It's all very well to keep digital backups secure, but are your paper files exposed when no longer actively required? Here's a quick checklist to help you find out if you're exposed to archive storage risks:
Policy & procedures
- Do you have a document retention policy that spells out how long documents should be retained?
- Do you have documented procedures in each department for archiving of documents not actively required?
- Do you have a documented process in place for selecting files for disposal at the end of their life?
- Is there a process in place for verifying compliance?
- Are the policies and procedures regularly communicated?
- Has a risk assessment been carried out, and subjected to regular review?
- Are records kept of retained documents?
- Would it be easy to locate a document if required to do so, for example to fulfil an operational requirement, Data Protection Act subject access request, or legal order?
- Is it clear who is responsible for documents and for maintaining records?
- Is the archive in a suitable location, not accessible or visible to the public?
- Is access demonstrably restricted to current staff?
- Is access monitored to ensure documents are deposited - do you review access records for unusual trends, for example if one department deposits fewer files than expected?
- Are document retrievals logged to record who has obtained them?
- Are retrieved documents checked to see whether they are still in use or should be returned to the archive?
- Are staff involved in the archiving and storage process trained and vetted?
- If off-site, are documents transported to and from the facility in a secure manner, and are records kept of transfers?
- Do you outsource archive storage? If so:
  - Is there a written contract, and is it current?
  - Has a due diligence exercise been carried out and references or accreditations verified?
  - Does it impose a strong duty of confidentiality, with appropriate penalties?
  - Does it state the security provisions the contractor must have in place?
  - Are procedures and authorisations agreed and documented for document retrieval?
  - Has a site visit been carried out to validate procedures and controls?
End of life disposal
Eventually you will want to dispose of archived documents. Are you exposed to any of the risks of document disposal identified in this article, "Why secure data disposal isn't always secure - and what you can do about it"?