Small and mid-sized businesses rely on The Self-Service Shredder to help assure compliance with HIPAA and FACTA document destruction requirements. Based in Colorado Springs, the woman-owned and -operated company offers The Self-Service Shredder with multiple options, and through purchase and lease plans. Operation: Data Destruction Simon Stammers, sales director at document capture company and authorised AnyDoc reseller Formscan, said that while the law laid down strict rules for businesses on how long they should store certain information, there were only guidelines for disposing of data. "This policy has to be driven by the board of directors and it is down to an organisation to develop its own policy for this," he said. HM Revenue and Customs (HMRC) requires all businesses to keep invoices and records of commercial transaction for seven years, but no recommendations have been given for other records, such as HR documents or pensions information. The lack of retention guidance also leaves businesses at risk of hanging onto time-expired data for fear of deleting it too early. Stammers said that the Data Protection Act was unclear about whether data should be destroyed or not, advising businesses to satisfy the regulator but also take the approach that was commercially right for each set of documents. Security of personal information - a guide for SMEs In the last 12 months a number of high profile breaches of data security have been reported. For example, documents from government departments and financial institutions have been found dumped in public places, nine NHS trusts have admitted losing patient records covering hundreds of thousands of adults and numerous laptop computers containing personal information have been stolen or left in public places. One of the most high profile public sector breaches of data security was committed by HMRC who lost child benefit data containing the names, addresses, dates of birth, national insurance numbers and where relevant bank details of 25 million people. The missing discs have never been found. These data security lapses are not restricted to the public sector. HSBC admitted losing a disc with the details of 370,000 customers and although the data was password protected it had not been encrypted. paper shredding machines