How to Develop a Data Destruction Policy for Your Company
Proper data management is the key to protecting the security of your company’s sensitive information. Companies are responsible for generating, storing, and securing sensitive data such as financial information, transactions, personally identifiable information, medical information, and more. In addition to the moral and logical responsibility of protecting this information, companies also have a legal obligation to keep sensitive data secure. It is very important for any reputable company to have a Data Destruction Policy in place so that all stakeholders know how to handle the sensitive information they come across during the course of their work.
First, let’s discuss some of the common laws and regulations that govern data destruction in corporate and other business settings. Each of these laws and regulations has its own specific guidelines for compliance.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA, or the Health Insurance Portability and Accountability Act, is the US privacy law that protects the medical information of patients against fraud and theft by third parties that are not permitted to access it. The text of the law states, “Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI” [45 CFR 164.310(d)(2)(i) and (ii)]. By incorrectly destroying this sensitive data, you would be in breach of HIPAA. The law does not designate a particular disposal method; however, by partnering with a certified Data Destruction specialist like Arrow Scrap, you will be ensuring your compliance with the law and protecting your patients’ sensitive medical information.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act of 2002 is a federal law that dictates the standards that the board of directors of any domestic public company must follow in order to properly handle financial information and financial reporting. The law requires that a public company create a commission within the company to develop and enforce internal control policies. By complying with SOX, a company ensures that all financial information and reporting that relates to the organization is secure, both while it is stored and when it is disposed of.
Gramm–Leach–Bliley Act (GLBA)
The Gramm–Leach–Bliley Act establishes the consumer privacy laws that financial institutions must follow. Major components of the law include the Financial Privacy Rule and the Safeguards Rule; together, these rules require developing a written information security plan that your company must abide by when storing and destroying consumer information. By contracting with a company like Arrow Scrap, you can ensure your compliance with the GLB Act: we properly dispose of your sensitive consumer information and provide the complete chain-of-custody audit that the law requires for compliance.
Fair And Accurate Credit Transactions Act (FACTA)
The Fair and Accurate Credit Transactions Act establishes consumer protections that a variety of organizations in the financial services sector must follow. Among those that must follow FACTA are lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, attorneys, private investigators, debt collectors, and more. If your company falls in this list and/or deals with consumer information, then your company must be in compliance with the data security measures dictated by FACTA.
FACTA specifies the following methods of disposal: burning, pulverizing, or shredding papers; destroying electronic files such that the files cannot be read or reconstructed; and performing due diligence when hiring a document destruction contractor, so that the contractor will keep the company in compliance with the rules.
Next, let’s plan for your company’s compliance with the law or regulation you are subject to.
- Institute a Data Destruction Policy
Review the regulations that govern your industry and plan for full compliance. Design your workplace and company so that compliance with the regulations becomes second nature for your employees.
- Ensure Records are Digitized
Wherever possible, keep a digital record of your paperwork. While many regulations and laws require retention of hard copies for a specific length of time, it is easier to manage the long-term preservation of these records if they are digitized immediately in a secure manner and kept long after the hard copies are destroyed. Digitized records are less likely to go missing, and with most professional records management software you can be alerted immediately to any breaches.
- Use Records Management Software
Records Management Software allows companies and groups to systematically control data within their organization. It reduces human error and makes it easy to maintain accurate records by creating an organizational system that makes retrieval (and yes, eventually destruction) a workflow process that is predictable and repeatable. Investment in good Records Management Software is key to protecting your data.
- Inform & Train Stakeholders
This sounds like a no-brainer, but do not take it for granted that stakeholders within your organization will know how to manage data. Every point person needs to be trained on the regulations and requirements related to data in your industry, as well as on your organization’s Records Management Software and other workflows. While tools reduce human error, humans are still using the tools and need to know their importance in keeping data secure. This step is crucial in reducing your liability and remaining compliant.
- Partner With a Reliable Data Destruction Company (like Arrow!)
The importance of reliable data destruction is paramount in your data plan! Partner with a company that is certified by R2-RIOS and is a member of NAID. Certifications and industry membership are excellent ways to ensure your sensitive data can be entrusted to a data destruction partner.