Contact Us (905) 847-2583

Create And Implement A Document Destruction Policy for Risk Management: Records Management Services Guide Chapter 4

An information destruction policy is a must-have for any organization looking to safeguard its competitive position and stakeholder confidence. The most effective policies are part of an integrated information strategy: click here to get started now in forging sound risk-management measures.This article is part of the records management services guide: helping help readers understand what is the service and the best practices in using records management to make an organizational impact. Chapter 4 of the Records Management Services guide offers insights into creating an information destruction policy. Developing an effective information destruction policy includes the adoption of best practices along with industry-specific insights.

“I loved the service I got from Blue-Pencil. Fast, easy and no hidden fees. The technician name was Adam H. and he was very polite and professional. I’d definitely use their service again. Highly recommended!”
Click here for more customer reviews

records management system challengesWhy an Organization needs an Information Destruction Policy

Information destruction is a key step in ensuring compliance along with competitive or sustainable positioning. This is part of an organization’s approach to risk-management, limiting potentially damaging situations to the organization, its stakeholders, and reputation. Disposing of information appropriately and in a timely manner is the safest way to manage the risk of unauthorized information access. An information destruction policy can help, but it becomes even more effective when an integrated part of a comprehensive records management solution. Here are some reasons why organizations should consider having an information destruction policy.

  • To protect the personal information of its clients and employees
  • To comply with provincial and federal regulations to protect/destroy such information when it is discarded
  • To protect competition-sensitive information
  • To provide direction to all employees regarding acceptable methods for destroying discarded information in order to protect the organization, its clients, and its employees.
  • To ensure the organization understands that information security is everyone’s responsibility rather than that of a select few

Keys Components of an Information Destruction Policy and Best Practices

An information destruction policy has a number of key components including policy development/oversight, employee orientation & training, information destruction policy directory, information destruction procedures, qualification & selection of an approved service provider, and policy compliance. We will discuss each of these along with best practices for establishing each area.  We also provide expected time frames to develop each section and make suggestions regarding who to involve, based on a company of 50 people.

electronic file creation

Policy Development, Implementation, and Oversight – Establish accountability for each of the following areas of the information destruction policy: policy development, policy approval, orientation & training, contracting & purchasing, and compliance auditing review. Accountability helps develop a governance structure and reinforces ownership of specific areas to specific individuals.
Ensure that selected individuals are provided with a description of their role and an escalation matrix for when issues or cross-functional decisions may arise. Knowing what to do and who else can support them in their new role will make a lasting difference.
Expected Time: 2 weeks
Who to Involve:
 Information management leader (typically IT staff or someone with expertise in risk-management)

Employee Orientation and Training –  Provide baseline training on information security best practices as well as on-going training for employees. This includes simulations to demonstrate when to shred or dispose of sensitive information, or office challenges to ensure all desks are clear of sensitive information.
If your workplace has a learning and development coordinator, it is essential to have that individual be a part of the team for delivering content. Alternatively, a qualified consultant can also provide training in this field. It is important also to have employees recognize their responsibility.  Training and the signing of an acknowledgment document helps establish this trust and accountability.
Expected Time: 4 weeks
Who to Involve:
 Information management or enterprise learning coordinator

Information Destruction Procedures – The policy here identifies ways to destroy and dispose of different forms of information ranging from paper to electronic media. This section also provides an organization’s strongest evidence of due diligence, indicating to regulatory authorities that thought and planning is in place to safeguard personal information. Best practices here include partnering with a certified information disposal provider as centralization and economies of scale provide the most cost-effective solution. Having employees to test proposed measures is also a meaningful way of engaging employees to help with information security.
Expected Time: 24 weeks
Who to Involve:
 Operational staff, process developers, and technology support staff

Here is a video from NAID, an industry leader in standards and best practices on information destruction.

Blue-Pencil is a certified NAID service provider ensuring the best in class information disposal for clients across industries.

NAID-small-logo

Qualifications and Selection of an Approved Service Provider  Organize and establish the key qualities of an approved service provider and also expected outcomes. In a previous article, we detailed how to choose an information disposal provider and things to look for, including geographies of service and environmental stewardship qualities.  In this arena, identifying a service provider who can deliver a personal touch for your organization while having a big picture view into information management strategy is your best bet. Going beyond the minimum means having a partner who understands your industry will help you get the most out of the partnership.
Expected Time: 8 weeks
Who to Involve:
 Procurement coordinator/officer, process developer, and information management leader

Policy Compliance – Typically, significant analysis will be required here to understand the requirements of the regulatory authorities. We suggest you start here with an article on what PIPEDA compliance means to businesses. The fine balance here is to ensure there is representative in your organization corresponding to each regulatory requirement and application.  Organizations must find the balance between compliance and operational efficiency, as focusing on one over the other can be problematic. One approach would be to have an operational representative ensure realities of the business are reflected. This will provide for the development of informed procedures that will help meet requirements.
Expected Time: 24 weeks
Who to Involve:
 Regulatory advisor, operations leader, process developer

time frame of creating a policy for risk managementExpected Time Frames in Developing an Overall Policy

Developing the right information destruction policy takes time and requires cross-functional representation to be successful. This means that all departments from the organization need to be kept up-to-date and engaged for the policy to be effective. Typically, a small organization may take anywhere from 4-6 months to develop an information destruction policy, while larger public sectors find this process can take about a year or so to fully develop, including tendering processes for a service provider.

bullseye shotIndustry Implications for Information Destruction

There are a number of industry implications of information protection, and depending on what field your organization resides in (sometimes more than one), these are considerations that should be thought through when developing an information disposal policy.

Healthcare  Ensure personal health information release and use is fully audited to protect your organization against patient grievances. Disposal of personal information and personal health information need to be documented. To support proper diagnoses, clear guidelines must be provided to ensure the right information is available to healthcare staff for decision making and follow-up consultations.

Energy and Resources / Technology – Protection of intellectual property is a key competitive advantage. Ensuring that your intellectual assets are not exposed is just one of the main benefits of leveraging secure information destruction policy and procedures.

Consumer Products – Safe-guarding consumer confidence is a key focus for information destruction. Organizations should be aware of where consumer information, particularly contact or credit card details, are stored, transferred, and archived. These pools of information must be regularly purged or secured, placing information destruction as a key tool to be leveraged.

Public Sector –  Public sector servant are required to archive and retain information to support inquiries to establish public confidence in the responsible and ethical working of  any agency or crown commission. This means information destruction timing must be weighed very carefully. Public inquiries can cause long archived institutional records to be reactivated or restored, pointing to a need for centralized archiving.

For more information on our tailored solution for your industry, see here how Blue-Pencil can help you unlock the value of regulatory compliance and operational efficiency.

Blue-Pencil Helps Organizations Synergize Policy, Process, People, and Technology with Records Management to Deliver Value

Without a proven advisor, even the best strategies and technologies can remain disparate systems and organizations may remain at risk or suffer declining productivity. Our team focuses on helping companies ensure secure and effective records management across industries like government, healthcare, manufacturing, and small business.

NAID-small-logo

pipeda-compliance-info-destruction-1Expert advisor in strategic information management and proven hands-on experience
pipeda-compliance-info-destruction-1Ability to deliver compliance while managing organizational efficiency
pipeda-compliance-info-destruction-1Proven systems and methodology for managing information retention schedules
pipeda-compliance-info-destruction-1Training, resources, and support for your staff to become adept at information management
pipeda-compliance-info-destruction-1High standards in information destruction services with NAID AAA and Privacy+ certification

Sources:
http://info.aiim.org/how-to-achieve-best-practices-for-records-management

Records Management Services Guide