Associate Agreement in place with Archive Data, and
failing to properly train its workforce with respect to
health data privacy.”
… phrases like “failing to implement appropriate safeguards,
policies, and procedures” and “failing to properly train
its workforce” are among the most commonly cited when
regulators announce settlements and sanctions related to
data protection violations.
The book establishes beyond any reasonable argument that written
policies and procedures are required, that they are easy to create
(especially with the help of the book), and that not having such
procedures documented results in the highest fines, whereas
having them (along with training) practically insulates the data
controller from suffering a violation or being found negligent.
Customer Misconception #8:
Particle Size is the Only Thing that Matters
In Chapter 6: Secure Destruction Methodologies, the section
Process/Particle Size Standards, Guidance and Requirements, which most
directly confronts this misconception, starts on page 132:
In navigating their responsibilities, requirements and
options for information destruction, data controllers are
understandably interested to know if the materials they
wish to destroy are subject to a required particle size
specification. In truth, however, outside of government
classified NSI, where the data controller is legally bound to
a particle size, PHI and PII, the types of information most
organizations discard, are not subject to any prescriptive
regulatory particle size requirements whatsoever (see
Reasonableness in Chapter 1). As for competition-sensitive
information, particle size preference is completely left to
the data controller, insofar as they are subject to no form of
The section then goes on to describe how, in years past, when media
was destroyed in-house, particle size was the most critical issue, but
how, now that outsourcing is the most common means of data
destruction, many other factors equal or surpass particle size in
importance.
Later in the same section, there is a warning regarding the
dangers of turning to non-governmental particle size specifications:
Unfortunately, in the search for some direction on this
particle size, data controllers sometimes mistakenly interpret
and/or apply standards where they are unnecessary or,
worse, where reliance on particle size provides a false sense
of security. In any case, but especially when information
destruction is outsourced, the overall process is the critically
important factor. Particle size is simply one aspect of that
process. The problem with relying only on particle size
guidance is that the more important factors (the written
procedures, the training, the employee screening, the secure
staging, the custody transfer, the access control, and the
disposition of destroyed material) are often ignored.
Though it may sound a bit cavalier, if particle size were
the key to compliance, compliance could be met using
unscreened, known criminals on a vacant lot in the most
crime-ridden neighborhood in town.
The fact that no data protection regulation includes a prescribed
particle size is also the subject of discussion in Chapter 1, where the
requirements of each regulation are described in detail.
Customer Misconception #9:
It’s Okay to Store Records Indefinitely
At its worst, the conversation unfolds something like this:
Service Provider: “I would like to discuss your records
Data Controller: “That’s not necessary. We keep everything
And even though the data controller may not say it so blatantly, it is
common knowledge that many, if not most, companies don’t destroy
retained records when they have reached the end of their retention period.
Of course, this is bad news: for them, because it puts them at risk,
and for secure destruction services, because they are robbed of the
opportunity to properly protect their customers.
This risky misconception is confronted directly on page 56 of
Chapter 3: Records and Information Management Principles, in the
section titled Liability of Retaining Unnecessary Records.
The risks delineated within this section include Legal Discovery,
Adverse Inference, and Increasing Risk of Unauthorized Access.
In all, almost two pages of text describe in detail why the data
controller should not retain records longer than legally required.
It should be noted that the short conversation above, which characterizes
this misconception as an issue, also signals that the data
controller does not consider the daily flow of media as something