The Paper Trail
Our papery footprints are everywhere, we constantly leave reams of paper in our wake. Although we live in a internet-focussed age where increasingly more of our daily activities, transactions and queries are conducted online, this has not yet dramatically eroded the paper culture in which we live. Personal and business details are recorded on innumerable paper documents and filed. By law these confidential paper records have to be dealt with conscientiously and, once finished with, disposed of securely. This is where professional document destruction companies step in.
Why is the safeguarding of information given so much importance? Confidential business and personal information could be used fraudulently for monetary or commercial gain. Such information could include: records of business activities, plans, statistics, and correspondence; official documents; and personal information recorded on forms, receipts, and applications. Identity theft and corporate espionage are issues linked to document destruction, and they shouldn't be taken lightly. Discarding sensitive, confidential information carelessly can result in considerable legal and financial trouble down the line. The New Zealand Security Association (NZSA) website warns that "the skip is considered by business espionage professionals as the single most available source of competitive and private information from the average business". Simply recycling expired documents is no substitute for professional destruction either. Material to be recycled can sit for any length of time before being processed (here or overseas), and its security cannot be assured.
Code of Practice
The NZSA provides a comprehensive Code of Practice for the destruction of confidential material. In addition, the NZSA provides guidelines for businesses to follow to appropriately destroy confidential documents, emphasising the legal obligation a business has to safeguard this information through to its destruction. Most legal obligations to safeguard and destroy confidential information (especially of the kind held on behalf of someone else) centre around the Privacy Act 1993. The Alpha Security Services website gets straight to the point when it writes, "The Privacy Act has You in its Sight!". The Privacy Act is governed by 12 information privacy principles which guide how confidential information should be gathered, used, stored and released. Principle 5 deals with the security and storage of personal information, and outlines the responsibilities agencies have to prevent unauthorised access to confidential information (for example, by destroying it). It reads:
An agency that holds personal information shall ensure
(a) That the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against (i) Loss; and (ii Access, use, modification, or disclosure, except with the authority of the agency that holds the information; and (iii) Other misuse; and
(b) That if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information.
There are a wide range of individuals and organisations which need to destroy confidential information for their own reasons, or that may potentially be accountable be under the Privacy Act. These could include: individuals clearing an estate, or discarding of personal information such as bank and credit card statements, bills, or diaries; government departments, pharmacies, hospitals, accountants, lawyers; or anyone with confidential information that must not be revealed to nonparticipating parties.
Many institutions have their own policies governing the use and disposal of confidential information. Victoria University, for example, has an extensive Code of Ethics concerning the use of information garnered through interviews or other research. In particular the Code states that all interviews must comply with the Privacy Act, and that "personal information must be handled in a way which protects the confidentiality of the subjects and ensures the safe custody of data". Concerning storage and destruction, the Code is clear: "It is important that any confidential or sensitive material be kept in a secure and locked environment before it is destroyed and that subjects be told how personal material will be stored and for how long". Organizations such as universities may also have minimum lengths of time data must be kept in order to substantiate results of specific research.
Given the varied requirements of different agencies for the storage and destruction of confidential information, document destruction companies must be flexible and thorough in the manner that they collect, store, and destroy information. Most document destruction companies offer a bulk "clear-out" option where a customer can get a bulk load of documents picked up and destroyed. Onslow Document Services, for example, can provide this service and charge by the cubic metre. Some companies, such as information security company Iron Mountain, offer an onsite destruction service where a truck with an onboard shredder can destroy information at the customer's location. The most common option is the ubiquitous padlocked bin (present in offices across the country), where people can put confidential information to be destroyed. These bins can be collected when full and exchanged for an empty one (under secure conditions) by the designated document destruction company. This exchange service can be on demand, or at agreed intervals over time.
Document destruction companies generally follow a strict procedure for the collection, transport, and destruction of confidential information. The progress of a destruction bin is recorded throughout the whole cycle, from being signed off by the customer through to the destruction of its contents. Alpha Security Services, for example, follow a typical audit process from pick-up to recycling. All the bins and job sheets are numbered, and records are made of times, dates, who has handled the documents, and the time of destruction. The destroyed documents are then recycled.
Recording the process is even more stringent when document destruction companies also handle records management. Iron Mountain, for example, can securely store documents intended for destruction for seven years (this period can vary), then destroy them on a specific date prearranged with the customer. When the destruction date arrives, Iron Mountain notifies the customer that their documents are due for destruction. If at any time during the storage period a customer needs to access any documents, Iron Mountain can send them out for the customer to peruse and then re-lodge them for destruction. These kinds of retention schedules are dictated by the requirements of each individual customer.
New Zealand Security Magazine
All of the document destruction companies New Zealand Security Magazine talked to provide a Certificate of Destruction on request, as an added level of security assurance. This documents a confirmed timeline of the procedure followed from pick-up to destruction, tracing where it has gone and who has handled it.
The NZSA adopts a cautionary tone towards Certificates of Destruction. It acknowledges that the Certificate of Destruction is "an important legal record of compliance with a retention schedule, but "it does not, however, effectively transfer the responsibility to maintain the confidentiality of the materials to the contractor. NZSA guidelines caution that failing to select a reputable document destruction company, and to review their procedures and principles, could be construed as negligent in the event of any security breach. Most document destruction companies require all their personnel to be certified security staff. Some however only require the drivers who transport the documents to be certified, and that other internal staff who may come into contact with confidential documents need only be security cleared (checked for any criminal record).
New legislation is set to extend the categories of security personnel that requiring licensing or certification, to include document destruction agents and their employees. The Private Security Personnel and Private Investigators Bill will replace the Private Investigators and Security Guards Act 1974. It had its first reading before parliament in April this year, and is currently being considered by the Justice and Electoral Select Committee. Under the Act, any "confidential document destruction agent" must hold a license, and any confidential document destruction agent employee must hold a certificate of approval. The penalties for noncompliance are considerable; operating without a license could result in a fine of up to $40,000 for an individual or $60,000 for a body corporate. Fines for employees without a certificate of approval could be up to $20,000.
Document destruction companies vary in the methods used to physically destroy confidential documents. Most services use straight-cutting, where paper is cut into thin strips. A more secure alternative (although more expensive and time-consuming) is cross-cutting, where the paper is reduced to small pieces. Some services offer both. Other methods include particle-cut shredders or disintegrators that can reduce paper down to even smaller pieces or particles.
Destruction paper size
The size which strips or pieces are reduced down to determines the security level; the higher the level the smaller the remains. Level 1 and Level 2, for example, requires 12 mm or 6 mm strips respectively, whereas a Top Secret document may require Level 6, 0.8 mm x 4 mm particles. With extreme persistence, or by scanning document fragments and using a computer programme, document reconstruction is a marginal possibility. Particularly sensitive information may therefore require higher levels of destruction.
The final stage for any destroyed information is recycling. Document destruction companies have programmes where the recycling is outsourced after documents are destroyed. Ministry for the Environment guidelines for implementing office recycling systems suggest that on average 76% of office waste could avoid the landfill (a figure based on waste sorts of material from 90 offices in Christchurch). It is recommended that while confidential information requires the services of a document destruction company, you should check what kind of recycling programme your designated company has in place.
Paper isn't the only kind of media that may require secure destruction. Most document destruction companies also offer the destruction of other media such as discs and hard drives. So long as there is any trail of information, filed on paper or digitally, to sustain the information and records saturated world in which we live, document destruction companies will always occupy an important niche in protecting the confidentiality of this information.