Recent updates made by the Centre for the Protection of National Infrastructure (CPNI) raise a number of questions over the effectiveness of third-party document shredding services.
With the responsibility under GDPR to destroy documents containing personal information, is it time for organisations to take responsibility before it’s too late?
In November 2018, CPNI, the UK’s government authority for protective security advice, released a definitive statement on the secure destruction of sensitive information and assets.
In short, the statement declares that with immediate effect, mobile paper destruction and waste to energy incineration (excluding DSTL) service providers are only accredited to destroy classified material to the lowest “OFFICIAL” standard. This updates the previous guidelines set by CPNI in 2014 and calls into question the reliability and ultimate security of external services.
The update also has direct parallels in the commercial world. Now, as we approach the first anniversary of the implementation of GDPR, all organisations must consider how secure their document destruction techniques really are.
Levels of Security
According to the policy outlined by the HM Government’s administration system, there are three levels of security classification: OFFICIAL, SECRET and TOP SECRET. Security classifications are designed to indicate the sensitivity of information and are decided by the potential impact of a breach.
The OFFICIAL standard represents the majority of information that is created and processed by the public sector. Virtually all organisations hold personal and sensitive personal data, and many would consider this to be more confidential than the lowest OFFICIAL security standard.
The recent update made by the CPNI speaks volumes, then. By removing their approval, it’s apparent that external document destruction services are only trusted at a basic level by government. Those that have or are still using mobile paper destruction or waste to energy incineration services should urgently re-evaluate.
Interestingly, the conclusive statement made by the CPNI declares; “If end users wish to continue using these types of destruction techniques for classified material above OFFICIAL, they do so at their own risk.”. While the CPNI recognises that some circumstances can still be managed by external destruction techniques – it’s clear that they are trying to mitigate any unnecessary security issues.
The promised convenience and security from external services can appeal to so many organisations. However, on closer inspection, there are a range of risks that present themselves at each stage of the process. Aside from the added possibility of theft, accidental loss or even espionage, the security of documents is in danger throughout the entire shredding process.
When shredding in-house, organisations are able to immediately destroy documents to their required particle size. Compare this to external services and we begin to see where security standards collapse. It is often the case that whole documents containing confidential data are left for days or weeks in basic receptacles with minimal security, to then be moved locations prior to destruction. Even after the shredding process has taken place the security of documents is still in question. The particle size produced in a typical shredding vehicle (when equipped with a P-1 high volume shredder) can be at least 10 times larger than a regular crosscut (P-4) office shredder.
In light of GDPR, organisations should be proactive and audit their document destruction processes to ascertain that they meet security requirements. By outsourcing data destruction, organisations lose an element of control. Handing the responsibility to another party means data handlers are immediately trusting people and processes that they have no control over and may never have fully investigated. Furthermore, certificates of destruction aren’t viewed as a defence in the event of a data breach that has been a result of inadequate data destruction. Unless an individual document that has been listed on the certificate of destruction can be traced, under GDPR, what value can they have and how can they protect the data handler? Shredding at the source is the best way to assure security.
Cutting out the middleman not only presents additional security benefits but also cost saving advantages. The seemingly small monthly fee offered by external services can be attractive at first but can soon equate to a significant annual cost. Taking document destruction in-house can save both money and time.
If it wasn’t clear before, both the risk and responsibility of confidential data destruction lie with the data handler. Shifting to a third-party service can involve unnecessary risk and become surprisingly expensive. So, if official government bodies now question the reliability and security of these services – shouldn’t all organisations do the same?