Interview with Proshred Security
January 2004
Terry McQuay, President of Nymity, recently had an opportunity
to speak with Ron Campbell the President of Proshred Security
about secure data destruction.
Nymity: Ron, is the destruction of documents a security issue,
or privacy issue?
Campbell: Both. Corporations must protect
themselves from documents falling into the wrong hands.
This includes their customers' personal information which
is covered under the Act. While the PIPEDA focuses on personal
information, many of our clients have long understood the
need for a secure information destruction system to protect
both their business systems and to reduce the liability that
an information loss may introduce.
Nymity: What has Proshred done in the area of privacy?
Campbell: We have been and continue to be
actively educating our clients on privacy best practices and
privacy regulations. Our Client Services personnel have been
trained on privacy and on how to assist our clients. Also,
our operational systems have been developed to fully support
the "chain of custody" in order to ensure that all
information is handled and destroyed in a secure way. Proshred
became ISO 9001:2000 registered as a result of the processes
utilized for information destruction.
Nymity: PIPEDA's Principle
5 - Limiting Use, Disclosure, and Retention states that
"Personal information shall be retained only as long
as necessary for the fulfillment of those purposes."
What impact has this had on your clients?
Campbell: Our clients understand that some
of their business processes will have to be changed. They
understand that their old practice of keeping customer information
forever is in conflict with new privacy regulations. They
understand the need for a well documented retention and destruction
policy; in fact we have assisted many in the development of
such policies and procedures, thus reducing their risk and
liability.
Nymity: PIPEDA Principle
5, section 4.5.2 states "Organizations should develop
guidelines and implement procedures with respect to the retention
of personal information. These guidelines should include minimum
and maximum retention periods". Has this had an impact?
Campbell: Yes. Our clients who haven't previously
had formal data management policies are now putting them in
place. We are seeing a great deal more emphasis being placed
on the day to day destruction of information as opposed to
the storage of such material. In many cases the collected
information can be destroyed soon after collection.
Nymity: PIPEDA
Principle 5, section 4.5.3 states "Organizations
shall develop guidelines and implement procedures to govern
the destruction of personal information". How can your
firm help?
Campbell: We have been helping organizations
with the destruction of personal information for 18 years.
Many of our clients have already adopted policies similar
to those in the Act for business reasons. Now that it is a
regulatory requirement to destroy customer personal information
we expect many more will look to industry standards and best
practices, and will adopt appropriate retention and destruction
policies.
Interestingly, we believe that many companies will see a
cost saving by reducing the amount of unnecessary information
they currently store. This should reduce the amount of records
kept in back rooms, desks and storage facilities. Again Terry,
we are seeing greater emphasis on the day to day material.
If a formal file is created, there will be a need for a longer-term
retention process, however much of the material we see created
on a day to day basis can be destroyed right away. Once again,
this reduces not only the risk and long term liability,
but also the hassles that could be created under an access
request.
Nymity: I understand that the destruction of customer data
is a security risk, but now it is a legislative requirement.
PIPEDA
4.7 Principle 7 - Safeguards 4.7.5 states "Care shall
be used in the disposal or destruction of personal information,
to prevent unauthorized parties from gaining access to the
information." Has this been a factor in your customers'
data destruction processes?
Campbell: Our clients have long understood
the security and liability risks of improper storage and destruction
of all information. PIPEDA now makes it a regulatory requirement.
We see an increase in demand for service as companies move
to best practices and implement policies to ensure that they
meet or exceed the law. It should be pointed out that this
law has an impact on the governance issues facing companies
and organizations today as now the liability of an information
breach may sit with the Board. As the company CFO signs off
on the monthly compliance certificate, they are ensuring to
the Board that the company is compliant with all regulations
and laws, which now includes PIPEDA as well.
Nymity: Are your clients concerned about their customers exercising
their right under PIPEDA
4.9 Principle 9 - Individual Access to access their old
information?
Campbell: The full scope of what is involved
in access requests is generally not clear with our clients.
They realize that they will be asked for customer personal
information, but they don't realize that this could involve
all information that has been collected, including the old
files.
Nymity: Do your customers know that their customers
can demand that information be deleted if it is no longer
required for the purpose for which was collected?
Campbell: No, not yet. We are doing our part
to educate our customers of this and other elements of the
regulations. I understand that there have been at least two
cases in which the Privacy Commissioner of Canada has stated
that a customer's request that information be deleted must
be exercised. We have been recommending to our clients to
go to Nymity's web site to best understand these types of
Commissioner's decisions.
Nymity: PIPEDA Principle
1 - Accountability 4.1.3 states "An organization
is responsible for personal information in its possession
or custody, including information that has been transferred
to a third party for processing. The organization shall use
contractual or other means to provide a comparable level of
protection while the information is being processed by a third
party." Has this an impact on your operations?
Campbell: No. At Proshred we destroy documents
at our clients' premises. No data is transferred to our locations.
Therefore, third party contracts of this nature are not required.
Also, PIPEDA expects companies to audit third party data management
processes, but since we are onsite our clients need not be
concerned with this requirement. That is why we do all of
our work on-site under the complete control of the client.
Their information stays in their control until destroyed,
eliminating any risk of third party involvement, especially
where sensitive personal information might be taken offsite.
This is particularly important for the day to day material
that has not been formally filed. Furthermore, the third party
approach may involve the sorting of paper to improve the value
of the recycling. While we are all sensitive to ensuring a
good environmentally sensitive process, the risk of a breach
dramatically increases each time a new pair of eyes crosses
over the information. Companies looking to reduce their exposure
look for onsite solutions that eliminate this risk.
Nymity: British Columbia, Alberta and Quebec have privacy
Acts that govern both the privacy of customer and employee
information. Are your customers aware of these regulations?
Campbell: Quebec legislation has been in
place since 1994 so our customers in Quebec are aware, but
British Columbia's and Alberta's legislation has just taken
effect in January of this year so we are seeing a great deal
of activity in these provinces.
Nymity: In closing, what recommendations do you make to your
clients?
Campbell: In short, if you don't need the
information, don't collect it in the first place; if it has
been collected and it isn't required, destroy it securely.
Then, set up policies and processes to help ensure that your
customer privacy is protected. Good data management policies
reduce your risks and the risk of an investigation by one
or more of the Privacy Commissioner's Offices. Lastly, we
recommend our clients visit Nymity's web site and consider
Nymity's privacy training program. We did, and we have found
it to be extremely helpful.