Shocking Study on Data Protection breaches

December 19, 2011

The National Association for Information Destruction (NAID) hired investigators to look through rubbish put out by law firms, chemists and hospitals in London to see if it contained personal information.

The instructions to the investigators were quite explicit. They were not to go to extraordinary lengths or breach any laws when examining the trash. They were hired simply to look in the bin to see what any passer-by might find. The fishing mission threw up scores of documents carrying the names of vulnerable hospital patients, details of personal prescriptions and even the case notes of someone with mental health problems.

NAID has refused to disclose the names of the businesses and organisations involved.

The exercise found that overall, 44 per cent of the institutions, each with a legal burden to protect personal information, were casually discarding personal information. Examples included:

A private hospital discarded the medical records of 70 vulnerable patients – including their names, addresses and details of their treatment.

Outside a top London law office, a 20-page document, detailing the case of a young woman with mental health problems and in foster care, was found on the pavement in a rubbish bag. All four of the law firms whose commercial waste was subject to investigation were found to have personal client details in their waste.

Outside a national chemist chain, rubbish was found to contain over 20 prescription labels including details such as patients’ names, addresses, and details of the medication prescribed. Some also included doctors’ names and dates of birth of patients.

Every business has a legal obligation to protect the confidential information it holds on its employees, customers and suppliers. Failure to do so can result in heavy fines or even imprisonment for the person responsible.

The Information Commissioner’s Office (ICO) is now able to fine businesses up to £500,000 if they lose individuals’ confidential data. This amount has been increased from £5000, to highlight the importance of data security, and to protect individuals from the threat of ID fraud.

The seventh principle of the Data Protection Act states that organisations must employ a data destruction service to destroy redundant confidential information, which can be in either paper or electronic format.

Using an accredited supplier that can destroy confidential material in a secure environment will give you peace of mind that your company and associates are protected against ID fraud.