Lockable containers in which staff can deposit unwanted sensitive data are essential when taking measures to prevent a data security breach. The use of confidential waste bins and consoles is a simple measure that data controllers can take to comply with the Data Protection Act 2018 (incorporating GDPR). Legislation requires data protection officers (DPOs) to take all technical and organisational measures to minimise the risk of a lapse in data security.
Once the material is secured in a lockable shredding bin, it is safe until a professional shredding operator destroys all the information as part of a regular scheduled shredding service.
Without shredding containers like consoles and wheelie bins, unwanted information can be left unsecured around the workplace. Containers mean there is no excuse for employees leaving personal data exposed to prying eyes on desk tops and in unsecured drawers. Astonishingly, many organisations still rely on their own staff to shred unwanted information in small office shredders, but for many reasons this is not a secure waste stream and does not eliminate the risk of data being left exposed to prying eyes. Where workplaces do not have a simple channel for the secure disposal of confidential waste, sensitive waste is just put in the general waste!
With modern working trends such as ‘hot-desking’, more and more workplaces are adopting shred-all policies and enforcing clear-desk best practices. To effectively enforce such policies, DPOs must provide a simple and secure channel for the easy disposal of unwanted sensitive data. From the moment sensitive information is no longer required, there should be a facility to dispose of it. Once deposited into a locked shredding bin or console, the data enters the first link in the chain of custody.
To maintain the strength of the link, it is essential that the containers cannot be accessed until a shredding contractor empties the contents and shreds them on-site. The technical and organisational measures that need to be evaluated to ensure the containers are secure include:
Locks should be robust enough that it is not possible to force them with screwdrivers and other simple tools. Triangular-style locks on wheelie bins, which require a standard utility key (as seen on the left), offer only very limited security, as keys for these locks are universal.
Using a triangular utility lock offers low security as the lock can be tampered with. A robust unique key lock provides the best security.
The shredding contractor’s security-vetted staff will use keys in accordance with the contractor’s key control policy. A lot of customers ask if they can have a key(s) so the container can be opened in the event of an employee needing to retrieve papers. The agreement between the data controller (customer) and Topwood should detail who is permitted to be a key holder. Topwood will sign over keys to the customer according to the contract. If a key is reported missing to Topwood, there is a trace as to where it came from. Topwood’s keys are clearly marked and have a unique barcoded ID, which means we record who signed for which key. Each key is signed over to the customer and its reference number is recorded on a database for traceability. Once a key is signed over to the customer, it is their responsibility to ensure it is managed as part of the customer’s key control policy.
Where the security of the bin may be compromised, for example because the container is damaged or is so full that papers can be retrieved, users need contact details so the matter can be resolved with minimal risk of a security breach. Consoles should provide a service point that can resolve any data security hazards. Overfilled consoles pose a risk as papers could be pulled out!
The siting of containers is critical when assessing data security. Shredding containers located in offices with CCTV and access control are at less risk of unauthorised access than, say, a wheelie bin in a shared user corridor. Consideration needs to be given to the risk that a wheelie bin is mobile and could be removed from site. The location around each bin should be shown as a designated area so that if the container is missing the alarm can be raised. Each shredding container has a unique barcode ID.
Topwood supplies every container with a unique ID which is marked up on a site floor plan. Each time Topwood visits a console, its barcoded ID is scanned. This confirms all consoles are in the correct locations and provides the customer with an audit trail of authorised openings.
The most important factor when providing a secure office is ensuring staff use the secure confidential waste bins and enforcing the secure disposal of unwanted papers and files. Staff should always be aware, through training, of the risks and consequences of a data breach, and if something is amiss it is their responsibility to report it to the DPO.
There are many links in the chain of custody, and risk assessing each link in detail will minimise the risk of a data breach and ensure the organisation has taken all reasonable technical and operational measures to protect against one.