Your responsibilities

One data breach incident provided an example of how your responsibility to protect personal information in your care remains a duty until you securely dispose of that information.

All employers receive applications for jobs. When these were on paper, the task of getting rid of the ones that you did not want was obvious. The pile of paper sat there as a constant reminder. With the move to digital files, that prompt to action is no longer so obvious, so applications can easily be kept for longer than you intend. And that can lead to other problems.

A health organisation gave a zipped folder of files to a contractor. When the contractor opened the folder, they found a sub-folder of three-year-old job applications. As these were not relevant to the task, the contractor deleted that sub-folder and notified the agency.

The organisation realised the sub-folder of job applications had been included because it was misnamed. Giving your documents clear, meaningful and distinct names will help you spot inconsistencies and gives you a chance to catch and correct.

The organisation also realised they had kept these job applications for three years despite their policy of disposing of unsuccessful applications after one year. They searched for any other old job applications and deleted those they found; and reviewed their practices to ensure that they would adhere to their policy in future.

Securely disposing of personal information that you no longer require is the most effective method of ensuring that information is not misused or exposed in a breach. This benefits not just the individuals whose information you hold, but also your agency, by minimising the size of any breach that may occur (and therefore the costs of responding to the breach). It also avoids the question that will otherwise be asked of why you still retained the information.