Sensitive Information Paper Document Disposal
Sensitive information is defined in UH Policy E2.214 and includes information like social security number, student records, health information, personal financial information, drivers license numbers, etc. If sensitive UH information is disclosed it may be classified as a breach and require legal action. Breaches cause possible harm to the affected individuals, UH reputation, and legal fees and fines.
The major focus of document disposal is related to digital information disposal such as hard drives, flash drives, CD's, and digital files. However, paper documents with sensitive information tossed in the trash can be retrieved by a dumpster diver and is legal if the dumpster is in a public place. Dumpster diving is the act of sifting through a persons or businesses trash looking for discarded items that can be reused. Dumpster diving does not sound like a desirable activity, but it is a highly effective way for attackers to gather sensitive information that can be used by the attacker for monetary gain.
Dumpster diving is only one example of exposing sensitive informaiton that has been discarded. Sensitive papers left out in the open can be seen and retrieved by attackers. Papers may accidentally be left in a public place, fly out of a vehicle, or be used as scratch paper. In all of these examples you are putting your personal information or your business information at risk.
So what should you do? First of all, limiting and reducing the amount of sensitive information printed will reduce the risk of accidental disclosure. Secondly, documents with sensitive information should be stored in a secure area and accessible by only those with a need to view the information. Documents should be stored in a locked file cabinet, locked storage room, or other secure area. Finally, when it comes time to dispose of the documents they should be shredded prior to disposal. The best method for shredding sensitive information is using a cross-cut shredder that shreds the paper small enough so the data can not be reconstructed. Using a strip-cut shredder is not secure if someone wants to reconstruct the information. For an example of how strip cut documents can be reconstructed see the article on Back Together Again.