Today we have a guest blog post to share with you from Chris at http://www.shreddingmachines.co.uk/
My parents and I were recently talking about ID theft and shredding over dinner. My father’s company purchased a Cross-cut Office Shredder from ShreddingMachines.co.uk to shred all sensitive information on site. This sensitive information includes corporate information such as invoices and pre-printed company letter paper but also the personnel files of his employees.
My mother works in the HR department for a much larger company so a vast majority of the documents that needed to be shredded relate to individuals who work at the company. This includes their names, addresses, home telephone numbers, bank account details and many other pieces of information that you wouldn’t want to fall into the wrong hands. I asked how this information was shredded and expected one of 3 answers:
1. Each member of staff has their own personalised shredder
2. There was a large centralised shredder for each department
3. A specialist company comes and does the shredding for them on site
The actual answer left me stunned. They got another company to shred all of her documents FOR FREE! They put all of the documents that need to be shredded into bags and then these are left in a room for the company to collect. The company would arrive every Friday to collect the bags and take them away with them.
I asked why the company didn’t charge any money for this service and was told that it was because they make their money from selling the paper. I asked how she knew that the paper had been shredded and she very proudly told me that they received a certificate through the post a few weeks later confirming that the paper had been shredded!
I could not believe what I was hearing. Sensitive information is left for over a week in bags marked “to be shredded” and are then collected by a company who makes money from the contents of these bags.
There are two problems that I can see:
1. Imagine someone broke into the property overnight and saw these bags. It wouldn’t take a genius to realise that bags marked “to be shredded” contained sensitive and potentially valuable information.
2. What is to stop the company who collects these bags from selling them to someone else and then providing you with a false certificate?
That is not to say that this particular company acts in this way. I have no idea of their name and they may be the most ethical company in the World. However why take the chance? If they could collect the paper and get $5,000 for the recycled value or sell the information for $20,000 then unfortunately there are some members of society that would choose the latter.
Do you know what happens at your company? In the UK companies must comply to the Data Protection Act. The important part is the 7th Principal that states that “Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data”. This is clearly not the case if your information is taken off site. In the US there is no equivalent legislation, however companies are encouraged to self regulate this to ensure that data does not fall into the wrong hands.
This has hopefully made you think about what your company’s shredding policy is.
IT IS OKAY TO ASK!!
It is your personal information that could be at risk and it is your identity that could be stolen so you are allowed to know what the process is. All companies should have a shredding policy in place. If they don’t then why don’t you put yourself in charge of creating one? If your Company has their information shredded off-site then show them this article and see if you can get them to change how they do things.
The golden rule applies in this case as it does with most things in life. If something sounds too good to be true then it usually is!