
What are you waiting for, go get audited!

These days it’s very rare that you get offered something for nothing. It’s exceptionally rare for a business to be offered a free service which could save it hundreds of thousands of pounds. So why, then, has the take-up of a free data protection audit from the ICO (Information Commissioner’s Office) been so poor in the private sector?

From 2010, small businesses across the UK can be fined up to £500,000 in the event of a data security breach. The ICO previously only had the power to levy a fine of £5,000 on companies and individuals for serious breaches of the Data Protection Act, but these new measures are expected to act as an effective deterrent and improve data security within the UK economy.

In 2009, 41% of companies in the UK reported severe breaches in data security. These breaches can come from internal sources or from external attack. In 2010, 7Safe, an information security and forensic computing consultancy company, said that this figure had increased to 66%. According to the research, 80% of attacks on data came from sources external to the organisation, while 18% came from business partners. It seems that businesses are simply not seeing how serious it is to fail to manage their company documents effectively, with stringent data security policies and comprehensive training of their employees in compliant records management practices. It might sound really petty, but holding onto data too long, disposing of it too soon or failing to provide documented evidence of its disposal are all reasons you could be fined. Under this new legislation even CDs, DVDs and hard drives are covered. “Well, I’ll just hold on to everything – just to be safe”, I hear you say. Well, actually, no, this too can be a breach. Simply holding onto everything as a safeguard will not work and can easily result in you being fined.

You might also think that a fine of £500,000 is only reserved for the large organisations. Again, you would be wrong. Companies of any size can be fined, and some already have been (the ICO’s annual report includes some very good case studies). However, it is the small businesses which seem not to place enough importance on records management, which causes them to fall foul of the Data Protection Act. Invoices, company reports, payroll, HR and customer lists are all highly confidential and need to be stored, managed and destroyed securely and professionally. Educating your employees to recognise these different types of company documents and how to manage them will help prevent leaks of this kind occurring.

When you consider that since last April the maximum fine for serious breaches of the Data Security Act was raised to £500,000, you would have thought that any review or advice, especially free, would have been snapped up by companies large and small. However, according to the ICO’s annual report, only 19% of businesses in the private sector accepted their offer, while 71% of organisations from the public sector rose to the challenge.

So why the reluctance to agree to an audit? ICO audits, or ‘good practice audits’, are designed to help organisations meet their data protection obligations through sharing good practice and making helpful and practical recommendations. The ICO say that consensual audits are seen as key in proactively working with data controllers to help and educate organisations to meet their data protection obligations. Among those organisations who agreed to an audit, 92% of the recommendations which were suggested were acted upon, which for the organisation and the sensitive data they manage can only be a positive move in the right direction.


Welcome to the World of ARchive Services

How important is the safe keeping of paper and electronic records to businesses these days?  And as a consumer, how important is it to you that a company looks after your personal information to a high standard?

I’m guessing (and hoping) that most of you will view both of the above questions with considerable importance. Breaches in Data Protection are big news, so why is it, then, that I have seen companies across all manner of industries perform abysmally and sometimes illegally when managing our information?

The answers are rarely simple but through my ARchive Services blog I will attempt to enlighten and amuse you on what we, a professional Records Management company, have seen and heard in the pursuit of blissful Records Management compliance.

We’ve got plenty of storage space onsite!

This was a comment from the owner of a thriving business. The staff working there had a different view of things and invited me to see for myself. I walked into their office and immediately saw a pyramid of cheap stationery boxes collapsing into one another against the back wall. This was in full view of any client that walked through the front door, causing headaches (and eyesores!) to the Office Manager. I was told that there was no order to these boxes and they had no way of knowing where any particular file was.

After it was explained that the owner of the business was happy with the current situation because it wasn’t costing them anything (methinks it has cost them several prospective clients who have quickly exited the building after seeing how they ‘look after’ their files), I was given a tour around the other rooms of the building to see the remainder of their archive. I found files tucked away with the electric meter, boxes in cupboards that were being used for other purposes and, to take the biscuit so to speak, a few boxes were even in the kitchen sink. It was at this point that I realised why I hadn’t been offered a cup of coffee!

All’s well that ends well: the office staff managed to persuade the owner to use our services and are safe in the knowledge that all files and boxes are now traceable by barcode.

The Verdict


The above is only one example and, humour aside, it is genuinely worrying just how many organisations fail to properly look after your personal information. It seems that an efficient and secure method of filing is not built into the company structure and is often only addressed in response to disaster.

As mentioned earlier, this trend doesn’t discriminate against industry. I’ve come across poor archiving in Education, Legal, Medical and Finance and, if I were to name names, I’m sure you’d be shocked. I won’t of course, but the next time you give your personal information to a company, perhaps you’ll ask them exactly how they look after their archive... I would!
