BOLI: Plan to shred sensitive information

BOLI: Plan to shred sensitive information

By the Oregon Bureau of Labor & Industries
6/7/2005 – QUESTION: I know about those “Dumpster divers” who go into your trash and steal personal information such as phone numbers, e-mail addresses, etc. For that reason, we do our best to obliterate any such personal information about our employees before we dispose of the documents in the trash or recycling bin. But I’ve heard that there’s a new law that actually requires me to do this. Is that true?

ANSWER: Yes. In this age of identity theft, responsible employers like you are already careful about protecting employees’ personal information. But a new regulation, referred to as the Disposal Rule, enacted by the Federal Trade Commission, now makes it mandatory.

This rule is effective June 1, 2005, and is the result of the passage of the federal Fair and Accurate Credit Transactions Act, an amendment to the Fair Credit Reporting Act. FACTA became law in December 2003. Its purpose is to reduce the risk of consumer fraud and identity theft.

This particular disposal rule furthers the purpose of FACTA by requiring that any person who maintains or otherwise possesses “consumer information” for a business purpose must destroy it properly by taking “reasonable measures” to protect against unauthorized access to or use of the information.

“Consumer information” is broadly defined to include “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of such records.” It does not include information that does not identify individuals such as aggregate data. It also does not include payroll records or credit card receipts.

As an employer, you may use consumer reports when you hire new employees and when you evaluate employees for promotion, reassignment, and retention — as long as you comply with the Fair Credit Reporting Act. Sections 604, 606, and 615 of the FCRA spell out your responsibilities when using consumer reports for employment purposes.

A “consumer report” is any “written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor” in a consumer’s eligibility for credit or insurance or for employment purposes. It also includes criminal history reports and driving records.

“Reasonable measures” include such actions as burning, pulverizing or shredding of papers containing this information. The purpose, of course, is to obliterate personally identifying information such as telephone numbers, e-mail addresses, physical addresses, Social Security numbers and driver’s license numbers.

Employers should take steps to either train their employees about proper disposal measures, or to hire an outside entity to perform this task for them. You will then have the satisfaction of knowing both that you are complying with the law, and that the dumpster divers will surface with nothing but garbage in their hands.

More information about this rule is available online. Go to and

For more information for employers on permissible uses of consumer reports for employment purposes, go to

paper shredding services