
Wednesday, Dec 14, 2011

Disposal of data

Recent research carried out by the British Security Industry Association (BSIA) revealed that about 1 in 5 organizations have suffered serious data fraud (see http://www.bsia.co.uk/P3YAB8623031). The loss of data from computer hard drives accounted for around half of these incidents, which emphasizes that the safe disposal of data is a critical part of managing the overall lifecycle of IT equipment. Indeed, what constitutes IT equipment needs to be kept under review as office equipment becomes more and more sophisticated, so disposal of printers and the office photocopier may fall under these considerations too (for instance, see http://goo.gl/9gX3F).

The BSIA further point out that the Information Commissioner now has enhanced powers to impose fines for breaches of the Data Protection Act, with a potential fine of £500,000 for such incidents. This would be a cost in addition to the reputational damage to any organization found to have treated data in a cavalier fashion, and to the diversion of management time that must follow in order to deal with the issue.

Standards exist which encapsulate good practice and which, if implemented, provide some assurance that such incidents will not occur. If an incident does occur, your organization may have some protection if it arose from an isolated case of defined procedures not being followed. In particular, BS EN 15713, Secure destruction of confidential material: Code of Practice, provides good practice in this area. As a European standard it is available in French and German too, and can be obtained from the BSI (see http://goo.gl/e7qUs).