Shredding Case Studies

The partner in a medical practice had seen a story on A Current Affair where they were chasing around the owners of a medical practice who had misplaced patient files. He didn’t want this to happen to his business.

He had seen the compacter truck arrive at his Practice and he had presumed that all the confidential documents and patient files were being destroyed immediately. He asked the driver what happens to the documents. He was surprised to learn that the documents weren’t destroyed on pick up but just compacted into the truck. They were then taken to a recycling centre to be sorted by hand into various grades e.g. white paper, coloured paper, plastic and steel removed etc., before being shredded. The company does this to maximise the sale prices of the shredded paper to paper mills.

This business now uses the Shred On Site mobile destruction service where all confidential documents (and staples, paper clips, paper fasteners, bulldog clips, spiral bound notebooks, hard back diaries, manila folders, lateral files etc.) are destroyed at the time of pick up.

An accounting firm had invested in a large shredding machine but the documents that needed to be shredded were always piling up next to the shredder; everyone was too busy to put the documents through themselves. Every now and again when the pile got too big someone would tell one of the junior administration staff members to take out all the staples, paper clips, remove the plastic etc. and start shredding. One of the partners noticed how this person was reading through the documents while waiting for each lot to be shredded. When that person went to answer the phone he checked out the documents being enthusiastically read and found they were the salaries of all staff members and notes from the recent performance reviews of all staff members.

This business owner came into work one morning and saw that the recycling bin had been knocked over in the back lane over the weekend. There were papers blowing down the street and lying in the water in the gutter. As he got closer he realised that all the documents belonged to his business.

His bookkeeper, who was doing the right thing and recycling old documents from his business, had put all the company’s old bank statements, tax returns and other financial information (e.g. profit and loss and balance sheet reports) in the recycling bin. The owner spent the next half an hour going down the street picking them all up.

He ordered a locked security bin from Shred On Site knowing it would stay inside the business until pick up when they would then be shredded on site giving him greater peace of mind.

A builder received a call from a Federal Government Department who was contacting all builders that had been involved in a recent tender for a project where security was vital. The person calling wanted to know what the company did with the building plans after they submitted their tender.

“We put them in the recycling bin of course, we try and recycle everything.”

The real reason behind the call was that they were trying to work out how children at the local kindergarten managed to get hold of such important plans to be practising their colouring in.
The builder has now implemented a ‘Shred-all’ policy for all documents and plans for every future tender. Three security bins are now set up around the business and shredding occurs on site every two weeks; then the paper is recycled.

A small marketing company has used the new Privacy Act to keep its large contracts and win some new ones. The company has turnover of less than $3m and is not considered an APP Entity under the new Privacy Act.

However many of their clients are APP Entities and have written new Privacy Policies. One of the important points all APP Entities need to consider is that they are responsible for personal information from creation to destruction. Each App Entity must do their due diligence on every supplier to ensure that any information they pass on to them is protected whether electronic or in paper form (e.g. print outs of reports or emails).

This company has set up a ‘shred-all’ policy and now have a Shred On Site security bin with a set monthly shredding program. They have also written a Privacy Policy to meet the standards of the Privacy Act and promoted this back to all existing clients and well as including it as a selling point in all new proposals. What they are saying to clients is ‘your information is safe with us!’

More and more even smaller businesses, even though they are not APP Entities, are expected to also comply with relevant parts of the Privacy Act. If they don’t, then the larger companies that do have to comply won’t deal with them because they are a potential risk.

In 2009, the Privacy Commissioner investigated a private medical centre following reports that a number of medical documents, including patients’ prescriptions and pathology results, were found scattered in a public park adjacent to the centre. The name of the centre was visible on some of the documents as were patients’ names, addresses and phone numbers.
The medical centre informed the Commissioner that a lock on a medical waste bin, kept outside at the rear of the centre, had been tampered with and the contents of the bin thrown around an adjacent public park.

Having regard to the sensitivity of the information held by the medical centre, the Commissioner and the centre devised a number of steps that the centre could take to ensure that information was kept securely:

• The medical centre sought council approval to have secure fencing installed around the premises to reduce the risk of break-ins and vandalism
• It moved the secure medical waste bin inside the secured premises so that it could not be tampered with
• The bin was fitted with a new secure lock to which the medical centre manager held the key.

The medical centre developed policies and procedures for the secure destruction of personal information and trained medical and administrative staff in the proper destruction of both medical waste and medical documents.

The medical centre instructed its staff that medical documentation was not to be left with general medical waste for collection.

The centre obtained a shredder so that medical documents that were no longer needed could be securely destroyed on site.

(Case Study from the Guide to Information Security on the Office of The Australian Information Commissioner – April 2013).