Critical Information: Dispose of Carefully
Your firm must protect its customers’ and employees’ confidential information while also mitigating its risk profile. Take these steps to develop an information management plan that includes efficient, compliant disposal of physical and electronic information.
DID YOU KNOW? Nearly 40 percent of organizations surveyed by Iron Mountain were uncertain about what’s in their own information coffers or how to deal with it.
FAST FACT: 53 percent of businesses participating in Iron Mountain’s 2012 Benchmark Report said they systematically destroy paper records in accordance with set destruction dates.
Here’s an information management riddle for you: What do a box of old partnership contracts from the 1990s and your cousins, the eccentric family of competitive baton-twirlers who come to visit every Thanksgiving, have in common?
Answer: Much like your cousins, those contracts end up taking up too much space and cost you more than you bargained for.
OK, we don’t mean to disrespect your family—after all, they’ve won quite a few baton competitions. But it’s true: Any solid retention program has on its flip side a plan for destroying and disposing of information that’s outlived its usefulness to your core business. This plan should also apply to information you’re keeping on file to satisfy regulatory compliance requirements.
Managing Without a Safety Net?
Many respondents to A View Into Unified Records Management: The Iron Mountain Compliance Benchmark Report weren’t even sure what’s in their data stores, much less when or how to dispose of it.
Are you in the same place? Keep in mind that without a solid disposal and destruction plan, your information can fall into the wrong hands and greatly compromise the privacy of your business partners, employees and customers. And in some cases, information that you should have disposed of but kept around “just because” may become legally discoverable and work to your disadvantage. Neither scenario is healthy for your business—especially in these tumultuous economic times.
Regardless of where your organization lands on the information disposal continuum, it’s never too late to clean house. By doing so, you’ll gain space and increase efficiencies. The next time you have an obscure information request, you’ll have less information to search to get what you need. That’s a serious boon to audits and discoveries.
Turning Green About E-waste?
A disposal program gives your organization an opportunity to become a good environmental steward. Sure, shredding and recycling paper is almost an obvious (and wonderful) effort. But what about the proper disposal of unneeded or outdated hardware?
Did you know…
- The Environmental Protection Agency estimates that 2.37 million tons of electronic waste—everything from laptops and cellphones to printers with hard drives—awaited destruction in 2011?
- This waste, if left unmanaged, poses environmental threats, since it can contain harmful elements like lead and cadmium?
As a responsible esteward, your company could work with a trusted partner to recycle many of these components into new devices. That’s a true win-win situation for all involved.
Don’t Curb Your Enthusiasm
So you’re ready to get working on a better plan than dragging bins of old records to the curb. What does it take to get more efficient and compliant? Follow these steps to ensure a safe and comprehensive disposal program.
Step 1: Get to know your records—all of them. A majority of the Benchmark Report’s respondents—61 percent—could identify their inactive records. But do the math: Nearly 4 out of 10 businesses surveyed were uncertain about what’s in their own information coffers and how to handle it once labeled.
Social media information often poses an additional problem to organizations already having trouble with more conventional physical and electronic media. Many play it safe by saving every post and tweet. That’s counterproductive. Give some thought to each type of information in this category and add them all to your destruction schedule.
Step 2: Discover—and vanquish—your vulnerabilities. Use the process of establishing a disposal program to illuminate and eliminate your company’s information weak spots. And be prepared to find them in some unlikely places, as did one customer in the healthcare industry. A few years ago it realized that its disposable lunch trays carried identifying personal information. This made routine destruction of those trays as critical as safely disposing of information in file cabinets and hard drives.
Step 3: Cozy up to the law. It’s critical that you know and understand regulatory requirements. Federal and state laws such as the Health Insurance Portability and Accountability Act (HIPAA) mandate proper destruction of information, as do state laws including Massachusetts 931, which calls for electronic media “to be destroyed or erased so that personal information cannot practicably be read or reconstructed.”
Step 4: Become a policy (and training) wonk. Set a policy for proper destruction and enforce it. Let the type of records you’re handling, your risk-exposure level and your industry’s compliance landscape inform your policymaking. And make sure that you train employees in proper disposal techniques.
Here’s an interesting slice of reality in this area: 60 percent of companies surveyed in the Benchmark Report said they shred some of their paper records. However, they admitted to not having a formal policy or process that they’ve trained employees to follow.
Step 5: Build a destruction turntable. The Benchmark Report shows that 53 percent of respondents systematically destroy their companies’ paper records in accordance with set destruction dates. Regular destruction of information can prune your files and provide efficient access to data possibly needed for discovery, audit and regulatory obligations.
Much like hosting those boisterous relatives, safely shepherding information through the end of its life and into the recycle and reuse pile may call for exceptional expertise and resources that go beyond what you have under your roof. A trusted partner can safeguard your sensitive information and identify and plug holes in your processes and policies. It will also give you much-needed peace of mind, as well as the assurance that your disposal program aligns with your commitment to go green.
Iron Mountain Recommends: You, the Policy Expert
For your destruction policy to work, your colleagues must understand it, embrace it and take responsibility for their roles in it. Before putting your program into practice, be sure to:
- Conduct an enterprise-wide rollout, including employee education. Your corporate records manager should initiate this, while soliciting support from your steering committee and records administrators at the business-unit level.
- Maintain ongoing assessment and accountability procedures for the confidentiality of information as it’s destroyed.
Do you have questions about information management? Read additional Knowledge Center stories on this subject, or contact Iron Mountain’s Information Management team. You’ll be connected with a knowledgeable product and services specialist who can address your specific challenges.
Retention Schedules: The Golden Thread of Compliant Information Management
Records Management: Bridging the Execution Gap
Repaving Your Rocky Road to Ultimate Preparedness