By Ann Sellar, business development manager, Destruction Services at Crown Records Management
When we think of data breaches we tend to think about lost or stolen paperwork; but in reality this is rarely the case. In fact information can be taken from computers, laptops and USB sticks – and it is estimated 80% of data breaches stem from human error.
How businesses dispose of these items should therefore be a high priority. Increased legislation helps guide business in best practices; however, every day we see fines levied against companies who have not managed their records effectively. Data breaches are usually unintentional breaches made by individuals so it’s about taking the appropriate steps to avoid them.
Implementing stringent processes, such as those detailed below, will ensure companies’ data is managed and disposed of securely in a fully compliant manner:
1. Human error – ensure all staff are educated Data breaches can be mitigated by ensuring staff know what is expected of them and understand the consequences of failing to protect sensitive data – it’s about reducing human error. This responsibility extends to temporary staff just as much as to permanent staff.
Make training fun and simple to encourage engagement. Check each employee has understood by running a short quiz and asking staff to sign a document to confirm they have understood.
Appointing information champions who have a good understanding of the field can also be helpful, so that individuals within an organisation know who to go to with any queries or concerns.
2. Data Protection – review your policies regularly Data protection policies should be up to date and comply with current legislation. Policies should be reviewed in line with business changes, for example, following accreditation to 27001. A regular programme of training which includes frequent refresher sessions is vital as the legislation and rules on handling data can be subject to changes.
3. Sensitive Data – store safely and restrict access Ensure all paper files and media devices containing sensitive information are stored securely either on site or with a third party. Take regular back-ups of information stored on your computers and keep in a secure separate location. It is prudent to restrict employees’ access to sensitive data, giving access only to the information they need to do their jobs whether online or in paper form.
4. Data disposal – remove risk of confusion Implementing a “shred all” policy will remove any confusion staff may have over what is classed as confidential material, and eliminate the risk of human error. Data should also be wiped from electronic devices such as computers, laptops and USBs. All of which should be stored in locked containers or rooms while awaiting secure disposal.
5. Encryption and Password Protection – safeguard all electronic devices Passwords should be changed on a regular basis and staff aware of when to do so. It is best practice to ensure passwords contain a minimum combination of six to eight letters and numbers, using upper and lower case, in order to reducing the risk of the password being compromised. Encryption adds another level of data privacy. Encryption should be placed on all devices including mobile devices, back-up tapes and laptops.
Information management has moved up the agenda of corporations, governments and institutions in the modern world. So senior managers should establish stringent procedures governing the handling and secure destruction of information, as well as ensuring all employees are aware of their obligations and the potential consequences of data losses.
In this way, corporate data will no longer be viewed with fear but instead seen as a carefully protected corporate asset. It’s all about being aware of the power of memory.