What measures are your organisation taking to ensure paper documents with personal or sensitive business data are being securely processed?
With regard to personal data, a key principle of the General Data Protection Regulation (GDPR) is that personal data is processed securely by means of ‘appropriate technical and organisational measures’*.
Documents containing personal data and high value business information can be created across a wide range of departments.
In a global study, commissioned by the Business Performance Innovation Network, 89% of the managers and information workers surveyed believed document security risks are growing in their organisation due to increased connectivity and the proliferation of mobile devices**.
It is more obvious to link the protection of personal and sensitive data with computers and networks; however, as the Information Commissioner’s Office explains, ‘many information security incidents occur due to the loss, theft or incorrect disposal of physical entities such as equipment, old computers or hard copies of documents’.
So, what are the organisational and technical measures needed to safeguard your confidential paper documents?
In line with GDPR guidance, we’ve compiled some tips and considerations to help your organisation manage confidential documents and confidential waste disposal.
1: Is it Confidential? Create a Culture of ‘Integrity and Confidentiality’
A core principle of the GDPR concerns the ‘integrity and confidentiality’ of personal and sensitive data.
Going back over the basics and raising awareness of the types of data processed in your organisation may be the first important step to ensuring all employees understand their responsibilities when it comes to protecting the personal and sensitive data of your customers, the business and each other.
a). Documents Containing Personal Data of Staff and Customers – Classify as Confidential? YES
Under GDPR ‘personal data’ means ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
For more information concerning the processing of payment card data and compliance with the PCI-DSS visit the Payment Card Industry Security Standards Council website.
b). Documents Containing Sensitive Data – Classify as Confidential? YES
- Sensitive Personal Data
The GDPR refers to sensitive personal data as “special categories of personal data”. This special category data, which includes an individual's race, politics and genetics, is more sensitive and so needs more protection.
Organisations processing special category data will also need to satisfy a specific condition under Article 9 of the GDPR. Find out more from the ICO website here.
- Sensitive Business Data
Documents which may be considered commercially sensitive or require additional security measures include:
- Information relating to Intellectual Property
- Office plans, office IDs, internal procedure manuals
- Client contract details and commercial documents including invoices
2: To Print or Not to Print?
As the majority of data is now processed electronically (the security of which will be managed through technical cybersecurity measures), many businesses are eliminating the security issues associated with confidential paper documentation through the implementation of a NO PRINT rule.
By establishing a ‘No Print’ rule across the organisation, access to a shared printer or photocopier is limited and staff are trained to ask themselves questions before sending the document to print.
- Is this a confidential document?
- Does it contain any personal or sensitive information?
- For what purpose do I require a hard copy?
- What will I do with the paper document once I have actioned the associated task?
Introducing this kind of technical measure, or alternatives such as a ‘Clear desk and screen’ policy, may seem radical and may take time to embed into the day-to-day culture, but it will improve your data security by removing some of the risks associated with hard copy documents, while also reducing the costs associated with paper and printing.
3: Secure Storage of Confidential Paper Documents
Where the printing of documents containing confidential information is unavoidable due to legal or industry specific policies and practices, the physical documents (as with electronic data and documents) should be:
'Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures'.
Technical measures associated with the security of physical documents containing personal or sensitive information should consider:
- the quality of doors and locks, and the protection of your premises by such means as alarms, security lighting or CCTV;
- how you control access to your premises, and how visitors are supervised;
- how non-public, confidential documents are secured;
- how you dispose of any paper waste.
The retention periods of physical documents held securely on your premises will depend on the nature of the information along with any legal requirements or industry specific policies.
However, with regard to personal data, Article 5(1)(e) of the GDPR clearly sets out the principle of ‘storage limitation’, in so far as personal data should only be kept for as long as is necessary to fulfil the purposes for which the data is being processed.
4: Auditing Your Confidential Waste Disposal
Once the purposes of a confidential document have been fulfilled, the document becomes confidential waste.
The aim of an internal audit of confidential waste disposal is to ensure that all physical confidential documents, in all areas of the organisation, are disposed of securely, with the appropriate technical measures in place to protect against unauthorised or unlawful processing and a data breach.
The audit should consider:
a) Where confidential documents are created.
Establish all areas / departments where physical documents containing personal and / or sensitive individual or business data may occur.
A map of the business premises may be a useful but ‘confidential’ tool to help you. Locate any individual or shared printers and photocopiers and map against your existing general waste, recycling and confidential waste disposal points.
- Are there any new risk areas?
- Is there the potential for confidential waste to be held or disposed of in an unsecure place, such as an in-tray or the wrong container?
b) The quantity of confidential documents created in any given period e.g. day, week and so on.
By understanding the volume of confidential waste and the frequency of disposal, you can ensure the appropriate collection and destruction measures are in place to reduce risks to data security.
- Are current confidential waste containers large enough?
- When are documents collected for destruction?
- Do you provide shredders and shredding facilities on site that meet the right levels of security for the confidential waste you generate? See Tip 6.
c) Where and how confidential paper waste is currently disposed of for collection before destruction.
Your current provisions may adequately fulfil your data security requirements; however, it is worth revisiting the following:
- If existing bins are underused is it time to improve staff communication and training?
- Could the location of the containers be improved to be more accessible?
- Are existing containers lockable and locked?
d) Who has access to your confidential waste once it has been disposed of?
Once confidential documents are disposed of inside a secure container...
- Who is responsible for emptying them and transporting to your shredding facilities or secure destruction bins?
- What data protection training have they received?
- What security checks do they follow and where are confidential bin keys stored?
If you would like free, impartial help and advice with your waste management audit please talk to us or register today.
5: Selecting the Right Confidential Waste Bin
Performing an internal audit will help you identify the answers you need, such as the quantity and capacity of the bins you require. Key considerations include:
The most important feature of a confidential paper bin is the level of security it provides.
It is essential to dispose of the documents separately in a designated container, away from any other non-confidential paper or other waste and they must be held securely and out of view.
Therefore, strong, lockable bins with a solid enclosed lid and a thin slotted aperture are an ideal solution.
In high risk areas, consider additional technical measures such as fixing the bins to the ground or wall or placing them out of sight inside desk or office storage units. This may be appropriate for smaller confidential waste solutions.
The volume of confidential waste generated may vary from one department to the next and the frequency of collections will also affect the capacity that’s required.
Floor space is another factor to consider, as a higher capacity bin will generally have a larger footprint.
Therefore, you may require a mix of co-ordinating confidential waste bins with different capacities, depending on the volume of waste, collection schedules and available space.
The style of the container may seem to be the least important consideration. However, the professional, smart appearance of your confidential waste bin is vital in conveying the seriousness of data protection in your organisation and shaping how this is perceived by employees, customers and visitors.
With the addition of recognisable graphics and labelling too, employees are more likely to use a purposely designed container such as the Nexus® 30, Nexus® 50 or Nexus® 100 Confidential Waste Bins pictured.
To encourage adherence and appropriate usage, the bins should be sited in accessible office locations and areas highlighted in the audit.
It may be better to place a confidential waste bin away from other non-confidential paper recycling bins to avoid confusion and the risk of incorrect disposal.
Create a confidentiality zone and increase awareness with posters and messaging, giving employees tips and helpful reminders. This will help reinforce processes which may be new to them. The ICO created a helpful toolkit designed to help businesses communicate the importance of data privacy. Check out the Think Privacy pdf here.
For more ideas take a look at the Glasdon range of lockable confidential waste bins.
6: Confidential Paper Waste Collection and Shredding
All confidential waste must be disposed of, collected and then destroyed separately from any other non-confidential document or waste stream, before it can be recycled.
Once the contents of your confidential waste bins have been collected they should be sealed in security bags prior to shredding or collection by a waste contractor.
Confidential documents are required to be shredded in accordance with the European standard for paper waste security, DIN 32757. The six levels (DIN 1–6) of this standard set the minimum permitted shredding sizes according to the nature of the data on the document.
Shredder manufacturers offer business solutions across the recommended security levels, from DIN 3, the minimum level for highly personal documents, up to DIN 6, the highest security level.
The higher security levels can only be attained with a cross-cut or micro-cut shredder.***
For these reasons many businesses will employ a reputable waste contractor to manage the bulk destruction of their confidential waste.
When choosing a company to shred your documents, consider whether you want your waste securely destroyed onsite or offsite.
Some commercial waste contractors also offer confidential waste collection and disposal alongside their other waste collection services such as general waste, green waste and hazardous waste.
Alternatively, a dedicated confidential waste disposal service works solely on the efficient, compliant shredding of sensitive and confidential documents.
Benefits of Onsite Waste Destruction:
- Enables you to view the whole process onsite.
- A carefully vetted and CRB-checked professional arrives at location.
- Your sealed documents will be loaded into a shredder with limited human interference.
- You are issued with a Certificate of Destruction and a Waste Transfer Note, so your business can ensure that its obligations have been fulfilled.
- Shredded waste will then be sent off for recycling.
Benefits of Offsite Waste Destruction:
- A trained professional will arrive and collect your sealed documents.
- They load them into a locked container.
- The waste is then taken back to their headquarters in a tracked van.
- The documents are shredded, baled, and sent off for recycling.
- Your business will be issued with a Certificate of Destruction and a Waste Transfer Note to show that all obligations have been fulfilled.
** Getting Control of Document Flow: Exploring Exposure and Risk In Document-Related Data Breaches - http://www.bpinetwork.org/