Of course, the statement above builds on the point that data
controllers cannot transfer regulatory responsibility to the service
provider, which is documented in Chapter 1: Data Protection Regulations.
Customer Misconception #7:
No Need for Written Information
There is a good reason Chapter 7: Information Disposition Policies
and Procedures is dedicated strictly to advising data controllers
on how to create their internal operating manual for destroying
obsolete media and information. That reason: the law requires
them to have one.
That point is first emphasized on page 14 of Chapter 1: Data
Protection Regulations, where it states:
Written Procedures and Employee Training
HIPAA, GLB, and FACTA require an organization to have
written information protection policies and procedures.
Again, it is easy to understand the logic. Not only are such
written procedures necessary to demonstrate internal
operational accountability, without them employee training
and guidance is non-existent from a regulatory standpoint.
It is clearly unreasonable to represent to authorities that
an organization can provide a reasonable level of direction
to employees without written procedures.
In fact, the absence of adequate written policies and
employee training are the two most frequently cited
reasons for regulatory penalties associated with data
security violations. On the other hand, having and
implementing such written procedures insulates an
organization from the worst consequences of a violation.
And, while the book includes the actual regulatory language
specifying the legal requirement to have written policies and
procedures, it also provides examples of what can happen if there
is a breach and such written policies are not available.
The following can be found on page 137 of Chapter 7: Information
Disposition Policies and Procedures:
The following excerpt is taken from the press release
by the Massachusetts Attorney General in May of 2012,
announcing a $750,000 settlement stemming from the
improper disposal of protected health information.
“The allegations against South Shore Hospital in
the lawsuit are based on both federal and state
law violations, including failing to implement
appropriate safeguards, policies, and procedures to
protect consumers’ information, failing to have a
Business Associate Agreement in place with Archive
Data, and failing to properly train its workforce with
respect to health data privacy.”
…phrases like “failing to implement appropriate
safeguards, policies, and procedures” and “failing
to properly train its workforce” are among the most
commonly cited when regulators announce settlements
and sanctions related to data protection violations.
The book establishes beyond any reasonable argument that
written policies and procedures are required, that they are easy
to create (especially with the help of the book), and that not
having such procedures documented results in the highest fines,
whereas having them (along with training) practically insulates
the data controller from suffering a violation or of being found of
Customer Misconception #8:
Particle Size is the Only Thing that Matters
In Chapter 6: Secure Destruction Methodologies, the section
Process/Particle Size Standards, Guidance and Requirements, which
most directly confronts this misconception, starts on page 132:
In navigating their responsibilities, requirements and
options for information destruction, data controllers are
understandably interested to know if the materials they
wish to destroy are subject to a required particle size
specification. In truth, however, outside of government
classified NSI, where the data controller is legally bound to
a particle size, PHI and PII, the types of information most
organizations discard, are not subject to any prescriptive
regulatory particle size requirements whatsoever. (see
Reasonableness in Chapter 1). As for competition-sensitive
information, particle size preference is completely left to
the data controller, insofar as they are subject to no form
of regulatory obligation.
The section then goes on to describe how, in years past, when media
was destroyed in-house, particle size was the most critical issue,
and how, with the advent of outsourcing as the most common means of
data destruction, many other factors now equal or surpass particle
size in importance.