When choosing a shredding services provider to destroy your confidential documents, there are a number of things you should consider.
Firstly, any responsible shredding service provider will be fully accredited to keep your confidential documents safe before, during, and after destruction.
Some of the key certifications you should look for as a starting point are ISO 9001:2015 incorporating EN 15713 and BS7858, ISO 14001:2015, and PCI DSS Level 1 Service Provider certification. Holding these certifications demonstrates a high level of information security along with a stringent, compliant and functional Quality Management System. When a supplier holds them, it is a strong indicator that they are qualified to handle and destroy your confidential paperwork.
Once you find a fully certified supplier, you will typically find that their shredding operations meet at least one of two standards: EN 15713 or DIN 66399.
But what are the differences between EN 15713 and DIN 66399 standards, and why does it matter?
EN 15713 Standards
EN 15713 is, in summary, a set of standards and recommendations for the management and control of confidential material destruction. It covers the whole process, from collection to destruction, as well as onward recycling, vetting of personnel and site security. These recommendations help companies destroy confidential material responsibly and cover a broad range of security measures. We summarise these measures, as outlined in the BS EN 15713 Code of Practice, below. This information is correct at the time of publication.
The company should have an office or operational centre for keeping business documents, records, files and so on, and this space should be separate from any other business or activity on the same site.
The company premises should have an approved intruder alarm system installed covering the processing, storage and office areas. There should also be CCTV recording the unloading, storage and processing areas. The company must keep all CCTV recordings for a minimum of 31 days unless an alternative agreement is in place with the client. Authorised visitors may enter operational areas only when supervised by appropriately screened personnel; unauthorised visitors should have no access to operational areas.
Contracts and Audit Trail
Between all clients and the company, there should be a written contract covering all transactions.
If a company sub-contracts any work where the sub-contractor destroys confidential material, the sub-contractor must also conform to EN 15713 standards. In every instance where the company uses a sub-contractor, they must inform the client.
Security Screening of Personnel
Businesses should screen all staff to BS7858 standards, and each member of staff must sign a deed of confidentiality. BS7858 screening involves criminal record checks, credit checks, five years of written employment verification and verification of any gaps in employment. It also involves character references and right-to-work checks.
Collection of Confidential Material
All collections of confidential material should be made by staff that have received the proper training, are wearing identifiable clothing and are carrying photo ID. All materials collected should be protected from unauthorised access at every step, from the point of collection until destruction is complete. Where possible, confidential materials collected should also be stored in secure locked containers or containers secured by an individually numbered security seal.
Retention of Confidential Material
Confidential materials that are collected for destruction must be destroyed within one working day from the time of arrival at the destruction centre.
Off-Site Collection Vehicles
Off-site shredding collection vehicles should be box-bodied or have a secure demountable container. They should also be fitted with lockable or sealable doors and electro-mechanical immobilisers or alarm systems. They should be immobilised or alarmed when left unattended, and locked or sealed during transit. The operatives in the vehicles must have a clear line of communication with the company available at all times, for example via radio or telephone.
On-Site Shredding Vehicles
On-site shredding vehicles should be box-bodied and be fitted with lockable or sealable doors. The vehicle should never be left unattended when there is unprocessed confidential material on board. Nor should any unprocessed confidential material be removed from the client’s site. As with the off-site collection vehicles, the operatives in on-site vehicles must have a clear line of communication available with the company, either by phone or radio.
End Product Disposal
EN 15713 also covers how companies dispose of materials after destruction. Businesses should recycle all recyclable materials where practicable. Where recycling isn’t possible, consideration should be made regarding the environmental impacts, costs, and convenience of using other methods of waste disposal. At Shred Station, we recycle 100% of paper and all other materials where we can. Non-recyclable materials will be used to make refuse-derived fuel or sent to Energy from Waste plants. Nothing we shred goes to landfill.
As well as all of the above, BS EN 15713 standards also focus on shred material and shred size. These sizes should be suitable for rendering the material unreadable, illegible and not possible to reassemble. We outline these sizes and materials in the table below.
The information cited in the table above is taken from the BS EN 15713 Secure Destruction of Confidential Material Code of Practice. It is correct at the time of publication – August 21st 2020.
At Shred Station, we take many additional steps above and beyond the scope of EN 15713 to keep your confidential data secure. One of the most important additional benefits of using an industrial shredding company comes from commingling. This is a process where we mix all of the paperwork we collect before, during and after shredding. By commingling our customer’s data, we make sure all documents and fragments are spread amongst several tonnes of other paperwork. This makes documents truly impossible to put back together. We also have CCTV monitoring within our vehicles, not just at our sites. These are just a few of the many security features we employ.
In contrast to EN 15713, DIN standards focus mainly on materials and the size of the shred, rather than taking the more comprehensive approach of EN 15713.
DIN 66399 Standards
DIN (Deutsches Institut für Normung, or the German Institute for Standardisation) publishes thousands of standards covering many fields. DIN 66399 is the German national standard relating to shredding. However, DIN 66399 is not as comprehensive as EN 15713: it focuses mainly on shred size rather than on general security. So, while you may hear DIN mentioned in reference to paper shredding, it is not always the best way to measure the security of shredding services in the UK.
Why do so many organisations and products refer to DIN standards?
The reason DIN standards might sound familiar is that most home or office shredders specify the DIN 66399 standard shred sizes in their product descriptions. For example, your home shredder may shred to DIN Level 1 Security or DIN P-1.
But what does this mean?
Under DIN 66399 standards, there are two main areas of focus. The first is the classification of data.
How is data classified?
Data is classified by DIN into protection classes. These classes are determined by how much protection that data needs and the level of security needed to destroy that data.
- Class 1 is data with a normal need for protection. While this data could contain personal information and should be protected, there is only a slight to moderate risk that any individual or business would be adversely affected by unlawful access to it. Examples of Class 1 data could be a business telephone list, address details, or supplier data.
- Class 2 is data where there is a high demand for confidentiality. Any unauthorised access to Class 2 data could risk an individual or business experiencing significant adverse impairments. This could be financial or personal. An example of Class 2 data could be something like a business’s balance sheets or internal reports.
- Class 3 data is data with a requirement for a very high level of confidentiality. With Class 3 data, there must be a guarantee of protection of personal data. It also includes any data where the disclosure could pose a significant risk to health or even life. Examples of Class 3 data could be top-secret government documents or information that could identify individuals in witness protection.
The second area of focus is shred particle sizes. These particle sizes represent a level of security as determined by DIN.
What are the levels of security?
DIN has determined seven levels of security that shred sizes represent. Level 1 is the lowest level of security and the largest particle size. Level 7 is the highest level of security and the smallest particle size.
For example, your home shredder might destroy paperwork to DIN Level 1, or P-1. P-1 indicates that paper will be shredded into long strips of approximately 12mm in width. For an A4 piece of paper, this works out to be around 17 or 18 strips. This is the lowest level of paper shredding security according to DIN standards.
It is worth noting that the particle size required to meet a given level may differ between materials. For example, to meet Level 3, paper should be shredded to particles of 320mm² or smaller, whereas for electronic data media to fall within the scope of Level 3, or E-3, the particle size must be a maximum of 160mm². The levels of security for each material are shown in the table below.
The information cited in the table above is taken from the DIN 66399 Code of Practice, cited by the German Society for Data Protection and Data Security, and ProDevice EU. It is correct at the time of publication – August 21st 2020.
In general, Security Levels 1, 2 and 3 are recommended for Class 1 data. Class 2 data is usually recommended to be shredded to Level 3, 4 or 5. Class 3 data is recommended to be shredded to Security Level 4, 5 or 6.
While size is an important thing to consider when shredding, the wider security measures, such as those set out by EN 15713, are a better indicator of how safe a shredding service is.
Shredding Standards at Shred Station
Here at Shred Station, we incorporate EN 15713 within the scope of our ISO 9001 and ISO 14001 certifications. We do this so that BSI, the certification body that audits our ISO certifications, can also audit us against the security clauses set out in EN 15713. At Shred Station, we felt this was an important choice to make. We hope it gives our customers assurance that our security measures are regularly monitored and audited by a neutral third party.
We would always recommend finding a provider who shreds to BS EN 15713 standards. This is because EN 15713 includes information security requirements rather than just the shred size specified in DIN standards.
Most reputable shredding companies will have this information listed on their website. If you’re unsure, it’s always best to ask.
Two further credentials to look out for when choosing a shredding supplier are membership of the BSIA (British Security Industry Association) and of the UKSSA (United Kingdom Security Shredding Association). The BSIA was a driving force behind the introduction of EN 15713 in the UK and is currently working on revising it. All BSIA members undergo stringent verification of their certifications when joining. The BSIA has led and shaped Britain’s security industry for over four decades, and our Commercial Director, Kristian Carter, is Vice Chairman of the BSIA’s Information Destruction section.
Much like the BSIA, becoming a member of the UKSSA involves several checks. With the UKSSA, members will receive an annual visit from a UKSSA representative who conducts a Code of Practice audit. This audit is to make sure companies comply with BS7858 and BS EN 15713 standards.
Shred Station is proud to be a fully compliant provider of data destruction services. We are also a member of the BSIA and UKSSA.
If you’d like to read the BSIA (British Security Industry Association) guide to EN 15713, you can do so via this link: https://www.bsia.co.uk/zappfiles/bsia-front/Pdfs/141-en15713-compliant-companies.pdf