Information Governance - Confidentiality: Recycling
We have recently been asked for advice on the data protection implications of using a commercial company for recycling confidential waste paper. The company undertakes to bag up all paper securely, before taking it to their central recycling plant where all employees have been checked using the Disclosure and Barring Service and work under a contractual obligation of confidentiality.
The 6th principle of the UK Data Protection Act 2018 requires '...that personal data must be processed in a manner that includes taking appropriate security measures as regards risks that arise from processing personal data' to prevent accidental or unauthorised access to, or destruction, loss, use or disclosure of, personal data.
'Appropriate security measures' are not defined in the Act. However, since data concerning health is classified as 'special category' (sensitive) data, a very high level of data security is required.
We have been advised that it would be preferable for practice staff to shred all paper before it is sealed up and removed by the company, and that the paper should be destroyed or recycled as soon as possible after removal from the practice to minimise risk. Both the company, acting in the role of a Processor, and the Practice, a Controller, have a legal responsibility for data security under the Data Protection Act 2018.
You should only use a highly reputable company and preferably one which guarantees compliance with ISO 9001 and ISO 17799 and the British Standard Code of Practice for the secure destruction of confidential material. The contract with the company should specify appropriate clauses in line with the Information Commissioner's Office.
It is of course essential to ensure that you only destroy those documents which you are not obliged by law, business, or common sense to retain!
Further information is available from: Records Management Code of Practice for Health and Social Care 2016