Privacy Advisor

He Protects the Data ... By Destroying It

September 20, 2013

By Angelique Carson, CIPP/US

You might call Ken Clupp a privacy professional by proxy. While he doesn’t draft privacy policies or model contracts, he’s certainly on the defensive line when it comes to protecting data. How does he protect it? He makes sure the important stuff is shredded into such tiny pieces it couldn’t ever be put back together again.

Clupp works for the Royal Canadian Mounted Police (RCMP) as its lead physical and technical security equipment evaluation engineer. Shorthand? He runs a shredder-testing program, amongst many other things. He’s tasked with ensuring that sensitive information stays safe, based on standards developed by the federal government.

“Canada is one of the few jurisdictions in the world that has a formal classifications and standards program for protecting sensitive information that’s not classified,” Clupp said. “It’s unique.”

If you give people an opportunity to do something bad, sooner or later some of them will.
—Ken Clupp, Royal Canadian Mounted Police

Privacy wasn’t the initial purpose for Canada’s development of shredding standards. In fact, the standards—which live under the Treasury Board of Canada policy and are not legally enforceable—have existed for decades and grew out of Cold War concerns in the 1950s and ’60s that Canada’s adversaries would gain access to classified information. In the 1980s, when Clupp says privacy concerns began to grow, the government developed standards for storage, transport, transmittal and secure destruction of “Protected” (non-national interest) information. 

The federal government developed nomenclature in order to classify sensitive personal, private and business information into three “Protected” categories.

Protected A: Its compromise could result in “limited” injury.

Protected B: Its compromise could result in “grave injury” such as “loss of reputation or competitive advantage.”

And Protected C: Compromise of even a very limited amount could result in “exceptionally grave injury,” such as loss of life.

Based on those designations, data must be destroyed after its lifecycle to RCMP Security Shredding Standards ranging from 2mm x 15mm particles—for data classified Protected B, for example—to tiny 1mm x 14.3mm particles for data classified “Top Secret.” (See graph for details on dimensions.)

While data designations sometimes vary depending on the originator’s discretion, Clupp said privacy concerns are starting to codify things.

“This is of course where it sometimes creates a bit of a difficulty for us because we know there is some variability in perceived sensitivity,” Clupp said. “Some departments will assign some types of information more readily than others to a certain level. It depends on your appreciation for risk.”

Input from privacy pros—and legislation—on which level of sensitivity to give to the data is becoming the norm, Clupp said: “If I’m designing a database or a new form that is to be used by thousands and thousands of people, I would probably have the database’s designation reviewed by a privacy pro who would help me determine what level should be assigned to it.”

Clupp said lower government and the private sector—banks, in particular—have tried at times to adopt the RCMP Information Destruction Equipment Evaluation program either as a whole or in bits and pieces. However, organizations are somewhat prevented from wholesale adoption of Canada’s shredding standards because most RCMP standards and approved equipment lists are restricted to departments and agencies of the federal government.

Clupp, who does quite a bit of official government consulting work, said that while it’s common for organizations to outsource destruction, he encourages in-house shredding as much as possible because it’s far more secure.

“My general guidance is that, where practical, you should immediately destroy all sensitive information in-house using an appropriate high-security, e.g., RCMP-approved, shredder to minimize handling,” Clupp said. “On the other hand, if you are routinely producing very large amounts of sensitive information, such as financial or medical information, then you may find it more practical to use a service provider.”

If outsourcing, ensuring the data is handled properly is essential, Clupp said. A representative from the organization should always accompany the third-party shredder to watch that the material collected goes into the shredder. 

“Outsourcing is an area where information can easily be compromised,” Clupp said. “And it’s important to realize that a basic security check, a criminal record check, does not normally suffice … because organized crime has seen it as a way to get information, and they’ve been known to plant people. If you give people an opportunity to do something bad, sooner or later some of them will.”

That type of compromise is rare in Canada, however, Clupp said, adding that the majority of the time sensitive information is compromised, it is due to employees intentionally or unintentionally not following departmental security procedures.

Read More by Angelique Carson:
How Should Your Firm Respond to the NSA Fallout?
Survey: Users More Afraid of Peers than Gov’t When It Comes to Data Access
Consumers: Forget Screen Size, Cameras; Sell Us Privacy
PCLOB Finds a Director, Looks Toward Action