Having a sensitive information destruction policy and procedure manual can help organizations remain competitive, safeguard stakeholder information, and avoid extended inquiries or penalties from regulatory agencies, all of which can be harmful to an organization. Our team at Blue-Pencil continues to help clients stay ahead of pitfalls in working with sensitive information. Click here for an assessment of your organization’s document security level. This article covers how to determine whether your organization requires a policy for information destruction, followed by details on what a policy or manual is and steps for creating it.
Here are a number of questions to ask in order to determine whether your company will need an information destruction policy. The focus of these questions is to help organizations identify their need for a policy before harmful results are encountered due to inappropriate or ineffective procedures in dealing with sensitive information.
1- Is it clear to all employees what is considered to be sensitive information by your organization ?
If you answered “NO,” it is recommended you create a sensitive information destruction policy. If your organization cannot ensure that all employees are aware of what is sensitive information and procedures for handling it there is a risk of exposing confidential information to competitors, harming your clients and stakeholders.
2- Is it clear who is responsible for understanding regulatory requirements for information disposal and managing compliance?
If you answered “NO,” it is likely your organization is exposed to risks in working with sensitive information. Without clear accountability and a champion in your organization to help manage regulatory compliance, there is a significant risk of your organization incurring penalties or legal sanctions. Having a policy and manual in place helps provide guidance on the roles and responsibilities of staff in helping an organization operate in compliance with regulatory requirements. See here for more information on sensitive information management for businesses and organizations.
Residential and commercial clients continue to make Blue-Pencil their go to providers in information destruction. Here is what a recent customer has to say about Blue-Pencil:
Our company has utilized Blue-Pencil for the past 6 years for their secure shredding service. They are efficient, reliable and their teams from head office along with the service technicians are highly professional & a pleasure to communicate with. We would without hesitation, recommend their services, they will not disappoint. – Caroline
See here for more reviews.
3- Is it uncertain when and how sensitive information should be disposed of?
If you answered “YES,” it is likely your organization is retaining sensitive information that is no longer required. Knowing when and where information should be destroyed aids is the first step in the disposal of sensitive content. Without an up to date policy and manual, sensitive information may be inadvertently available to unauthorized viewers, impacting the credibility and well-being of stakeholders (i.e. client billing details).
4- Are there contingencies in place for sensitive information breaches or leaks?
If you answered “NO,” when risks become issues, an organization can be proactive in limiting damages incurred. No organization plans to divulge sensitive content to unauthorized parties. An extended information disposal policy can also provide measures in managing the fallout of information leaks and breaches, limiting damages and costs incurred.
5- Is your organization confident in its information disposal service provider or processes?
If you answered “NO,” disposing of information without a secure process or service provider can still leave your organization at risk. Having your process and organization certified, or contracting a service provider can mean the difference between wasted work in disposal versus an effective safeguard for managing information. A policy helps define and ensure the effectiveness of disposal processes conducted by an organization or its service provider .
A Sensitive Information Destruction Policy seeks to support an organization in accomplishing the following:
- Protecting the personal information of its stakeholders and staff
- Complying with provincial and federal regulations to protect/destroy such information when discarded
- Protecting competition-sensitive information
- Providing direction to staff regarding acceptable methods for destroying discarded information
A Sensitive Information Procedure Manual helps provide processes, guidelines, and expected outcomes for enacting and applying the material put forth by the Sensitive Information Destruction Policy.
If an organization is uncertain of an information asset’s sensitivity profile it is recommended that it be disposed of. Organizations often underestimate the number of documents that can pose a risk, due to limited awareness of the sensitivity of the content. An organization, in reality, produces sensitive information from all of its departments, despite conventional knowledge pointing to HR and Marketing departments as the top areas to be safeguarded. Here is an excerpt from a fact sheet published by Blue-Pencil on recommended documents for shredding:
- Employee appraisals
- Training information
- Customer and vendor contracts
- Demand and planning reports
- Executive communication and strategies
It is recommended that organizations take a proactive approach in disposing of sensitive information. The best approach would be to shred all documentation in which the use and sensitivity exposure level is not clearly understood.
What are Steps to Creating a Sensitive Information Destruction Policy & Manual?
An organization must be aware that safeguarding sensitive information is not a one-time exercise but a process that involves all staff members. These steps can help an organization begin its process of moving forward as a proactive and risk-mitigated entity.
- Outcomes – Identify objectives of the Policy & Manual
- Accountability – Assign an individual(s) who will be accountable for evolving and enacting the Policy & Manual
- Requirements – Determine requirements that must be in place for information disposal from stakeholders (regulatory, executive staff, clients, and service providers)
- Master List – Define a master list of sensitive information assets
- Process – Establish processes to ensure secure handling and disposal of sensitive information
- Metrics – Determine metrics to quantify effectiveness of the policy and manual
- Timing & Execution – Establish timing of audits, execution of processes, and revisions to the policy and procedures manual
- Refine – Review and revise the policy to ensure safeguards for technological and regulatory changes
- Contingency Plan– As an appendix, resolve to establish procedures and a communication matrix for incidents involving sensitive information
The time it takes to create and maintain a Policy and Manual will differ for each organization. Typically a Policy and Manual may be created within 4-6 weeks (based on dedicated resources available for a small business). Operation and review of the policy will require a part-time contribution from a team member responsible for information management having regular contact with various departments that participate in the information destruction policy. If you are interested in creating a Sensitive Information Destruction Policy , see here for a template to get started immediately.
Blue-Pencil offers market leading know-how in information destruction and helping your organization in mitigating risks with handling sensitive information. Our team works with clients across industries and has practical insights into how regulatory requirements compliance can support, rather than impede your organization. See here to request a free consultation with our team.
Blue-Pencil is an information security company that has been serving the needs of clients in Canada since 2004. We have grown our document security business over the past 10 years, serving more than 6,000 organizations including small and medium-sized companies as well as Fortune 500 businesses. We have recently launched two new divisions; Documents Storage and Records Management division and Document Imaging and Scanning Solutions division. This allows us to offer full circle, comprehensive solutions for information security management. We service the GTA and surrounding cities – click here for a full list of our service areas. If you’d like to learn more about us and what we can do for you contact us today!