Customer Misconception: Recycling is Adequate – Selling Information Disposition by the Book (vol. 5)
By Bob Johnson
Of all the misconceptions that put clients at risk and minimize the role of service providers in protecting clients, mistaking general unsecure recycling as a substitute for secure destruction is among the most disturbing.
As Information Disposition explains on page 125 of Chapter 6: Secure Destruction Methodologies:
Reducing paper media to pulp is a very thorough method of destruction. However, because the process is most generally available only at large-scale paper mills, where data protection is not mission-critical, the overall process lacks the necessary security controls. The pulping process performed at paper mills, therefore, falls far below the level of security that would be considered minimally reasonable by data protection compliance standards. Those attempting to convince customers that large-scale pulping operations are suitable for providing secure destruction are either hoping to play on client ignorance or demonstrating their own lack of knowledge. While there are instances in which data controllers have been tempted or tricked into accepting pulping as a method of destroying paper media, it is not appropriate without the proper employee screening, training and acknowledgements, access control, acceptance of fiduciary responsibility, written data protection policies and procedures, or contractual linkage to security or regulatory compliance.
Electronics Recycling: Thankfully, on the whole, most customers realize paper recycling does not provide adequate security or regulatory compliance, and so, it remains less of a misconception than in past decades.
On the other hand, there are still organizations that look to basic computer recycling to meet their data protection requirements; they are not even thinking of data protection as their primary imperative when they dispose of obsolete IT equipment.
For instance, a few years ago, the Toronto Sanitation Department ran a television advertisement advising residents to put their old computers at the curb for collection. When the Information and Privacy Commissioner of Ontario discovered this, the ad was pulled immediately. The point is, the security (or vulnerability) of the personal information on those computers was not even a consideration for sanitation officials. This same mentality is apparent in business as well.
Of course, as discussed earlier, the book stresses throughout that vendor qualifications need to factor heavily into selecting a data destruction vendor. In addition, and more specifically, the detailed quality control measures for computer recycling companies outlined on page 122 of Chapter 6 are critical:
Quality Control for Electronic Erasure Processes
Because neither overwriting nor degaussing changes the appearance of the media to which they are applied, quality control procedures are critical to ensure the reliability of these processes.
Quality control starts with written procedures describing the steps and flow of materials through the stages of the process. Written procedures 1) demonstrate that due diligence has been afforded the process, 2) provide for the appropriate training of qualified technicians to comply and conform to the instructions, and 3) establish a method of organizational and individual accountability.
The section goes on to outline in detail the steps and measures to be employed in a defined quality control publication.
Any service provider looking to stress the importance of vendor qualifications and quality control in order to confront the misconception that recycling is a legitimate option will find plenty of ammunition in Information Disposition.
May 16, 2017