Customer Misconception: No Need for Written Information Destruction Procedures – Selling Information Disposition by the Book (vol. 8)

June 5, 2017

By Bob Johnson
There is a good reason Chapter 7: Information Disposition Policies and Procedures is dedicated strictly to advising data controllers on how to create their internal operating manual for destroying obsolete media and information. That reason: it’s required by law that they have them.

That point is first emphasized on page 14 of Chapter 1: Data Protection Regulations, where it states:

Written Procedures and Employee Training 

HIPAA, GLB, and FACTA require an organization to have written information protection policies and procedures. Again, it is easy to understand the logic. Not only are such written procedures necessary to demonstrate internal operational accountability, without them employee training and guidance is non-existent from a regulatory standpoint. It is clearly unreasonable to represent to authorities that an organization can provide a reasonable level of direction to employees without written procedures.

In fact, the absence of adequate written policies and employee training are the two most frequently cited reasons for regulatory penalties associated with data security violations. On the other hand, having and implementing such written procedures insulates an organization from the worst consequences of a violation.

And, while the book includes the actual regulatory language specifying the legal requirement to have written policies and procedures, it also provides examples of what can happen if there is a breach and such written policies are not available.

The following can be found on page 137 of Chapter 7: Information Disposition Policies and Procedures:

The following excerpt is taken from the press release by the Massachusetts Attorney General in May of 2012, announcing a $750,000 settlement stemming from the improper disposal of protected health information.

“The allegations against South Shore Hospital in the lawsuit are based on both federal and state law violations, including failing to implement appropriate safeguards, policies, and procedures to protect consumers’ information, failing to have a Business Associate Agreement in place with Archive Data, and failing to properly train its workforce with respect to health data privacy.”

….phrases like “failing to implement appropriate safeguards, policies, and procedures” and “failing to properly train its workforce” are among the most commonly cited when regulators announce settlements and sanctions related to data protection violations.

The book establishes beyond any reasonable argument that written policies and procedures are required, that they are easy to create (especially with the help of the book), and that not having such procedures documented results in the highest fines, whereas having them (along with training) practically insulates the data controller from suffering a violation or being found negligent.