Why Recycling Isn’t Enough to Protect Your Confidential Waste

Most businesses and organisations these days want to be ‘green’ – and paper recycling goes a long way towards hitting sustainability targets and demonstrating environmental good practice. For GP Practices, there’s also the matter of patient confidentiality and the secure disposal of confidential information that is embedded in legislation and the NHS codes of practice.

But do you ever wonder what happens to that confidential ‘waste’ – that meeting agenda with your colleagues’ names on it, that invoice you no longer need, that report that identifies information pertinent to the business – that you put in the waste or recycling bin?

Where do you think that paper goes? One minute it’s in your hands; the next, it’s a shiny new piece of paper, recycled and ready for use? Unfortunately, it doesn’t work like that. In fact, a document discarded in a desk-side bin or an open recycling bin is likely to face 50% more ‘touch points’ (opportunities for material to go astray) than one that goes through a secure document disposal process.

When you dispose of material in a wastepaper bin, there is no guarantee where your information could end up. If you're lucky, it'll be buried in landfill or pulped in a recycling plant, never to be seen by human eyes again. If you're unlucky, however, it could end up anywhere in the world, forming the basis of a stolen identity, for example. Once that document is in the bin, you have lost control of it, but one thing that you won’t have lost is your responsibility for that piece of information.

Confidential waste is defined as ‘waste containing personally-identifiable information or waste which is business sensitive’.

Under the Data Protection Act (DPA), you, as an individual, and your practice are responsible for confidential information that has been gathered in the course of business throughout its lifecycle. Although that piece of paper in the bin may not physically be in your possession for long, you are still responsible for it.

This could lead to serious repercussions for your practice. Try explaining to one of your patients who has just had their identity stolen that you didn’t realise you were doing anything wrong when you discarded a document with their personal details on it. Aside from the reputational damage that you could face, there is also a risk that you could get slapped with a hefty fine by the ICO.

The practice is responsible for making sure that confidential information is destroyed effectively, securely and in accordance with NHS policies and procedures. Previous breaches and the hefty fines imposed are evidence enough that this is to be taken seriously. The Information Commissioner’s Office’s figure of 2,000 NHS patient records lost every day is likely an underestimate, since NHS staff are only obliged to report serious data breaches.

All manual records should be disposed of using effective office-based cross-cut shredders, or an external confidential destruction company (this includes any hardware disposals, such as PC hard drives or external data storage devices). External companies will supply secure disposal containers and will make regular scheduled visits to the practice to collect the material for destruction, either on site or at a secure location.

Often, data is disposed of in wastepaper or recycling bins because companies don’t have a strong data security policy in place that all employees understand and are aware of. Take some time to ask yourself these questions and see if there’s more you could be doing to protect your confidential information:

  • At what point does your confidential information become ‘waste’?
  • If your confidential information was ‘waste’, why would anyone want to steal it?
  • What could you be fined for?
  • What are your organisation’s internal procedures when it comes to information security (hard and soft copy)?
  • Are these documented or enforced and do all employees know about them?
  • When was the last time your information security procedures were reviewed and independently audited?
  • How do existing information security processes prevent sensitive and confidential information from entering the waste stream?
  • Are you certain that every employee in every location is fully compliant with the correct security processes? Would they all agree on the same documents being confidential?
  • What would the consequences of a data breach be for your organisation?
  • Who would be ultimately responsible for a data breach internally?
  • How compliant is your organisation with data protection policies, best practice and legislation?

Shred-it, the UK’s leading information security company, has resources online about information security responsibilities, the consequences of improper disposal and how a reliable shredding partner providing secure recycling can help.

Created by FPM Group
With over 7,500 customers, First Practice Management is one of the UK’s largest providers of compliance software, expert training and HR support to health and care managers.
