

Monday June 5, 2017

Customer Misconception: No Need for Written Information Destruction Procedures

Selling Information Disposition by the Book (vol. 8)

By Bob Johnson

There is a good reason Chapter 7: Information Disposition Policies and Procedures is dedicated strictly to advising data controllers on how to create their internal operating manual for destroying obsolete media and information. That reason: it’s required by law that they have them.
That point is first emphasized on page 14 of Chapter 1: Data Protection Regulations, where it states:
Written Procedures and Employee Training 
HIPAA, GLB, and FACTA require an organization to have written information protection policies and procedures. Again, it is easy to understand the logic. Not only are such written procedures necessary to demonstrate internal operational accountability, without them employee training and guidance is non-existent from a regulatory standpoint. It is clearly unreasonable to represent to authorities that an organization can provide a reasonable level of direction to employees without written procedures.
In fact, the absence of adequate written policies and employee training are the two most frequently cited reasons for regulatory penalties associated with data security violations. On the other hand, having and implementing such written procedures insulates an organization from the worst consequences of a violation. 
And, while the book includes the actual regulatory language specifying the legal requirement to have written policies and procedures, it also provides examples of what can happen if there is a breach and such written policies are not available. 
The following can be found on page 137 of Chapter 7: Information Disposition Policies and Procedures:
The following excerpt is taken from the press release by the Massachusetts Attorney General in May of 2012, announcing a $750,000 settlement stemming from the improper disposal of protected health information. 
“The allegations against South Shore Hospital in the lawsuit are based on both federal and state law violations, including failing to implement appropriate safeguards, policies, and procedures to protect consumers’ information, failing to have a Business Associate Agreement in place with Archive Data, and failing to properly train its workforce with respect to health data privacy.” 
….phrases like “failing to implement appropriate safeguards, policies, and procedures” and “failing to properly train its workforce” are among the most commonly cited when regulators announce settlements and sanctions related to data protection violations. 
The book establishes beyond any reasonable argument that written policies and procedures are required, that they are easy to create (especially with the help of the book), and that not having such procedures documented results in the highest fines, whereas having them (along with training) practically insulates the data controller from suffering a violation or being found negligent.
