The On Time Secure Destruction Group Finance Director, a former Head of Internal
Audit of a large plc, asks the question "does complying with legislation
add to bottom line value?" "Organisations cannot get away from
the need to comply with legislation. For confidential waste there is a range
of legislation that all businesses (and their officers and owners) must comply
with; the most well known might be the Data Protection Act 1998, the statutory
Environmental duty of care for proper disposal of waste and other regulations
such as health & safety manual handling of heavy loads regulations.
Every business, large or small, needs an effective and enforced policy
towards old hard copies, CD ROMs, videos etc. A Finance guy will tell
you risks that are not managed effectively will ultimately back-fire
and undermine the profit and loss -- cutting corners to save costs in the
longer run is not good business.
For example, any person on whom an organisation keeps information (employees,
suppliers, clients) can send a cheque for just £10 and issue a 'Subject Access
Request' (SAR). The organisation has 40 days from
the time payment is received to provide the person with access (usually as
photocopies and printouts) of any documents where the person can be identified
-- documents need not directly state the person's name and need not be about
them; e.g. where the person is a 'cc' on a memo or email, such documents
must be provided under a SAR.
Ask an employment solicitor and you will find that it is commonplace
for ex-employees to issue SARs. This can and does impose an enormous
burden on those who are unprepared and can disrupt operations whilst teams are diverted
from their day jobs to sift through old archives to find and copy documents.
In fact, it is such an effective weapon that most unprepared employers settle
with the ex-employee instead.
There are ways to fend off SARs, such as claiming that complying
with the SAR would result in 'disproportionate effort' or that documents
cannot be disclosed without breaching one of the Data Protection Act
principles (an example would be where documents identify several people, the identities of whom,
even after using Tipp-Ex, cannot be concealed and the people identified
do not consent to having their identity disclosed). Such tactics are
unlikely to prove a reliable defence where documents have not previously been effectively
managed -- typically, it is those companies with less well controlled archives who wait until close to the end
of the expiry of the SAR's notice period before reacting, leaving
themselves little time to deal with the problem.
And there is the spectre of a lawsuit -- ancient archives
become discoverable to plaintiffs. In the real world, poorly kept
records can cost multiple years of accumulated profits.
A by-product of complying with the Data Protection Act is that the risks
associated with poorly maintained records are mitigated or avoided, i.e. in
the long run, value is added by complying with legal requirements.
Although the benefits of complying with the law may not be visible to the
management team in day-to-day operations, the benefits are likely to
outweigh any additional administrative costs of keeping tidy, controlled archives.
Best practice is to appoint a part or full time Data Officer to oversee document
management policy for the whole business. Whilst there is an overhead
associated with this, the Officer can take a high level overview and make
recommendations to management that most efficiently coordinate the activities
across a business."