Disposal of sensitive information
Companies and individuals sometimes need to dispose of sensitive information. Some of the material that businesses routinely throw away could be of use to a wide variety of groups including business competitors, identity thieves, criminals and terrorists. The types of information include staff names and addresses, telephone numbers, product information, customer details, information falling under the Data Protection Act, technical specifications and chemical and biological data. Terrorist groups are known to have shown interest in the last two areas.
The standards for the destruction of highly protectively marked government material are perhaps more stringent than those which may apply to private sector organisations. Private sector organisations requiring more information regarding the disposal of sensitive information may wish to refer to British Standard BS8470, or contact the British Security Industry Association.
Particular care needs to be taken to effectively destroy digital media which may contain the personal and contact details of staff or customers and company confidential data. Digital media needs to be overwritten with random data several times to make the original data irretrievable; this should include all addressable locations and not just the file allocation table. Overwriting cannot be used for media that are damaged or otherwise not writeable; in these cases the media should be purged by degaussing with a strong magnetic field or destroyed.
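The overwriting described above can be sketched as follows. This is an added example, not part of the original guidance. The function name overwrite_target, the default of three passes (the text says only "several times") and the rng parameter are assumptions made for illustration. It covers the full addressable length of a file or block device rather than deleting a directory entry, and it raises an error if the target is not writeable, in which case degaussing or destruction applies.

```python
import hashlib
import os

CHUNK = 1 << 20  # write and read in 1 MiB blocks


def overwrite_target(path, passes=3, rng=os.urandom):
    """Overwrite every byte of `path` with random data, `passes` times.

    `passes=3` is an assumed value for "several times"; `rng` is a
    hypothetical hook so the data source can be replaced in tests.
    Returns the number of bytes covered by each pass. Raises OSError if
    the target cannot be opened for writing (damaged or read-only media)
    and RuntimeError if the read-back of the final pass does not match.
    """
    if passes < 1:
        raise ValueError("passes must be at least 1")
    with open(path, "r+b", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)  # full length, file or block device
        for _ in range(passes):
            written = hashlib.sha256()
            f.seek(0)
            remaining = size
            while remaining:
                block = rng(min(CHUNK, remaining))
                view = memoryview(block)
                while len(view):           # cope with short writes
                    view = view[f.write(view):]
                written.update(block)
                remaining -= len(block)
            os.fsync(f.fileno())           # flush this pass out of OS buffers
        # Read the whole target back and compare it with the final pass.
        # This catches write errors and missed regions; the read may be
        # served from the OS cache, so it is not a test of the medium.
        f.seek(0)
        seen = hashlib.sha256()
        while True:
            data = f.read(CHUNK)
            if not data:
                break
            seen.update(data)
        if seen.digest() != written.digest():
            raise RuntimeError("read-back mismatch: treat media as not sanitised")
    return size
```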
The principal means of destroying sensitive waste are:
Shredding
Paper shredders shred to many different sizes and the size of shred you use will depend upon the type of information you are destroying. Highly confidential material should be shredded using a cross-cut shredder producing a shred size no more than 15mm x 4mm. This should ensure no more than two adjacent characters appear on any one piece of shred. Paper shredders can also be used to destroy diskettes, once removed from their casing; CDs and similar optical media can also be destroyed by cross-cutting or shredding. The shred size should be proportional to the confidentiality of the data; typical fragments should be no larger than 25mm².
Incineration
Incineration is probably the most effective way of destroying sensitive waste, including disks and other forms of magnetic and optical media, provided a suitable incinerator is used (check with your local authority). Open fires are not reliable as material is not always destroyed and legible papers can be distributed by the updraft. Metallic-based digital media can be destroyed by melting.
Pulping
This reduces waste to a fibrous state and is effective for paper and card waste only. However, some pulping machines merely rip the paper into large pieces and turn it into a papier-mâché product from which it is still possible to retrieve information. This is more of a risk than it used to be because inks used by modern laser printers and photocopiers do not run when wet.
There are alternative methods for erasing electronic media, such as overwriting and degaussing.
Before investing in waste destruction equipment you should:
- If you use contractors, ensure that their equipment and procedures are up to the standard you require. Find out who oversees the process, what kind of equipment they have and whether the collection vehicles are double-manned, so that one operator remains with the vehicle while the other collects. Communications between vehicle and base are also desirable.
- Ensure that the equipment is up to the job. This depends on the material you wish to destroy, the quantities involved and how confidential it is.
- Ensure that your procedures and staff are secure. There is little point investing in expensive equipment if the people employed to use it are themselves security risks.
- Make the destruction of sensitive waste the responsibility of your security department rather than facilities management.
26/10/2007