When choosing a shredding services provider to destroy your confidential documents, there are a number of things you should consider.
Firstly, any responsible shredding service provider will be fully accredited to keep your confidential documents safe before, during, and after destruction.
Some of the key certifications you should look for as a starting point are ISO 9001:2015 incorporating EN 15713 and BS7858, ISO 14001:2015, as well as PCI DSS Level 1 Service Provider certifications. The receipt of these certifications demonstrates high levels of information security along with a stringent, compliant and functional business Quality Management System. When a supplier has these certifications, it’s a strong indicator that they are qualified to handle and destroy your confidential paperwork.
Once you find a fully certified supplier, you will typically find that their shredding operations meet at least one of two standards: EN 15713 or DIN 66399.
But what are the differences between EN 15713 and DIN 66399 standards, and why does it matter?
EN 15713 Standards
EN 15713 standards are, to summarise, a list of standards and recommendations for the management and control of confidential material destruction. They cover the whole process, from collection to destruction, as well as onward recycling and vetting of personnel and site security. These recommendations are set out with the aims of ensuring companies destroy confidential material responsibly, and cover a broad scope of security measures. These security measures, as outlined in the BS EN 15713 Code of Practice, are summarised below. This information is correct at the time of publication.
The company should have an office or operational centre where business documents, records, files etc. are kept, and this space should be separate from other business or activities on the same site.
The company premises should have installed an approved intruder alarm system covering the processing, storage and office areas. There should also be closed-circuit CCTV recording the unloading, storage and processing areas. All CCTV must be retained for a minimum of 31 days unless otherwise agreed with the company’s client. Additionally, authorised visitors can visit operational areas as long as they are supervised by appropriately screened personnel. Unauthorised visitors should not have any access to operational areas.
Contracts and Audit Trail
Between all clients and the company, there should be a written contract covering all transactions.
If a company sub-contracts any work where the sub-contractor destroys confidential material, the sub-contractor must also conform to EN 15713 standards. In every instance where a sub-contractor is used, the client should be informed.
Security Screening of Personnel
All staff in the business should be screened to BS7858 standards and must sign a deed of confidentiality. BS7858 screening involves criminal record checks, credit checks, five years of written employment verification and any gap verification. It also involves character references and right-to-work checks.
Collection of Confidential Material
All collections of confidential material should be made by uniformed and trained staff carrying photo ID. All materials collected should be protected from unauthorised access at every step, from the point of collection until destruction is complete. Where possible, confidential materials collected should also be stored in secure locked containers or containers secured by an individually numbered security seal.
Retention of Confidential Material
Confidential materials that are collected for destruction must be destroyed within one working day from the time of arrival at the destruction centre.
Off-Site Collection Vehicles
Vehicles used for off-site shredding collections should be box-bodied or have a secure demountable container. Off-site shredding vehicles should also be fitted with lockable or sealable doors and electro-mechanical immobilisers or alarm systems. They should be immobilised or alarmed when left unattended, and be locked/sealed during transit. The operatives in the vehicles must have a clear line of communication available for contact with the company at all times. This could be via radio or telephone.
On-Site Shredding Vehicles
On-site shredding vehicles should be box-bodied and be fitted with lockable or sealable doors. The vehicle should never be left unattended when there is unprocessed confidential material on board. Nor should any unprocessed confidential material be removed from the client’s site. As with the off-site collection vehicles, the operatives in on-site vehicles must have a clear line of communication available with the company, either by phone or radio.
End Product Disposal
EN 15713 also covers how materials are disposed of once shredded. All recyclable materials should be recycled where practicable. Where recycling isn’t possible, environmental impacts, costs, and convenience of using other methods of waste disposal should be considered. At Shred Station, we recycle 100% of paper and all other materials where we can. Materials that aren’t recyclable are used to make refuse-derived fuel or are sent to Energy from Waste plants. Nothing we shred goes to landfill.
As well as all of the above, BS EN 15713 standards also focus on shred material and shred size. These sizes are determined to be suitable to render the material unreadable, illegible and not possible to reassemble. These sizes and materials are outlined in the table below.
The information cited in the table above is taken from the BS EN 15713 Secure Destruction of Confidential Material Code of Practice. It is correct at the time of publication – August 21st 2020.
At Shred Station, we take many additional steps above and beyond the scope of EN 15713 to keep your confidential data secure. One of the most important additional benefits of using an industrial shredding company comes from commingling. This is a process whereby all the paperwork we collect is mixed together before, during and after shredding. By commingling our customers’ data, we ensure all documents and fragments are spread amongst several tonnes of other paperwork. This makes full documents truly impossible to retrieve. We also have CCTV monitoring within our vehicles, not just at our sites – just a few of many security features we employ.
In contrast to EN 15713, DIN Standards focus mainly on materials being shredded and the size of the shred, rather than the more comprehensive approach that EN 15713 covers.
DIN 66399 Standards
DIN (Deutsches Institut für Normung, or the German Institute for Standardisation) have tens of thousands of standards covering many fields. The DIN 66399 standard is the German national standard related to shredding. However, DIN 66399 isn’t as comprehensive as EN 15713 and focuses mainly on shred size and not general security. So, while DIN is often referred to, it isn’t generally the most appropriate measurement of security for shredding services in the UK.
Why do so many organisations and products refer to DIN standards?
The reason DIN standards might sound familiar is because most home or office shredders specify the DIN 66399 standard shred sizes in their product descriptions. For example, your home shredder may shred to DIN Level 1 Security, or DIN P-1.
But what does this mean?
Under DIN 66399 standards, there are two main areas of focus. The first is the classification of data.
How is data classified?
Data is classified by DIN into protection classes. These classes are determined by an assessment of the level of protection that data needs, and the level of security needed to destroy that data effectively.
- Class 1 is data for which there is a normal need for protection. While this data could contain personal information and should be protected, there is only a slight to moderate risk that any individual or business would be adversely affected by the unlawful access of this data. An example of Class 1 data could be a business telephone list, address details, or supplier data.
- Class 2 is data where there is a high demand for confidentiality. Any unauthorised access to Class 2 data could risk an individual or business experiencing significant adverse impairments. This could be financial or personal. An example of Class 2 data could be something like a business’s balance sheets or internal reports.
- Class 3 data is data where there is a very high level of confidentiality required. With Class 3 data, the protection of personal data must be guaranteed. It also includes any data where the disclosure could pose a significant risk to health or even life. Examples of Class 3 data could be top-secret government documents or information that could identify individuals in witness protection.
The second area of focus is shred particle sizes. These particle sizes represent a level of security as determined by DIN.
What are the levels of security?
DIN has determined seven levels of security that shred sizes represent. Level 1 is the lowest level of security and the largest particle size. Level 7 is the highest level of security and the smallest particle size.
For example, your home shredder might destroy paperwork to DIN Level 1, or P-1. P-1 indicates that paper will be shredded into long strips of approximately 12mm in width. For an A4 piece of paper, this works out to be around 17 or 18 strips. This is the lowest level of paper shredding security according to DIN standards.
It is worth noting that the particle sizes required to meet a certain level may differ between materials. For example, to meet Level 3, paper should be shredded to be smaller than or equal to 320mm². For electronic data media to be considered shredded to Level 3, or E-3, the particle size must be a maximum of 160mm². We’ve outlined those levels of security for each material in the table below.
The information cited in the table above is taken from the DIN 66399 Code of Practice, cited by the German Society for Data Protection and Data Security, and ProDevice EU. It is correct at the time of publication – August 21st 2020.
In general, Security Levels 1, 2 and 3 are recommended for Class 1 data. Class 2 data is usually recommended to be shredded to Level 3, 4 or 5. Class 3 data is recommended to be shredded to Security Level 4, 5 or 6.
While size is an important thing to consider when shredding, it’s the wider security measures, such as those set out by EN 15713, that are a more accurate indicator of how safe a shredding service is.
Shredding Standards at Shred Station
Here at Shred Station, we choose to incorporate EN 15713 within the scope of our ISO 9001 and ISO 14001 certifications. We do this so BSI, the auditor for ISO certifications, can audit us against the security clauses outlined in EN 15713. At Shred Station, we felt this was an important choice to make. We hope it gives our customers assurance that our security measures are regularly monitored and audited by an unbiased third party.
We would always recommend finding a provider who shreds to BS EN 15713 standards. This is because EN 15713 includes information security requirements rather than just the shred size specified in DIN standards.
Most reputable shredding companies will have this information listed on their website. If you’re unsure, it’s always best to ask.
Two additional certifications to look out for when choosing a shredding supplier are memberships with the BSIA (British Security Industry Association) and UKSSA (United Kingdom Security Shredding Association). The BSIA was a driving force behind the introduction of EN 15713 in the UK and is currently working on revising it. All BSIA members undergo stringent verification of certifications when joining. The BSIA has led and shaped Britain’s security industry for over four decades, and our Commercial Director, Kristian Carter, is Vice Chairman of the BSIA’s Information Destruction section.
Much like the BSIA, becoming a member of the UKSSA involves several checks. With the UKSSA, members will receive an annual visit from a UKSSA representative who conducts a Code of Practice audit. This audit is to make sure companies are compliant with BS7858 and BS EN 15713 standards.
Shred Station is proud to be a fully compliant provider of data destruction services and a member of the BSIA and UKSSA.
If you’d like to read the BSIA (British Security Industry Association) guide to EN15713, you can do so by clicking on this link: https://www.bsia.co.uk/bsia-front/pdfs/204-id-en15713%20-%20a%20guide.pdf