Later in the same chapter, the discussion resumes on the
destruction of incidental records:
Disposition of Incidental Records
As previously defined, incidental records are those with a
lifespan limited to their immediate usefulness. Common
examples include memos, reports, surveys, drafts of
correspondence, and flawed copies of forms. From a RIM
perspective, the most important thing to remember is
that they are as much an official record as those retained
formally. Failure to identify incidental records and develop
written procedures for their proper disposition is inconsistent
with regulatory compliance and RIM best practices.
Due to their nature, no internal authorization is required for
the disposition of incidental records.
As with all the examples, I am providing only a couple of samples of
the type of education provided in the textbook that make the point.
Information dispelling the misconception – or in this case omission
– regarding the need to destroy incidental records is woven throughout
much of the book.
Customer Misconception #4:
Recycling is an Adequate Method to Achieve
Secure Information Destruction
Of all the misconceptions that put clients at risk and minimize the
role of service providers in protecting clients, mistaking general
unsecure recycling for secure destruction is among
the most disturbing.
As Information Disposition explains on page 125 of Chapter 6:
Secure Destruction Methodologies:
Reducing paper media to pulp is a very thorough method
of destruction. However, because the process is most
generally available only at large-scale paper mills, where
data protection is not mission-critical, the overall process
lacks the necessary security controls. The pulping process
performed at paper mills, therefore, falls far below the level
of security that would be considered minimally reasonable
by data protection compliance standards. Those attempting
to convince customers that large-scale pulping operations
are suitable for providing secure destruction are either
hoping to play on client ignorance or demonstrating their
own lack of knowledge. While there are instances in which
data controllers have been tempted or tricked into accepting
pulping as a method of destroying paper media, it is not
appropriate without the proper employees screening,
training and acknowledgements, access control, acceptance
of fiduciary responsibility, written data protection policies
and procedures, or contractual linkage to security or
Electronics Recycling: Thankfully, on the whole, most customers
realize paper recycling does not provide adequate security or
regulatory compliance, and so, it remains less of a misconception
than in past decades.
On the other hand, there are still organizations that look to basic
computer recycling to meet their data protection requirements;
they are not even thinking of data protection as their primary
imperative when they dispose of obsolete IT equipment.
For instance, a few years ago, the Toronto Sanitation Department
ran a television advertisement advising residents to put their old
computers at the curb for collection. When the Information and
Privacy Commissioner of Ontario discovered this, the ad was pulled
immediately. The point is, the security (or vulnerability) of the
personal information on those computers was not even a
consideration for sanitation officials. This same mentality is
apparent in business as well.
Of course, as discussed earlier, the importance of vendor
qualifications, which need to factor heavily into selecting a data
destruction vendor, is stressed throughout the text of the book. In
addition, and more specifically, the detailed quality control
measures related to computer recycling companies, as outlined on
page 122 of Chapter 6, are critical:
Quality Control for Electronic Erasure Processes
Because neither overwriting nor degaussing change the
appearance of the media to which they are applied, quality
control procedures are critical to ensure the reliability of
Quality control starts with written procedures describing
the steps and flow of materials through the stages of
the process. Written procedures 1) demonstrate that due
diligence has been afforded the process, 2) provide for the
appropriate training of qualified technicians to comply and
conform to the instructions, and 3) establish a method of
organizational and individual accountability.
The section goes on to outline in detail the steps and measures to
be employed in a defined quality control publication.
Any service provider looking to impress the importance of
vendor qualifications and quality control, in order to confront the
misconception that recycling is a legitimate option, will find plenty
of ammunition in Information Disposition.