Standards governing the secure destruction of documents and data
Shredding is the safest method of destroying documents but the level of security is determined by the technical specification of the shredder to produce the shred outcome.
Our earlier article, 'How secure is shredding paper?', was all about the shred outcome: the size, shape and mix of the paper particles, which is determined by the specification of the shredding machine. There are, however, other factors that influence the security of the shredding chain of custody.
In the UK, the shredding standard EN15713 (previously known as BS8470) is promoted by the British Security Industry Association (BSIA) as the benchmark standard for firms providing confidential shredding services. Acceptance into the BSIA's information destruction section requires members to have EN15713 incorporated into their UKAS-accredited ISO9001 quality management system; the BSIA publishes a guide to EN15713.
EN15713 is seen, by some firms in the industry, as the entry threshold to operating a security shredding company. Compliance with it requires little more than a tick-box approach, after which it can be filed away and forgotten about!
EN15713 requires that, "all staff employed in the secure destruction process are security-screened in accordance to BS7858. Prior to employment all employees should sign a Deed of Confidentiality".
As data security becomes even more of a business priority, compliance managers and security officers need ever more assurance of their suppliers' ability to handle data on their behalf. The tick-box approach to complying with EN15713 is no longer deemed sufficient.
As a consequence, leading shredding firms are adopting other, more stringent measures and controls to give greater assurances.
The biggest cause of a security breach is human failure, whether through intent or negligence. Consequently, professional shredding firms, like Topwood, are adopting the new information security standard ISO27001:2013.
Data protection law clearly states that data controllers remain liable for their data even when its destruction is subcontracted to a data shredding company, so it is understandable that compliance managers and security chiefs need to engage with shredding firms who have more than a tick-box security standard.
What ISO27001 Requires:
Having all employees screened to BS7858 with signed confidentiality agreements is the standard requirement of EN15713. ISO27001 requires a far more thorough approach with employees. It stipulates that employees should display clearly visible photo ID and wear corporate uniform. This not only gives the customer greater assurance but reminds employees every day of their key role in preventing data breaches.
ISO27001 requires employers to:
- carry out staff checks on a regular basis during employment and take measures to limit risks when employment is terminated.
- provide structured, relevant training that encourages employees to consider the security risks at every stage of their work, so that staff handling data recognise the secure handling of customers' information as the number one priority and security becomes second nature. That is the way to reduce human error.
- train staff in the secure handling of confidential information and keep them up to date with changes in data legislation.
- ensure staff are well motivated and fairly rewarded. Motivated and rewarded staff are more committed and less likely to make mistakes or commit any fraudulent activity.
IT Systems Security:
EN15713 does not stipulate how a shredding company controls its IT systems and digital interfaces. ISO27001, on the other hand, requires a detailed risk analysis of IT systems and software for data loss. Topwood relies on systems technology to provide a secure chain of custody. At the point of transfer, customers sign on an electronic PDA, which transmits an e-receipt by email; that email contains a secure link from which the Certificate of Destruction can be downloaded. All systems and software, including vehicle tracking equipment, need to be robustly tested as part of ISO27001.
Benefits of ISO27001:
In the case of subcontracting, a firm with ISO27001 will have the experience and expertise to audit any supplier it intends to subcontract work to. Indeed, any supplier to an ISO27001-certified firm needs to show it has suitable security measures in place.
A high-class shredding firm should be able to help its customers with data security best practice and help develop a culture of security awareness, such as developing and implementing shred-all and clear-desk policies, all of which are key to preventing security breaches.
Whilst every care is taken to prevent data breaches, the possibility can never be removed. ISO27001 requires shredding companies to consider what action to take in the event of an information security breach, and at what point to inform the Information Commissioner's Office (ICO).
For example, an act of God may result in a data breach, and a data processor (the shredding company) is required to have contingency plans to limit the impact of the breach. A shredding company with the highest standards will have documented procedures for informing the ICO if required.