Yesterday a news story broke here in Ireland, where it was reported that paper records relating to patients of a public hospital, north of Dublin, were found on the side of the road.
Every now and again these types of stories come to light, and inevitably they are front page on the national media.
The health sector is very paper heavy. Anyone visiting a public hospital in the UK and Ireland can easily vouch for this: piles of paper records are found, often stacked in a corner of a waiting room, or even a ward.
Personally, I always find this approach unsettling, with sensitive personal data left unsecured, and in many cases unneeded, lying in a public location for anyone to remove from the building.
As a reminder about current legislation, the loss of a single record of sensitive personal data involves a mandatory report to the relevant Data Protection Commissioner/Regulator.
There are many points which we can raise around security of the data, but in this article the primary takeaway point is the need to ensure that appropriately defined data destruction policies are in place and in practice.
Once data passes its required date, all organisations should put in place appropriate destruction procedures.
For manual data this involves shredding. This activity should be regular and, where possible, onsite. We are certainly aware of circumstances where manual records were removed for destruction, but ended up falling from a truck onto the side of a road.
Putting in place a process whereby manual records can be removed safely, and appropriately shredded, onsite, whether through the use of a cross-cut shredder, or the professional services of a third party, is vital. This is particularly important where the organisation is paper heavy.
Ensuring your organisation is set up to regularly and efficiently destroy paper records will go a long way in mitigating the possibility that you end up in the same unfortunate position in which a public hospital in Ireland found itself this week.