Businesses fail to comply with Data Protection Act

Facilities

ISSN: 0263-2772

Article publication date: 1 October 2001


Citation

(2001), "Businesses fail to comply with Data Protection Act", Facilities, Vol. 19 No. 10. https://doi.org/10.1108/f.2001.06919jab.006

Publisher: Emerald Group Publishing Limited

Copyright © 2001, MCB UP Limited


Keywords: Security, Data protection, Fraud, Liability

Businesses could face fines of up to £5,000 from the data commissioner if they do not tighten up their security measures when disposing of confidential papers, computer disks and other IT equipment, warns the British Security Industry Association.

A total of 150,000 tonnes of waste is destroyed by professional information destruction companies annually, but this is only a small percentage of the overall amount of confidential waste generated by businesses. The remainder is sent to waste-paper companies (who rarely have any form of security system in place), or thrown into ordinary rubbish bins.

This has led to a number of high-profile information disposal disasters, including the Mohammed-Al-Fayed vs. Neil Hamilton court case, where documents detailing the proposed line of questioning by Hamilton's legal team were discovered in bins outside their premises. These documents were allegedly sold to Al-Fayed ahead of the trial. In a separate incident, a number of "wiped" computers from Deutsche Bank were obtained by individuals who re-constituted the hard drives and uncovered share dealings by high-profile customers such as Paul McCartney.

The 1998 Data Protection Act (which became law in the UK in March 2000) requires a company to provide sufficient guarantees of security measures for the disposal of confidential data. Few companies can prove they meet its requirements. These requirements include the destruction of data being carried out under contract and evidenced in writing.

Information destruction companies can ensure that a business complies with the Data Protection Act: they will enter into a written contract, issue certificates of destruction and provide full audit trails from the point of collection to shredding or incineration. Secure destruction can help to reduce losses through fraud of all types, as well as ensuring that the reputation of a company remains untarnished.

However, businesses are still held jointly liable if data is mislaid in the destruction process, so they should select their information destruction company carefully. All BSIA information destruction companies will meet the requirements of the Data Protection Act. In addition, they comply with their own code of practice (which is soon to become a British Standard), meet standards set by groups such as the British Bankers' Association, and have passed the association's rigorous membership criteria.

A factsheet on Information Destruction and the Data Protection Act is available from the BSIA Publications Department. Tel: +44 (0) 1905 21464. For more information about BSIA information destruction companies, either contact the helpline (Tel: +44 (0) 1905 21464) or log on to www.bsia.co.uk
