Privacy Compliance: Document Destruction - Shredding

Secure destruction of documents is mandated by all of the 23 privacy laws in Canada including the federal private-sector privacy law Personal Information Protection and Electronic Documents Act (PIPEDA). These privacy laws require organizations to develop guidelines and implement procedures to govern the destruction of personal information. Privacy laws require records be destroyed in such a manner that the reconstruction of the records is not possible. For example, Ontario's Personal Health Information Protection Act, (PHIPA) states: " “disposed of in a secure manner” does not include, in relation to the disposition of records of personal health information, the destruction of the records unless the records are destroyed in such a manner that the reconstruction of the records is not reasonably foreseeable in the circumstances."

Secure destruction goes beyond privacy laws, it is mandated in many codes and standards, for example section 8.2 of the Generally Accepted Privacy Principles (GAPP) mandate securely disposing of waste (for example, shredding) and the Payment Card Industry Data Security Standard (PCI-DSS) mandate shredding of the cardholder data.

There are many privacy cases that have resulted from organizations not implementing effective programs that include securely shredding personal information. In a breach reported to the Privacy Commissioner in Alberta, an open garbage bag of completed insurance forms was found outside an Insurance Brokers office. The brokers had intended the information to be recycled, but it ended up being disposed of in a garbage bag. The Commissioner's office found that disposing of personal information without first shredding it was not a reasonable safeguard and contravened Alberta's privacy law.

In another incident in Ontario, documents containing personal health information were destined to be recycled but ended up being used for other purposes. The Commissioner's office issued an Order against the company which included provisions mandating secure disposal which must consist of permanently destroying paper records by irreversible shredding or pulverizing, thus making them unreadable. Further steps must be taken to ensure that no unauthorized person will have access to the personal information between the time the records leave the organization until their actual destructions. The Paper Disposal Company was ordered to have written contractual agreements in place and provide an attestation confirming destructions.

Secure destructions can be problematic due to sheer volume of paper and the number of people that could handle documents. Improper data destruction is one of the top privacy risks for organizations and with the expected changes to privacy laws that will mandate breach notification, this risk will dramatically increase.

Privacy Review: Cintas Document Shredding Services

Cintas Document Shredding Services allows organizations to maintain compliance by shredding documents that contain personal information. Cintas services include both on-site and off-site shredding. On-side shredding ensures the chain for custody has not been broken as on-site secure shredding allows the organization to witness the destruction. Some organizations may find on-site destruction necessary for sensitive personal information although privacy law and privacy precedent has not yet dealt specifically with on-site versus off-site shredding.

Privacy precedent has established that organizations select reputable companies with proven procedures, have contracts in place with these organizations and in some cases audit the shredding companies processes.

Cintas provides off-site secure shredding facilities which meet international standards. Cintas provides full chain of custody from pickup to baling and recycling. There shredders meet or exceed international standards and government standards for secure destruction. Cintas also provide a certificate of destruction once the shredding is complete, which again is recommended by privacy commissioners.

Cintas is a member of and is certified by the National Association for Information Destruction (NAID) . NAID members must follow a code of ethics and by-laws which include such provisions mandating members abide by all privacy laws.

Cintas Privacy ROI

Privacy laws mandate personal information be destroyed securely, there is no option, companies must invest. To calculate the privacy return on investment (ROI) an organization should compare the costs and risks of shredding in-house to the cost of outsourcing document destruction to Cintas (Cintas also destroys CDs, Tapes, DVDs). The in-house costs of shredding are reasonably straight-forward as it includes the capital cost of the shredders, the maintenance costs and labour cost of shredding.

Risk is a factor of the:

• quantity of documents to be shredded
• sensitivity of the information in the document
• number of locations
• maturity of your data management processes
• quality of your training programs
• number of audits conducted
• brand visibility of your organization,
• number of employees handling documents.

The privacy risks must factor in the likelihood of an employee always following organizations procedures even when volumes are high or timelines are tight, employee mistakes and the use of part-time employees. The impact of a breach can by costly due to reputational damage, legal costs, breach notification costs, and increased operational costs.

Note: Privacy ROI is only one factor in the total ROI when selecting Cintas Document Shredding Services.

Next Step

Contact Cintas to understand the specific benefits of their document shredding services to your organization. Based on these benefits, calculate the privacy ROI and the total solution ROI. If you would like assistance calculating the privacy ROI, contact Nymity, and we will provide free unbiased assistance.

• Strategic Alliances
  • Research Contributors
  • IAPP
  • PrivaWorks Real Risk Study
  • USCIB
  • US Privacy Solution Reviews
  • Canadian Privacy Solution Reviews
    • Breach Management Services
    • Do-Not-Call
    • Cross Border Legal Services
    • Data Leakage Protection
    • Document Shredding Services
    • EHR Legal Services
    • PC Data Protection
    • Privacy Breach Insurance
    • Privacy Filters
    • Training Employees
  • Privacy by Design
  • The Future of Privacy
  • The Ponemon Institute
  • Carswell

• Free Privacy Maps
• Privacy Research Tools
• Visit Customer List