In light of new warnings about the use of third-party document shredding services for the destruction of secret Government documents, Mark Harper, HSM Head of Sales UK&I – Office Technology, argues that commercial organisations, too, should reassess their choices
In November 2018, the Centre for the Protection of National Infrastructure (CPNI), the UK government authority for protective security advice, released a definitive statement on the secure destruction of sensitive information and assets.
In short, this declares that with immediate effect, and excluding the Defence, Science and Technology Laboratory, mobile paper destruction and waste to energy incineration service providers are only accredited to destroy classified material to the lowest ‘OFFICIAL’ standard.
While the CPNI recognises that some circumstances can still be managed by external destruction techniques, it’s clear that they are trying to mitigate any security risks, stating: “If end users wish to continue using these types of destruction techniques for classified material above OFFICIAL, they do so at their own risk”.
This updates the previous guidelines set by CPNI in 2014 and calls into question the reliability and ultimate security of external services.
Levels of Security
The CPNI’s position has direct parallels in the commercial world, and, as we approach the first anniversary of GDPR, all organisations must now consider how secure their document destruction techniques really are.
According to the policy outlined by the HM Government administration system, there are three levels of security classification: OFFICIAL, SECRET and TOP SECRET. Security classifications are designed to indicate the sensitivity of information and are decided by the potential impact of a breach.
The OFFICIAL classification covers the majority of information created and processed by the public sector. Virtually all commercial organisations hold personal and sensitive data that many would consider to be more confidential than the lowest OFFICIAL security standard.
CPNI’s update is significant because, by making it clear that external document destruction services are only trusted at a basic level by government, it raises the question of whether commercial organisations that have used, or are still using, mobile paper destruction or waste to energy incineration services should urgently re-evaluate their choices.
The promised convenience and security of external services appeal to many organisations. However, on closer inspection, a range of risks present themselves at each stage of the process. Aside from the added possibility of theft, accidental loss or even espionage, the security of documents is at risk throughout the entire shredding process.
When shredding in-house, organisations are able immediately to destroy documents to their required particle size. Compare this to external services and we begin to see where security standards collapse.
It is often the case that whole documents containing confidential data are left for days or weeks in basic receptacles with minimal security before being moved to other locations prior to destruction. Even after the shredding process has taken place, the security of documents is questionable as the particle size produced in a typical shredding vehicle (when equipped with a P-1 high volume shredder) can be at least 10 times larger than a regular crosscut (P-4) office shredder.
In light of GDPR, organisations should be proactive and audit their document destruction processes to ascertain that they meet security requirements. However, outsourcing data destruction means data handlers lose an element of control. In handing responsibility to another party, they are placing trust in people and processes over which they have no control and which they may never have fully investigated.
Furthermore, under GDPR, certificates of destruction aren’t viewed as a defence in the event of a data breach caused by inadequate data destruction. Unless an individual document that has been listed on a certificate of destruction can be traced, what value do such certificates have and how can they protect the data handler? Shredding at source is the best way to assure security.
Cutting out the middleman and taking document destruction in-house not only delivers security benefits but also has time- and costsaving advantages, as the seemingly small monthly fees charged by external service providers can look attractive at first, but often add up to a significant annual cost.
If it wasn’t clear before, both the risk and responsibility of confidential data destruction lie with the data handler. Shifting to a third-party service can involve unnecessary risk and become surprisingly expensive. So, if official government bodies now question the reliability and security of these services, shouldn’t commercial organisations do the same?
HSM is a global provider of shredding, baling and waste compacting machinery for homes, businesses and large-scale commercial operations. Its products, which include the HSM SECURIO, HSM V-Press, HSM shredstar and HSM Powerline ranges, are manufactured in Germany and sold in more than 100 countries.