Records are maintained appropriately (1.4)

You must have a records management policy in place. 

The Records Management Code of Practice 2021 will support you in developing a policy and managing records appropriately. It provides a framework for consistent and effective records management based on established standards. It covers organisations working within, or under contract to the NHS in England. The Code also applies to adult social care and public health functions commissioned or delivered by local authorities.

It is important to note that data destruction can be physical (such as shredding) and digital (secure deletion). Your data disposal contracts and suppliers should reference or include guidance on disposal of electronic media containing personal or sensitive data. For further information including on the standards for secure deletion, please refer to the National Cyber Security Centre guidance.

Traditionally, paper-based disposal has consisted of simple vertical shredding. However, this method is not suitable for sensitive or confidential information. BS EN 15713:2009 and the HMG Information Assurance Standard (IS5) requires the shredding of sensitive paper records to be conducted using a cross cut shredder that cuts the paper into pieces of no more than 15mm x 4mm.

If your organisation uses third parties to dispose of (destroy by any means, including incineration) or archive personal data, there should be a contract in place which requires the third party to have appropriate security measures in place in compliance with data protection law.

The nature of the devices you are disposing of, and the devices themselves (such as paper, hard drives, USB memory sticks, CDs), will change over the course of your contract with a supplier. You therefore need to review contracts with suppliers periodically.

The contract with the supplier should also contain a provision allowing you, or a contracted third party auditor, to periodically audit them. The type of items that should be included in that audit are:

• onsite inspection of the contractor disposal site ensuring sufficient physical segregation of different customer disposal items
• observing the disposal journey from asset receipt to disposal and certification
• tracing a recently collected disposed of item(s) to track where they are in the disposal journey and how they are secured (especially if mid journey)
• if the items are to be recycled, examining a finalised refurbished asset for any data remnants
• ensuring paper records are secured and adequately referenced
• verifying the employment checks on a dip sample of employees from the disposal company
• tracing a dip sample of assets’ chain of custody documentation from collection to destruction and certification
• observing physical destruction of media

Your third-party supplier should record each item that has been disposed of on a destruction certificate. This can be one certificate per item, or multiple items on one certification. It is important that these items are known and can be referenced individually.

A destruction certificate with the following line item is not acceptable given that items have not been referenced individually and they are untraceable:

• 50 x SATA mixed sized hard drive destroyed 

Whereas a destruction certificate such as the below, where items are individually referenced and the disposal method is specified, would be acceptable:

• Hitachi (HGST) 500gb 500 GB 2.5 Inch 5400 RPM Sata Hard Drive (s/n 999787989ui9) status shredded
• Western Digital Scorpio Blue 500GB Sata 8MB Cache 2.5 Inch Internal Hard Drive (s/n WD21377878nh98) status shredded