Privacy, dumpsters, drives and discs
For the London Free Press – May 26, 2007
We need to pay more attention to how we handle documents containing personal information. We constantly see stories about data breaches – many of them from simple faux-pas like throwing paper in a dumpster.
Recently in Toronto, a retired social worker found hundreds of order forms from a large corporation in an alley complete with addresses, phone and SIN numbers of customers. They were apparently put there by an independent dealer of the corporation.
Just a week earlier, a company in Texas was sued for throwing out customer information where anyone walking by could just grab it. The customer information included credit card and social security numbers.
In Atlanta, a computer disk containing the names, birthdates, and social security numbers of 2.9 million Georgia low-income health care recipients was lost. The sensitive information was contained on a CD that was apparently lost while it was being shipped.
The proper disposal of paper records is a simple issue to address. It’s so simple, in fact, that it’s amazing to see it come up repeatedly. Businesses need to impress the issue on their staff. Individuals must be more aware that the paper they handle must be protected.
The default thought process should be to securely shred all paper when it is no longer needed. Make exceptions for innocuous things like newspapers. Far too often paper is considered like normal trash first, with the shredding issue being an afterthought. That’s the wrong mindset.
Treat paper like hazardous waste. It must stay sealed in its container at all times. Get rid of it as soon as you can in a way that keeps it out of the environment, with no chance of public contact during the disposal process until it is neutralized.
To start, don’t create or keep paper records unless they are necessary. And don’t print information that is not needed, such as credit or debit card numbers on receipts.
If records are needed, store them in a secure, safe place. When it comes time to dispose of them, shred them properly. Don’t leave them in a dumpster. Keep the records secured while they wait to be shredded; don’t leave them in boxes on a loading dock.
If you are a small operation, invest in a decent cross-cut shredder. There are also service providers that come to your premises with a truck that shreds the material on the spot.
Think twice about shipping or transporting discs or hard drives containing personal information. There may be a better way to transfer the information. And if it must be done, encrypt it so that if it does go missing, it can’t be read. Various privacy commissioners take the position that mere password-controlled access is not enough.
Taking these simple steps will go a long way to protect privacy and reduce the risks of fraud and identity theft. It will also reduce the risk that your organization will have to face the embarrassment, costs in both dollars and time, and the privacy investigation that will occur if those documents get loose.




