Confidentiality - Recycling
We have recently been asked for advice on the data protection implications of using a commercial company for recycling confidential waste paper. The company undertakes to bag up all paper securely, before taking it to their central recycling plant where all employees have been checked by the police and work under a contractual obligation of confidentiality.
The Information Commissioner’s Office has advised us that the 7th Data Protection Principle applies in this situation:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
“Appropriate technical and organisational measures” are not defined in the Act. However, since all patient data is classified as sensitive personal data, a very high level of data security is required.
We have been advised that it would be preferable for practice staff to shred all paper before it is sealed up and removed by the company and that the paper should be destroyed or recycled as soon as possible after removal from the practice to minimise risk. The company would be acting in the role of Data Processors and the Practice Data Controller would retain legal responsibility for data security.
You should only use a highly reputable company and preferably one which guarantees compliance with ISO 9001 and ISO 17799 and the British Standard Code of Practice for the secure destruction of confidential material. The contract with the company should specify a level of data security which is entirely acceptable to your Data Controller in terms of appropriate risk management.
It is of course essential to ensure that you only destroy those documents which you are not obliged by law, business, or common sense to retain!
Further information is available from: Records Management Code of Practice for Health and Social Care 2016