Customer Misconception: Particle Size is the Only Thing that Matters
Selling Information Disposition by the Book (vol. 9)
By Bob Johnson
In Chapter 6: Secure Destruction Methodologies, the section Process/Particle Size Standards, Guidance and Requirements, which most directly confronts this misconception, starts on page 132:
In navigating their responsibilities, requirements and options for information destruction, data controllers are understandably interested to know if the materials they wish to destroy are subject to a required particle size specification. In truth, however, outside of government classified NSI, where the data controller is legally bound to a particle size, PHI and PII, the types of information most organizations discard, are not subject to any prescriptive regulatory particle size requirements whatsoever (see Reasonableness in Chapter 1). As for competition-sensitive information, particle size preference is completely left to the data controller, insofar as they are subject to no form of regulatory obligation.
The section then goes on to describe how, in years past, when media was destroyed in-house, particle size was the most critical issue, but how, with the advent of outsourcing as the most common means of data destruction, there are many other factors that equal or surpass particle size in importance.
Later in the same section, there is a warning regarding the dangers of turning to non-governmental particle size specification recommendations:
Unfortunately, in the search for some direction on this particle size, data controllers sometimes mistakenly interpret and/or apply standards where they are unnecessary or, worse, where reliance on particle size provides a false sense of security. In any case, but especially when information destruction is outsourced, the overall process is the critically important factor. Particle size is simply one aspect of that process. The problem with relying only on particle size guidance is that the more important factors (the written procedures, the training, the employee screening, the secure staging, the custody transfer, the access control, and the disposition of destroyed material) are often ignored.
Though it may sound a bit cavalier, if particle size were the key to compliance, compliance could be met using unscreened, known criminals on a vacant lot in the most crime-ridden neighborhood in town.
The fact that no data protection regulation includes a prescribed particle size is also the subject of discussion in Chapter 1, where the requirements of each regulation are described in detail.
June 12, 2017