The SRA and Confidential Information
The SRA Handbook is a document devised by the regulator for solicitors and sets out the standards and requirements that it expects their members to achieve.
The Handbook contains a code of conduct that provides a practical guide for the regulated community to follow. This code of conduct is focused on outcomes and seeks to show how the 10 principles that underpin the Handbook apply in practice to the regulated community.
To data protection and information security professionals, Chapter 4 of the code of conduct is of particular interest. This chapter, titled Confidentiality and Disclosure, opens with a sentence that shows how important the regulatory body considers the protection of private information to be:
“Protection of confidential information is a fundamental feature of your relationship with clients.”
Two of the five outcomes that this chapter states the regulated community must achieve are:
“O(4.1): You keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents”
“O(4.5) You have effective systems and controls in place to enable you to identify risks to client confidentiality and mitigate those risks.”
The above two outcomes seem entirely logical and glaringly obvious, and many firms have robust systems in place to protect all manner of information whilst it is in use. We feel that when it comes to the disposal of information, however, the level of risk involved is perceived to have decreased because the confidential information is no longer required.
With the level of risk perceived to have decreased, some firms will look to dispose of old files via “paper recyclers” rather than a secure destruction service from data protection professionals. Those same firms will readily take up the offer of a “FREE Collection Service” for old PC equipment, rather than opting for a hard drive shredding or destruction service for these information-rich pieces of equipment.
We think that more attention needs to be paid to the risk involved at this stage of the lifecycle of confidential information, and so does the SRA Code of Conduct, which states as one of its Indicative Behaviours:
“IB(4.3) you only outsource services when you are satisfied that the provider has taken all appropriate steps to ensure clients’ confidential information will be protected”
In relation to the outsourcing of secure shredding services by regulated firms, we suggest that the steps involved should amount to more than a verbal assurance that the collected material will be physically destroyed. As a minimum, the firm should receive:
- Signed contract agreement for collection
- Method statement for the destruction procedure
- Written information destruction policy
- Signed confidentiality / non-disclosure agreement
- Signed destruction certificate
- Signed, dated and timed waste transfer note at the time of collection
- Offer to inspect the destruction facility
- Record of serial numbers destroyed (hard disks / WEEE)
- Confirmation of destruction to EN 15713 (the European standard for information destruction)
These minimum requirements provide clarity for both parties and ensure that the destruction process is carried out with the appropriate security measures in place. In addition to satisfying the Outcomes mentioned above, this level of documentation helps satisfy the seventh principle of the Data Protection Act 1998, which states that businesses must ensure:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
For complete compliance, it is essential that firms and practices have robust, secure, documented and auditable systems in place for the protection of data throughout the disposal cycle.
If you have any questions, or would like to discuss implementing a secure data protection system yourself, please do not hesitate to call us on 01388 448 160.
Have a great day.