By Angelique Carson, CIPP/US

You might call Ken Clupp a privacy professional by proxy. While he doesn’t draft privacy policies or model contracts, he’s certainly on the defensive line when it comes to protecting data. How does he protect it? He makes sure the important stuff is shredded into such tiny pieces it couldn’t ever be put back together again.

Clupp works for the Royal Canadian Mounted Police (RCMP) as its lead physical and technical security equipment evaluation engineer. Shorthand? He runs a shredder-testing program, amongst many other things. He’s tasked with ensuring that sensitive information stays safe, based on standards developed by the federal government.

“Canada is one of the few jurisdictions in the world that has a formal classifications and standards program for protecting sensitive information that’s not classified,” Clupp said. “It’s unique.”

Privacy wasn’t the initial purpose for Canada’s development of shredding standards. In fact, the standards—which live under the Treasury Board of Canada policy and are not legally enforceable—have existed for decades and grew out of Cold War concerns in the 1950s and ’60s that Canada’s adversaries would gain access to classified information. In the 1980s, when Clupp says privacy concerns began to grow, the government developed standards for storage, transport, transmittal and secure destruction of “Protected” (non-national interest) information. 

The federal government developed nomenclature in order to classify sensitive personal, private and business information into three “Protected” categories.

Protected A: Its compromise could result in “limited” injury.

Protected B: Its compromise could result in “grave injury” such as “loss of reputation or competitive advantage.”

And Protected C: Compromise of even a very limited amount could result in “exceptionally grave injury,” such as loss of life.

Based on those designations, data must be destroyed after its lifecycle to RCMP Security Shredding Standards ranging from 2mm x 15mm particles—for data classified Protected B, for example—to tiny 1mm x 14.3mm particles for data classified “Top Secret.” (See graph for details on dimensions.)

While data designations sometimes vary depending on the originator’s discretion, Clupp said privacy concerns are starting to codify things.

“This is of course where it sometimes creates a bit of a difficulty for us because we know there is some variability in perceived sensitivity,” Clupp said. “Some departments will assign some types of information more readily than others to a certain level. It depends on your appreciation for risk.”

Input from privacy pros—and legislation—on which level of sensitivity to give to the data is becoming the norm, Clupp said: “If I’m designing a database or a new form that is to be used by thousands and thousands of people, I would probably have the database’s designation reviewed by a privacy pro who would help me determine what level should be assigned to it.”

Clupp said lower levels of government and the private sector—banks, in particular—have tried at times to adopt the RCMP Information Destruction Equipment Evaluation program either as a whole or in bits and pieces. However, organizations are somewhat prevented from wholesale adoption of Canada’s shredding standards because most RCMP standards and approved equipment lists are restricted to departments and agencies of the federal government.

Clupp, who does quite a bit of official government consulting work, said that while it’s common for organizations to outsource destruction, he encourages in-house shredding as much as possible because it’s far more secure.

“My general guidance is that, where practical, you should immediately destroy all sensitive information in-house using an appropriate high-security, e.g., RCMP-approved, shredder to minimize handling,” Clupp said. “On the other hand, if you are routinely producing very large amounts of sensitive information, such as financial or medical information, then you may find it more practical to use a service provider.”

When destruction is outsourced, ensuring the data is handled properly is essential, Clupp said. A representative from the organization should always accompany the third-party shredder to watch that the material collected goes into the shredder.

“Outsourcing is an area where information can easily be compromised,” Clupp said. “And it’s important to realize that a basic security check, a criminal record check, does not normally suffice … because organized crime has seen it as a way to get information, and they’ve been known to plant people. If you give people an opportunity to do something bad, sooner or later some of them will.”

That type of compromise is rare in Canada, however, Clupp said, adding that in the majority of cases where sensitive information is compromised, it is due to employees intentionally or unintentionally not following departmental security procedures.
