You cover methods of destruction in a policy and they are appropriate to prevent disclosure of personal data prior to, during or after disposal.
Ways to meet our expectations:
- For paper documents, you use locked waste bins for records containing personal data, and either in-house or third party cross shredding or incineration is in place.
- For information held on electronic devices, wiping, degaussing or secure destruction of hardware (shredding) is in place.
- You either hold, collect or send away securely confidential waste awaiting destruction.
- You have appropriate contracts in place with third parties to dispose of personal data, and they provide you with appropriate assurance that they have securely disposed of the data, for example through audit checks and destruction certificates.
- You have a log of all equipment and confidential waste sent for disposal or destruction.
Can you answer yes to the following questions?
- Is there a secured location for waste collected daily until collected for disposal internally or by a third party?
- Is there a secure storage area for equipment awaiting disposal?