Mark Harper of HSM argues that it is not enough just to buy and use a shredder. To provide the right level of security, data handlers must also gain an understanding of the different ISO security levels and which ones are most appropriate for the documents produced in their organisation.
A year on from the introduction of GDPR, home and office shredder sales have risen across the world due to increased interest in the ‘hot topic’ of data protection, a knock-on effect of the GDPR update of May 2018.
While this is positive news for all involved in data protection, shredder purchasers will still need to familiarise themselves with the official security standards developed for the destruction of confidential data, as failure to do so could mean they end up with a model ill-suited to their security needs.
In particular, data handlers will need to gain an understanding of the seven official levels of security and how they relate to the requirements of the document types handled within their organisation.
Given that shredding sensitive data at an incorrect or unknown level can be almost as detrimental as not shredding at all, data handlers need to know a) what security level each area of their organisation needs to be shredding at and b) what security level their shredders are cutting at.
International security standards
Since 2012, the processes for shredding ‘data carriers’ have been regulated by the EU’s DIN standard 66399, which is designed to provide transparency and clarity for data handlers in their efforts to securely dispose of sensitive and confidential data.
Following GDPR, in August 2018, the standards were internationalised and are now governed by the International Organization for Standardization (ISO), known the world over for developing and publishing international standards.
The standard defines seven different shredder security levels:
P-1 & P-2: Shredders with the lowest security levels, P-1 & P-2, destroy documents by cutting them into long strips – typically 20 to 50 strips per A4 sheet. Because these strips are relatively wide, there is a risk that shredded documents could be reconstructed (particularly if waste is produced in small quantities). This level of shredding is not commonly used outside the home and won’t provide the security that data handlers need. Even home users might want a more secure shredder if they plan to shred bank statements or bills. The lowest levels of security provide the highest degree of risk.
P-3: P-3 is a low security cross-cut shred that cuts pages into pieces rather than strips. P-3 is mostly used in smaller personal shredders and, whilst more secure than strip-cut, is at the lower end of the security spectrum for shredding personal information. Paper documents will benefit from the additional security that P-3 cross-cut provides, but there is still a risk of reconstruction, especially if shredding in small quantities.
P-4 & P-5: The next cross-cut security levels, P-4 & P-5, are the most suitable options for conventional commercial environments, as cross-cut mechanisms with these ratings enable data handlers to destroy documents to a level where reconstruction is near impossible. Suitable for general office use, P-4 level shredders can cut an A4 page into more than 400 pieces – a far cry from what is produced by P-1 and P-2 strip-cut shredders. P-5 is suitable for destroying highly sensitive personal data or commercial data, such as that produced by HR departments, finance departments and commercial outlets that regularly handle customer information. The Centre for Protection of National Infrastructure, part of the Home Office, states that anything below P-5 level is unsuitable for shredding classified documents within government facilities. At P-5, documents are cut into around 2,200 pieces, giving 19.5 million reconstruction possibilities per page.
P-6 & P-7: The highest security levels, P-6 and P-7, both destroy documents to a state where reconstruction is impossible via any current method. P-6 and P-7 levels are used for destroying ‘Top Secret’ documentation by Government bodies, the military, police forces and security services. They are the most secure and effective way of destroying confidential documents, and are not commonly needed for anything except the most confidential documents.
Knowledge is the key
ISO international security standards have been put in place for good reason. You only have to look at the fines issued by the Information Commissioner’s Office to see what happens when they’re not adhered to.
No longer can we be under the illusion that owning a shredder is enough. When it comes to data protection, it’s just as important to understand and implement the appropriate security levels for the documents in your organisation. You must educate your organisation to protect your data.
Mark Harper is HSM Head of Sales UK&I – Office Technology. HSM is a global provider of shredding, baling and waste compacting machinery for homes, businesses and large commercial operations. Its products, which include the HSM SECURIO, HSM V-Press, HSM shredstar and HSM Powerline ranges, are manufactured in Germany and sold in more than 100 countries.