August 16, 2019
The UK’s data protection laws date back to 1998, way before GDPR or the new Data Protection Act 2018. The country has always had reasonably strong data protection laws in place, even before the recent shakeup in Europe and by the British Parliament. Data protection, therefore, has been a part of our culture for a while.
The purpose of the DPA 2018 is to ensure that companies dispose of data safely, fairly, and responsibly. It applies to any organisation, public or private, which collects sensitive information about customers, suppliers, or colleagues. Companies have a duty under the law to ensure that personal information does not fall into the hands of criminals.
When you think about it, this makes sense. Criminals could use the information that your organisation has about a customer or supplier to commit identity fraud. That fraud could then lead to a host of other issues and cause a person to lose their reputation or money.
At some point, organisations have to dispose of confidential data. The disposal part of the process is one of the most critical and dangerous since it is when information can fall into the wrong hands.
British courts have already fined organisations for violating the Data Protection Act, and it’s something that could happen to you if you fail to follow the correct disposal policy. Scottish Borders Council, for instance, was slapped with a £250,000 fine for dumping employee pension records into the public recycling bins at a local supermarket. Shoppers discovered the illegal activity and reported it to the Information Commissioner, who issued a fine.
The law states that organisations should destroy physical and electronic data repositories in a particular way. Confidential waste disposal, the law says, is vital for ensuring that data do not fall into the wrong hands. Organisations should not just put reams of confidential papers in supermarket paper recycling bins.
The Data Protection Act says that documents containing confidential information should be shredded to a particle size smaller than 320 mm². Shredding to this size makes it much harder for malicious actors to reconstruct the document and use it for fraud.
Shredding large volumes of documents is difficult for many companies, which is why many use a specialised confidential waste disposal company. Waste disposal companies follow their own set of regulations to ensure that they dispose of sensitive documents and destroy information before it can fall into the wrong hands.
The DPA states the following:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
As you can see, it leaves things pretty vague when it comes to disposal. Most organisations, therefore, take the safe route and get a professional disposal company to deal with waste management for them. It’s not worth taking the risk and getting fined. The fines can be enormous.