Document Security, retention and distruction - what are your best practices for that "good old paper" file?

Security practices and government regulation make no distinction about the medium. When one designs information security policies, they should be designed around the data, not the medium. Health information, for example, requires the same policy, whether data is electronic, on paper, or carved on stone tablets.

Shredding is better than just tossing documents in the trash or recycling, but shredded documents can be reconsituted, given enough patience.

For paper records, a good practice is to use a service that provides secure storage of all data and/or secure destruction of paper. The latter is usually accomplished by placing locked collection containers on-site; a truck comes to collect them regularly or when the bins are full.

Note that good security practices require you to perform a security audit of a firm providing this service, just as you would a vendor providing electronic information storage. This could be as simple as a questionnaire or as elaborate as visits to their site and riding in their trucks: the effort should reflect the sensitivity of the data.

Finally, the most important element in all security practices is employee training. Most breaches happen because people are careless, not because of deliberate theft. Annual mandatory training is a good practice.

Hope this helps.