When it comes time to get rid of old files, whether in electronic or paper format, there are several things to consider to ensure sensitive information does not get into the wrong hands.
First, you need to have a good understanding of what your sensitive information is, whether it is personal customer information, non-public financial information, company competitive information or the like. All sensitive information within your organization should be identified and labeled, if possible. Employees should always be aware when they are handling sensitive information.
Next, you should periodically go through your sensitive information and determine a schedule for destroying it when it is no longer needed. Some information, such as email, may have shorter retention periods, while other information, such as customer account records, may need to be kept much longer. It is up to each organization to determine a schedule based on its unique needs.
Finally, take the following precautions into consideration when destroying data:
- Delete sensitive information based on the retention schedule — wherever it is, and in any format, electronic as well as physical.
- All company data should be removed from computer hard drives and mobile devices. When you delete a file, it’s no longer immediately accessible, but the information can still be recovered.
- Hard drives should be wiped by approved electronic means to ensure that no information can be recovered. This allows them to be re-used or recycled outside of the company.
- Hard drives, CDs/DVDs, and memory devices should be physically destroyed if they will no longer be used. Physical destruction ensures that outside access to your sensitive information cannot occur.
- Paper documents should be shredded or placed in secure bins for destruction by an outside service. Sensitive documents should never be left unattended or disposed of with regular trash, where they can be discovered.