15 September 2019

Dispose of information securely

To keep or not to keep? That is the question

Think Secure

When it comes to securely disposing of information, look no further: Think Secure are here to help. Here are our top three tips:

  • Securely dispose of information using confidential waste bins and always clear out your online recycle bins
  • Know your retention periods
  • Ensure you obtain a proof of destruction certificate.

Want to know more? Let us walk you through – and be sure to check out Think Secure’s ‘How To’ guide to assist you in securely disposing of your information.

We’re all guilty of data hoarding and being reluctant to delete or dispose of information that we no longer have a legitimate business or legal need for. However, retaining some types of information longer than we are allowed, or not managing it properly when it is no longer needed, can lead to information being leaked, or to us finding ourselves in contravention of laws such as GDPR.

The GDPR introduced harsher consequences for organisations retaining personal information for too long. A breach of this nature can lead to regulatory fines, reputational damage, and loss of business from customers. Holding onto other types of commercially sensitive information for longer than necessary can also be a risky move, as it increases the likelihood of information getting lost or stolen without your knowledge; this, too, is a data breach.

Our information should be securely and appropriately disposed of, and it is important that you are aware of how to do this, whether it is held in an electronic format or in paper documents. At all stages of the Information Lifecycle, you should constantly be asking yourself the question ‘to keep or not to keep?’

So what are my options for disposing of paper documents?

All Internal, Confidential and Strictly Confidential paper documents must be disposed of in a secure way when they are no longer needed using the ‘confidential waste bins’ or designated shredders in the office. This ensures that such documents are securely disposed of, unreadable and inaccessible to unauthorised persons.

Failure to correctly dispose of sensitive information puts us at serious risk of a data breach. This happens when unauthorised persons (known as dumpster divers) obtain the information that we have ‘thrown out’ without adequate safeguards. For example, in 2017 in Australia, more than 700 public patients had their privacy breached and faced potential delays in their follow-up care after more than 1,600 medical letters were found dumped in a Sydney bin.

Remind yourself of what qualifies as Internal, Confidential and Strictly Confidential information:

  • Internal information is information that is accessible to all employees, agents and contractors relating to the ongoing business of RMG, e.g. internal emails or newsletters.
  • Confidential information is personal data or information assessed to be of a sensitive nature and likely to cause damage following unauthorised disclosure, e.g. customer data (like names and addresses), employee records, project status updates.
  • Strictly Confidential information is highly sensitive personal data or information assessed to be so sensitive that unauthorised disclosure would cause acute reputational damage to RMG, e.g. staff payroll details, customer bank details, board papers.

Only public information can be disposed of using normal recycling bins.

Ask yourself – ‘even though I no longer have a need for this information, would it still be considered valuable to other unauthorised or unlawful individuals?’

When you throw away documents containing sensitive information, or even if you shred in-house and dump the remnants in the rubbish, dumpster divers can easily snatch and steal your hard copies. These thieves can then use that confidential data to breach your system. Once inside, they might discover a wealth of data in digital files you should have destroyed. Is it worth taking the risk?

Shred the risk of a data breach by ensuring that you handle your information in the correct way and dispose of it in the correct manner.

Electronic documents

Digital information that you store on your RMG laptop or work device also needs to be securely disposed of/deleted when it is no longer deemed necessary for lawful processing. This also makes for good information management – storing too much information that you don’t need costs us money in storage, and you in time when you need to find files.  

Have you ever wondered where information you ‘delete’ off your laptop goes? When you first delete a file or document on your device, it is moved to the computer's Recycle Bin, Trash, or something similar depending on your operating system. When sensitive information is moved into your Recycle Bin, it still exists and therefore hasn’t been securely disposed of, which doesn’t do much for reducing the risk to your information or Royal Mail.

When deleting a document from your device or from a SharePoint site you also need to delete it from your Recycle Bin. This ensures that it has been deleted from your machine and that it is no longer available or accessible.

Decommissioning information systems

Information stored on information systems, provided by Royal Mail or a third party supplier, should not be forgotten. If you are developing a new system or piece of software it is important that you consider what to keep, or not to keep, from the piece of kit you are currently using. Budget to decommission and seek guidance from Group Technology.

Click here for a step-by-step guide on how to securely dispose of information on your device or SharePoint site.

How do I know whether my information needs to be deleted or not?

So you know how to securely dispose of information, which is great, but do you know what information (and there’s a lot of it!) actually needs to be disposed of, and when it needs to be deleted by? To keep or not to keep?

Confused? Don’t worry, Think Secure are here to help.

The new European General Data Protection Regulation (GDPR) means that retention and disposal of personal and sensitive information should be managed appropriately to avoid reputational damage and potentially huge fines. Your information should only be kept as long as it is deemed necessary for lawful processing as set out in the Royal Mail Group (RMG) corporate retention schedule (CRS).

Top tip

  • Try out ‘Tidy Friday’, where we suggest that you spend half an hour on Friday mornings each week going through the information you hold, filing what you need to keep and securely disposing of anything you no longer need. Without constant review, your folders and the information they hold will become unmanageable, which increases the chances of information being lost or held for longer than necessary. This puts us at serious risk of a data breach and regulatory non-compliance, which comes with hefty consequences.

Check the CRS for the retention period of the records you hold, for guidance on how long you can retain them. Below is a definition from ISO 15489:

Records ‘are information created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business.’

Proof of destruction

For the information you store on external systems, or with trusted third party suppliers, it is important to gain assurance that these records are retained and securely destroyed in line with our requirements. To do this, you must ensure a Records Destruction Certificate is completed when the retention period or contract expires and forward it to irgt@royalmail.com for record-keeping.

Information is the lifeline of our organisation, and it is your responsibility to recognise the importance of keeping information accurate and safe when you create, share and store it and, when you no longer need it, dispose of it.

For further information on how to protect information, visit www.myroyalmail.com/ThinkSecure or contact us at ThinkSecure@royalmail.com.