It's Not Whether You Shred But How You Shred: Prudent Policies and Practices

Debunking the Myth That Shredding is Bad

Document shredding has recently gone from operational obscurity to headline news. Unfortunately, the sound-bite nature of the media has left many with the impression that shredding is bad. Shredding the right documents, at the right time, and in the appropriate manner is not only an appropriate business practice, in some cases it is required by law.

Build the Foundation

Record destruction policies and practices should be an inherent element of your organization's overall retention program and should cover both active and archival materials. These policies should be set at the corporate - not department - level and be reviewed by legal and compliance professionals. The implementation of these policies should be treated as a consistent process, not an event. The policies will need to keep pace with organization growth and regulatory changes. Furthermore, they need to be consistently and continually supported and enforced throughout the organization.

The Right Documents

The first step to building a record shredding policy is to identify what records your company has and which of those should be classified as confidential. There are two broad categories of confidentiality: personal and corporate.

Confidential personal records include any records that contain personally identifiable information about individual customers or employees and includes such data as social security numbers, dates of birth, bank account information, PINs, passwords, drug prescription information, mothers' maiden names, etc. Any records that contain personal information should be classified as confidential and shredded to protect individuals' privacy and to protect your company from liability.

Confidential corporate records contain trade secrets or competitive information such as pricing strategies, formulas or engineering schematics, intellectual property, or customer lists, for example. Records that contain company-confidential information should be shredded to protect your company's competitive advantage.

While many company documents may be recycled or simply thrown out, all documents that are classified as confidential should be shredded.

The Right Time

Once your records are classified (confidential or non-confidential), you should assign appropriate retention periods according to your company's approved retention schedule. Retention should be applied consistently and, in some cases, the retention period is mandated by regulation. Keeping records too long increases costs and liability. In addition, destroying records too soon can violate retention requirements.

It is critical to know the right time to suspend the shredding process. You have an obligation to stop routine shredding of documents not only upon notification of litigation or pending audit but when you know that such action is on the horizon.

The Appropriate Manner

Confidential documents cannot simply be thrown away or recycled. They should be securely shredded on a timely basis. While the personal under-the-desk shredder has become an increasingly common office appliance, it does not address the security issue. Because these shredders only accept a few pages at a time, busy employees tend to let the piles of to-be-shredded documents accumulate. In some cases, if the piles become cumbersome, they may even end up just throwing the confidential documents in the trash. Another common solution is to establish an in-house shredding center. The problem with this method is that employees handle all of the company's confidential records. This allows other employees to peek into the private lives of their co-workers, or to leak corporate information. An alternative solution, that sufficiently addresses all of the requirements, is to engage a shredding company - a third party with no vested interest in your information - that shreds documents on a pre-determined schedule with industrial-grade shredders.

The Outsourcing Solution

It is not enough, however, to identify confidential documents, implement a retention schedule and hire a shredding company. Your company's shredding processes should be followed consistently and constantly. It only takes one employee to break the chain and put your company's, employees' or customers' confidential information at risk. Educating employees on the policies, enforcing implementation of the process, and auditing for compliance are some of the ways your company can support a successful program. Ensuring that your shredding company offers complete chain-of-custody security is also important. This means that your confidential documents are protected on your premises in locked destruction bins, in transit in secure vehicles, and in the destruction facility.

Conclusion

Document shredding is an important business function that protects customer and employee privacy as well as corporate security. A well-developed shredding program identifies the confidential documents that need to be destroyed, applies a retention schedule that determines when they should be shredded, and develops a well-supported, secure, shredding program.