Making a mistake at work

Faced with a prison sentence for making a mistake at work, most people would be forgiven for being fastidious in their attention to detail and conscientious in ensuring that correct procedures are followed. Given several years' notice of requirements which carry a prison sentence if not properly met, it would be reasonable to expect people in this position to ensure that correct procedures are in place and that plans to comply are made well ahead of time. But, according to Stuart Riccalton, chairman of the United Kingdom Security Shredding Association (UKSSA), many companies could fall foul of the forthcoming Data Protection Act 1998 because they have failed to audit their data handling systems correctly.

Riccalton states, "The Data Protection Act has implications for every type of business across the country and, whilst its implementation date is still uncertain, those responsible for all types of data processing should be taking stock of their procedures now. Our experience suggests that many companies do not appear to be taking measures in preparation for the Act and this could have dire consequences for individuals responsible for handling of data."

The Data Protection Act stipulates eight basic principles and imposes a duty of care on individuals responsible for data processing. Conviction of an offence contrary to the Act can lead to a prison sentence and a fine of several thousand pounds. The Act is expected to be fully ratified on 1st March 2000. Recent surveys suggest that between 75% and 85% of businesses have not made plans for the Act's introduction. This apparent inertia could well be due to the delay in the Act's implementation and the fact that there will be a transitional relief period, until October 2001, to allow companies to make the necessary changes, with a further six years to assist those holding manual records.
Nevertheless, organisations such as UKSSA are advising companies to undertake thorough audits of their data processing systems to define areas of responsibility and the procedures necessary to comply with the Act. Among the Act's eight principles, those which could have particularly serious ramifications for companies stipulate that personal data should be relevant, accurate, kept up to date where necessary, and not kept for longer than the purpose for which it was intended. In addition, the Act states that data should be held for a specific (lawful) purpose and shall not be processed in any manner incompatible with that purpose. The Act is, therefore, extremely wide ranging, and it is difficult to see any data held in manual or computerised recording systems that will be exempt from scrutiny. It can include personnel records, client files, supplier information and a myriad of other types of data.

To reduce the risk of prosecution under the Data Protection Act, companies will need to thoroughly review their existing filing systems, bring historic information up to date and dispose of records which can be considered as contravening the Act. It is here, according to UKSSA, that companies should be taking the greatest care. "Strange as it may sound to many businesses, sorting out your filing systems and data processing procedures is probably less risky and, therefore, less onerous than disposing of obsolete files. A company can be confident in its own operations, but data disposal would invariably involve an external service provider at some stage or other, and companies should make every effort to ensure they select a reputable supplier," says Riccalton. UKSSA argues that disposal of confidential data, such as company records, should be treated as a separate issue from general office waste and entrusted to specialist companies which abide by strictly controlled performance standards.
Failure to do so would not only risk embarrassment for the subjects of the data, but could cause untold damage to the reputation and viability of the company concerned, as well as risking prosecution under the Data Protection Act for those deemed to be data controllers, e.g. directors and senior managers. Principle 7 of the Act states that "appropriate technical and organisational measures" should be taken to prevent unlawful processing and accidental loss of personal data, making it essential for a company to exercise care in disposing of such information. Recent media reports have highlighted possible lapses in the handling of confidential documents among high street banks and health authorities. Whilst these have caused little more than minor embarrassment to those concerned, under the Data Protection Act 1998 the consequences for those responsible within the organisations could be far more severe.

Riccalton states, "A responsible approach to data processing should include clear statements on disposal policies. Using reputable security shredding companies will assure organisations that confidential waste has been collected, destroyed and disposed of under secure, controlled conditions, reducing the risk of prosecution under the Data Protection Act and keeping reputations intact. With the Act forcing organisations to review their data storage arrangements and the likelihood of increased demand for secure destruction services, some could see the opportunity to make a fast buck. All organisations should give careful consideration to the service provider they choose. Reducing costs in the short run could prove to be expensive in the longer term!"