being destroyed before it leaves your custody. For hard drives, always get mutual agreement with the vendor on an itemized list of the drives destroyed (for example, by serial number), so the certificate can be matched back to the assets you handed over.


3) All we need to do is provide employees with a destruction option.


Many organizations believe that providing collection containers for confidential information (paper or electronic) is all that is needed. Under this misconception, containers are deployed within the office or across the campus, and the employee is instructed (often verbally) to deposit anything that should be destroyed.


The Reality: The problem here is twofold. First, in this scenario the employee is typically not aware of the organization's compliance requirements or the consequences of not meeting them; second, the employee is given complete discretion to decide what does or does not require destruction. While the former (lack of training) is, in and of itself, a violation of data protection regulations, the latter (allowing employee discretion) is a breach waiting to happen. The organization is putting its entire compliance profile in the hands of employees who may have had a bad night, could be rushed, or simply don't take the risk seriously.

Instead of simply providing collection containers, the organization should also set a policy requiring ALL discarded paper and electronic media to be destroyed, removing the judgment call entirely. The small additional charge for destroying material that may not be confidential is more than offset by eliminating the risk and the cost of maintaining two waste streams. Additionally, employees should sign off on written data disposal instructions, acknowledging that their continued employment is in jeopardy should they ignore their responsibility.


4) Collection containers are security receptacles and the point at which custody transfers to the service provider.

This may not be as much a misconception as an oversight. Many clients treat their collection containers as though they are more secure than they are. This can lead to containers being placed in high-risk areas, such as unattended lobbies or publicly trafficked corridors. The problem is only exacerbated by the belief, held by too many, that the container is also the point at which the service provider becomes responsible for the materials in it.


The Reality: The service provider supplies the collection containers as a convenience for isolating materials destined for destruction. They are not vaults and should not be treated as such. Their security is a function of the security of the office itself, and custody does not transfer to the service provider until its personnel physically take possession of the contents. The container's job is to segregate the materials and keep prying eyes and passersby from accessing them.

The solution is to make sure collection containers are not placed in public areas or in areas left unsecured when no one is around. It is worth noting that heavy-duty security collection containers are available for purchase when a location genuinely requires them.


5) We don’t have any paper; everything is on computers now.

Some people working in organizations that have converted to a digital environment consider themselves paperless. Their forms are electronic. Their communications are largely electronic. The records that must be retained are now sent to the cloud instead of the warehouse.

The Reality: While all of the above is increasingly true, very few organizations have completely weaned themselves off paper. Take healthcare, for instance: the HITECH Act of 2009 strongly encourages conversion to electronic records, and while less paper is going onto shelves, the amount of paper generated is still significant. And while the share of paper is certainly going down, what is still being printed (e.g., emails, forms, reports, drafts) or arriving by mail tends to be the more sensitive material, and it still requires secure destruction.