What does the law say about shredding confidential waste?
Data protection legislation in its current form officially came into being on the 24th October 1995, when the European Parliament brought into being Directive 95/46/EC, commonly referred to as the Data Protection Directive.
UK Data Protection Legislation
As a member of the European Union, the UK was obliged to implement this directive, and the Data Protection Act 1998 (DPA 1998) was the result. The act initially came into force on 1st March 2000, with certain provisions implemented later, in October 2007.
Now, if you think that these documents are an incredibly tedious and boring read, you would be right: THEY ARE!
(You can read the data protection act in full here!)
Unfortunately for me, as a professional in the field, data protection legislation is required reading.
This means that I can answer with confidence the question we get asked a lot: “Does the law say I have to shred confidential waste?”
The simple answer is, NO!
At no point do the words "shredding" or "confidential waste" appear in either piece of legislation. In fact, there is no suggestion of which methods should be used to destroy personal data.
What the Data Protection Act 1998 does say in Principle 7 is:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
For those handling personal data, the ability to demonstrate that technical and organisational measures are in place is key.
By the time a company suffers and reports a data breach, the breach has already happened; enforcement action is therefore almost always retrospective, with historic processes and measures reviewed to establish compliance.
If it cannot be shown that there is a documented, clear and appropriate system in place, then fines of up to £500,000 could be applied.
Outsourcing the destruction of information-bearing media to a confidential waste destruction company ensures that businesses will be able to provide clear evidence of the measures in place at operational and managerial level.
The documents that all good confidential waste destruction companies should provide to their customers, if they want to ensure the most robust service is in place and being adhered to at all levels, include as a minimum (but are not limited to):
- Written information destruction policy
- Contract outlining service dates
- Annual collection records to detail activity
- Destruction certificates for all shredding services
- Non-disclosure agreements signed by service drivers handling waste
- Annual destruction facility report (if off-site shredding undertaken)
- Confirmation of staff DBS checking & vetting procedures
- The UK data protection legislation does not specifically mention that shredding is required in order to satisfy statutory obligations.
- The law does require businesses to ensure that they have appropriate measures in place to protect personal data.
- If a company is found guilty of a data breach, then large fines can be handed out to businesses that do not have evidence of control measures in place.
The ICO’s website has a fantastic easy(ish) to read guide to the data protection act, which is worth looking at to further understand your obligations.