Any organisation engaging a contractor to handle data has a duty of care to make all reasonable checks that the contractor (existing or potential) operates within legal and morally acceptable parameters.
This process of due diligence ensures a business’s reputation is not put at risk by a disreputable contractor.
Compliance and Certification
The Data Protection Act 1998 (DPA) requires all data processors to be registered with the Information Commissioner’s Office (ICO) (Topwood registration number Z7108387).
A fundamental principle (Principle 7) of the DPA is that data controllers have in place appropriate security measures to prevent data from being accidentally or deliberately compromised. The law clearly states that subcontracting document and data destruction to a shredding company does not remove any of the data controller’s legal responsibilities or liabilities.
Consequently, data controllers must make periodic checks to ensure their shredding company’s security credentials remain up to date. Some data management companies falsely say, “We comply with all the relevant standards”, or paste a few logos onto their website. Data controllers that accept such statements at face value are not undertaking proper due diligence and are ultimately putting their reputation at risk.
Topwood’s reputation for providing first-class service levels is defined, delivered and measured through a Quality Management System (QMS). The QMS is independently audited by a UKAS-accredited body and complies with the requirements of ISO 9001. The leading industry association for data destruction is the British Security Industry Association (BSIA), which requires members to hold ISO 9001. Topwood is a member of the BSIA.
Whether Topwood supplies file storage, document scanning or data shredding services, its success is wholly dependent on providing information security. Topwood operates an Information Security Management System (ISMS). This ISMS is independently audited for compliance with the information security standard ISO 27001. ISO 27001 is increasingly seen by compliance, security and procurement managers as the ‘gold standard’.
The following principal standards are incorporated into the scope of Topwood’s ISO 27001 certification.
* Topwood Ltd has adopted this standard for a number of years and it will soon be incorporated into the scope of the next ISO 27001 certificate.
Other standards incorporated include BS8418 (CCTV), EN150131 (intruder alarms), EN50133 (access control systems), BS5839 (fire detection and alarm systems) and CPNI (used by government departments and agencies when engaging contractors for the destruction of national assets).
Topwood ensures the safe and responsible handling of confidential waste on behalf of its customers. By operating an Environmental Management System (EMS) based on ISO 14001, Topwood can provide an audit trail showing that waste is handled and recycled in a legal and sustainable manner.
For example, some data destruction companies still destroy data through incineration, but at Topwood we comply with the waste hierarchy regulations, which require the mechanical destruction of data. This method of destruction allows for the recovery and recycling of materials. 100% of the paper we shred is recycled into useful paper products.
Our EMS ensures our waste carrier’s licence is kept up to date (Topwood is a registered waste carrier with the Environment Agency, Licence Number CB/CN5312ZW) and that all movements are controlled through the use of waste transfer notes. Likewise, our T11 exemption allows us to repair, refurbish or dismantle various types of waste electrical and electronic equipment, so that WEEE is either re-used or dismantled and its parts sent for recovery.
Duty of Care – Ensuring a Safe Workplace
Topwood is committed to providing a safe working environment. Topwood has been independently audited and was found to have excellent risk management under the Safecontractor scheme. Certification assures customers that Topwood operates a safe workplace. The term safe workplace is broad: duty of care extends to all persons who come into contact with Topwood’s activity, and the workplace extends to all locations, including customers’ offices and depots.
Due diligence checks should ensure contractors have the statutory minimum and any additional cover required. Topwood has the following cover:
- Public liability insurance – £5m in respect of each and every claim
- Employers’ liability insurance – £10m in respect of each and every claim (a legal requirement for all companies)
- Professional indemnity insurance – £1m
To comply with EN15713, all employees are security vetted. Topwood uses a third-party vetting firm to security check staff to BS7858 prior to a person’s employment with Topwood. BS7858 includes Disclosure and Barring Service (DBS) checks, and this vetting is repeated every 3 years.
- All staff are required to sign a confidentiality agreement prior to engagement with Topwood
- Topwood conducts its own employee due diligence; for example, we carry out quarterly DVLA licence checks
- All staff participate in a training programme which includes topics such as how to handle sensitive information and risk management for a safe workplace
Operation of Vehicles
- All vehicles operate from a registered operating base at SY14 7BY
- Shred trucks are operated and maintained in accordance with the provisions granted in Topwood’s Operator Licence (OC1052569) issued by VOSA
- A fleet insurance policy covers all vehicles