The ICO exists to empower you through information.

Data protection laws don’t only cover creating and sharing personal data – it also must be destroyed safely and securely when it’s no longer needed.           

Below, we’ve set out some simple and practical methods for destroying documents. This advice has been written with small organisations in mind.

Whether you’re a small organisation, a group or a sole trader that creates or deals with data, you’ll also need to have a plan in place for getting rid of this data, either because you’ve finished your contract with a customer or client, or a person contacts you specifically to ask for their data to be deleted.

No matter if it’s a pile of papers or a digital folder of information, it’s important to have a plan for how you’ll destroy it securely when you need to.

Destroy paper documents permanently and securely

Shredding is a common way to destroy paper documents and is usually quick, easy and cost-effective. Many retailers sell shredders for use within your office or premises, enabling you to shred and dispose of the documents yourself. If possible, consider recycling your shredded documents, as long as you can do this without leaving the data easily available to others during that time.

Alternatively, you could use a shredding service. Companies will come to your business, collect the documents and safely shred them for you. If you decide to take this route, make sure you’re satisfied they’re a reputable company that will destroy the documents securely.

For example, Jasmine owns a small high street retail shop. She keeps a paper record of the name, address and phone number of customers who have ordered deliveries. She files these by reference to the customer in a locked filing cabinet in date order.

Each month, she takes out the oldest papers that she has in her filing cabinet. She no longer needs these records, and they’ve reached the end of their retention period that Jasmine set out in her privacy notice, so she shreds them. Jasmine has checked that her shredder doesn’t leave identifiable information remaining on the paper, and she’s confident that it wouldn’t be possible to identify anyone from the leftovers. She recycles the sack of shredded paper, and there’s now space in her filing cabinet for upcoming orders.

Delete digital information and any back-ups

When removing or deleting data from computers and electronic devices, you need to be aware that electronic systems can have back-ups or background storage. This may mean that information is still held for a certain period of time, even after you think you’ve deleted it.

When you delete data electronically with the intention of destroying it, you need to make sure it’s no longer usable by you or anyone else. You shouldn’t be able to still access or use the data after you’ve deleted it, such as through your recycle bin. Often, digital systems will hold on to data in your bin until it’s automatically replaced or overwritten.

There are two methods available. You could try:

  • getting secure deletion software installed that will overwrite data one or more times; or,
  • seeking specialist IT advice if you need it.

Secure deletion software is available from IT security firms. There are also other free software products which you can download and use, but make sure it comes from a reputable source and double-check any claims made by the company.

You need to be able delete data securely from a range of devices and types of media, and you may decide that a third party can do this securely on your behalf.

For example, Helen runs a small financial advice firm. She holds personal data of her clients relating to their finances on her work laptop.

When Helen no longer needs the data of a client, she deletes their records from her laptop. The laptop has an automatic back-up system which means that the information is still saved in the background until it’s overwritten. Helen deletes the client’s records from her recycle bin, to make sure they’re really gone. She also knows of other copies of the same documents in her email ‘sent’ items, which she also deletes. Helen keeps a list of her process for deleting digital records securely so that she doesn’t forget any of her steps accidentally.

Check what contracts you have in place

You’ll need to check the credentials and processes of anyone you hire to help you (called ‘data processors’), to be sure your data will be deleted securely. You also need to have a contract  in place if you’re going to grant them access to the personal data you hold.