The Data Protection Act 1998
When it comes to document shredding companies, we are often asked:
- what does the data protection act say about shredding confidential waste?
- does the data protection act state we have to use a shredding company?
Principle 7 of The Data Protection Act 1998 States
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Business who process or control personal data need to ensure that they have the correct measures in place to ensure that data is only used for the means in which it was intended, and is not shared with any other parties.
There is no line in the act that says material must be shredded, nor is there a section that states a shredding company must be employed.
The key part of this principle is the APPROPRIATE TECHNICAL & ORGANISATIONAL MEASURES statement.
By adopting a shredding company to destroy all personal data and confidential waste, having this process documented in a contract of services, with waste transfer notes, destruction certificates and duty of care documentation – including an annual audit of destruction processes. A company ensures that they satisfy this part of the act in full and it would be difficult to argue that all appropriate measures had not been taken.
At The Shred Centre we believe the documentation of the destruction process should be put into a company wide information destruction policy also to demonstrate organisational and managerial measures demonstrate company commitment to protecting and destroying all end of life date through secure shredding.