Official Changes in the Destruction of Sensitive Data

Mark Harper

Recent updates made by the Centre for the Protection of National Infrastructure (CPNI) raise a number of questions over the effectiveness of third party document shredding services, writes Mark Harper. With the General Data Protection Regulation (GDPR) mandating the destruction of documents containing personal information, is it time for organisations to take responsibility before it’s too late?

In November last year, the CPNI released a definitive statement on the secure destruction of sensitive information and assets. In short, the statement declares that mobile paper destruction and waste-to-energy incineration (excluding DSTL) service providers are only accredited to destroy classified material to the lowest ‘Official’ standard. This updates the previous guidelines set by the CPNI in 2014 and calls into question the reliability and ultimate security of external services.

The update also has direct parallels in the commercial world. Now, as we approach the first anniversary of the implementation of the European Union’s GDPR, all organisations must consider how secure their document destruction techniques really are in practice.

According to the policy outlined by Her Majesty’s Government’s information system, there are three levels of security classification: ‘Official’, ‘Secret’ and ‘Top Secret’. Security classifications are designed to indicate the sensitivity of information and are decided by the potential impact of a breach.

Recent update by the CPNI

The ‘Official’ standard represents the majority of information that’s created and processed by the public sector. Virtually all organisations hold personal and sensitive personal data, and many would consider this to be more confidential than the lowest ‘Official’ security standard.

The recent update made by the CPNI speaks volumes, then. By removing its approval, it’s apparent that external document destruction services are only trusted at a basic level by central Government. Those that have used (or are still using) mobile paper destruction or waste-to-energy incineration services should urgently re-evaluate.

Interestingly, the conclusive statement made by the CPNI declares: “If end users wish to continue using these types of destruction techniques for classified material above ‘Official’, they do so at their own risk.” While the CPNI recognises that some circumstances can still be managed by external destruction techniques, it’s clear that the organisation is trying to mitigate any unnecessary security issues.

The convenience and security promised by external services appeal to many organisations. On closer inspection, however, risks present themselves at each stage of the process. Quite apart from the added possibility of theft, accidental loss or even espionage, the security of documents is in danger throughout the entire shredding process.

Security standards collapse

When shredding in-house, organisations are able to immediately destroy documents to their required particle size. Compare this to external services and we begin to see where security standards collapse. It’s often the case that whole documents containing confidential data are left for days or weeks in basic receptacles with minimal security only for them to then be moved to different locations prior to destruction.

Even after the shredding process has taken place the security of documents is still in question. The particle size produced in a typical shredding vehicle (when equipped with a P-1 high volume shredder) can be at least ten times larger than a regular crosscut (P-4) office shredder.

In light of the GDPR, organisations should be proactive and audit their document destruction processes to ascertain that they meet security requirements. By outsourcing data destruction, organisations lose an element of control. Handing the responsibility to another party means data handlers are immediately trusting people and processes over which they have no control and may never have fully investigated.

Furthermore, certificates of destruction are not viewed as a defence in the event of a data breach that has resulted from inadequate data destruction. Unless an individual document listed on the certificate of destruction can be traced, what value does the certificate have and how can it protect the data handler? Shredding at the source is the best way to assure security.

Cutting out the middleman

Cutting out the middleman not only presents additional security benefits, but also cost saving advantages. The seemingly small monthly fee offered by external services can be attractive at first, but can soon equate to a significant annual cost. Taking document destruction in-house can save both money and time.

If it wasn’t clear before, it most certainly is now. Both the risk and the responsibility of confidential data destruction lie with the data handler. Shifting to a third party service can involve unnecessary risk and become surprisingly expensive. If official Government bodies now question the reliability and security of such services, shouldn’t all organisations be taking heed of that warning?

Mark Harper is Head of Sales (Office Technology) for the UK and Ireland at HSM
