Businesses dealing with acutely sensitive financial or medical records, such as accountants and doctor’s practices, are often SMEs, where data security may be less formal, less developed and less documented. This combination of sensitive data and potentially lower security levels make these businesses particularly susceptible to data breaches.
Federal parliament is currently considering a bill which would require businesses to report any breaches of data for which they are responsible, both to their customers and to the Privacy Commissioner. This is likely to increase the direct cost to a business of a data breach, due to significant fines and the increased complexity of the reporting requirements. Such a breach would also – just as importantly – cost the business reputationally.
To paraphrase sections of this bill (see here, pages 7, 8, 15 and 17 for the full text):
“An eligible data breach happens if
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
The entity must prepare a notification statement of any such breach and give a copy of the statement to the Commissioner. The statement must set out
- the identity and contact details of the entity
- a description of the eligible data breach that the entity has reasonable grounds to believe has happened
- the kind or kinds of information concerned
- recommendations about the steps that individuals should take in response to the eligible data breach that the entity has reasonable grounds to believe has happened.
The entity must
- notify the contents of the statement to each of the individuals who are at risk from the eligible data breach
- publish a copy of the statement on the entity’s website
- publicise the contents of the statement.“
The bar is about to be raised.
So, as part of normal business processes, it is critical that data is identified which is no longer required for business purposes or for compliance to data retention regulations.
Such data must be destructed – promptly, securely and (not least) auditably.
This applies to data kept as paper copies, as well as data on any computer storage media – hard drives, CDs, tapes etc.
Organising secure disposal of old hardware
Once you have collected your old computers and external hard drives to be destructed, as well as paper or other media on which copies of documents are stored, Confidential Shredding Co provides secure, compliant, efficient and hassle-free destruction of all forms of user information, such as
- External hard disks or entire old PCs
- CDs, X-rays and other electronic media and other non-paper storage media
- Paper records
We pick up your items slated for destruction, and issue you a Certificate of Destruction upon completion, providing you with auditable evidence of compliance.
There are federally mandated standards for the proper destruction or de-identification of personal information that may be found here.