IAPF11. Secure Disposal and Destruction Policy. Lancashire County Council Information Assurance Policy Framework. Purpose

Transcription

1 IAPF11 Secure Disposal and Destruction Policy Purpose This policy is part of the council's information assurance framework and establishes the secure disposal and destruction requirements necessary for the council to implement its strategic objectives for information governance in accordance with the Information Governance Policy. All physical records containing personal or otherwise sensitive data whether on paper, removable media or ICT devices such as laptops, must, when no longer needed, be destroyed promptly and securely. The specific objective of this policy is to define standards for the secure disposal and destruction of the council's information assets when no longer required. Standards are required so that the council can meet its obligations under the Data Protection Act 1998 and other legislation and to meet its commitments to partner organisations and members of the public regarding the custody of information. The standards defined allow for the establishment of effective, risk based procedures and guidelines for implementing information assurance and reinforce the council s commitment to ensuring that its information assets are protected and secure. Scope This policy applies to all employees, partners and, as appropriate, third party staff engaged on council business and who have access to information assets and associated systems and storage devices. All records and information directly handled by employees and agents of the council are covered by this policy. All staff must dispose of information that is no longer needed in a way which avoids or minimises the risk of unwanted disclosure of sensitive records or information. This policy covers the physical disposal information assets in any form. Information assets include information on paper, in files, diaries and notebooks; information on shared drives, in accounts and personal drives; and on allowed electronic devices (Laptops, CD/DVD's, and Blackberry's etc.). The issue of whether particular records should be destroyed at any particular time is outside the scope of this policy. This is covered in the Records Management and Data Protection policies. However, physical destruction decisions must take those policies into account.

2 Risk Assessment The main categories of risk within the council are: Emerging issues affecting the council and its services. New projects and service developments. Current issues or developments within the council's existing services. Monitoring of performance measures. On-going provision of the council's services. The Information Governance Policy defines how the management of each risk category should be evidenced and each category should be considered in applying appropriate secure disposal and destruction standards. Managers must ensure that standards which reflect this policy are in place and that staff are aware of the reasons for these and the expectations around compliance. All staff, when handling information or using systems, must dispose of information in a way which avoids or minimises the risk of unwanted disclosure of sensitive records or information. The level of protection must consider the nature and sensitivity of the information assets so that the standards applied ensure appropriate protection is maintained at all times. Standards Once the decision is made to dispose of records or equipment the redundant items must be kept secure until actual disposal or destruction occurs. Devices containing sensitive or personal information should be physically destroyed or the information should be destroyed, deleted or overwritten using techniques to make the original information non-retrievable. This should be checked prior to disposal or re-use. Damaged devices containing sensitive data may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded 1. (ISO27002 Paragraph 9.2.6). The secure disposal and destruction of ICT equipment, including Laptops and PCs etc. is the responsibility of One Connect Limited who operate a secure disposal contract with an external recycling firm. Any external recycling firm must be compliant with: The Waste Electrical and Electronic Equipment (WEEE) Regulations. BS EN 15713:2009 Secure destruction of confidential material Code of practice. 1 See the References Section for more information

3 Printed material containing personal or otherwise sensitive data should be disposed of promptly and securely when no longer required. This should only be carried out using the confidential waste bins provided by the corporately approved confidential waste disposal contractor. General waste recycling and office waste bins must not be used for the disposal of confidential waste. When rooms are vacated or files, cabinets, cupboards, vehicles or any other item which may hold printed material/removable media, devices are disposed of, they should be checked to ensure that records are not left behind. All such checks should be thorough and include a check of every space which might hold records. This would include, for example, the removal of drawers from cabinets and desks. Any records found should be destroyed, filed or archived. Records which are to be archived should be sent to the Records Management Service. Records Management Service will then undertake disposal processes when and if appropriate. Physical records which have become the subject of a Freedom of Information Act request should not be amended or destroyed. This is an offence under the Freedom of Information Act. Housekeeping and office security procedures should be followed to minimise the chance of losing copies of information which should be destroyed. References Data Protection Act 1998 Code of Conduct for Employees Records Management Policy BS ISO/IEC 27002:2005, the code of practice for information security management. The standard quoted in this policy is seen as best practice and should be applied. The protection applied to all information assets should be assessed in accordance with the council's Information Classification Scheme. The council's information assurance policy framework is designed to provide a layered approach to information security and assurance, ensuring that suitable precautions are adopted in all situations. Individual policies should not be considered in isolation but rather as elements of the whole.

4 Governance and responsibilities All Managers are responsible for ensuring that relevant policies and supporting standards and guidance are built into local processes and that there is on-going compliance on a day to day basis. Any breaches or suspected breaches of confidentiality or information security must be reported in accordance with the Security Incident Management Policy. Managers must ensure that all employees responsible for handling information assets are aware of and understand the requirements of this policy. All Managers are responsible for the identification of existing or emerging information risks relating to their service area and either addressing or reporting the issues to CIGG for consideration. Where risks cannot be addressed locally, or require input from another party, e.g. One Connect limited, they should be reported in accordance with the Security Incident Management Policy to ensure the issue can be considered by CIGG. All staff, including permanent, temporary, contractors and any individual who has been given access to the council's network, systems or other information must comply with this policy and are expected to report non-compliance or weaknesses to their line manager or in accordance with the Security Incident Management Policy if appropriate. Confidential waste contractors who remove and destroy unwanted records are, under the Data Protection Act, acting only as agents of the council and responsibility for security remains with the council until actual destruction occurs. Compliance Non-compliance with this policy could have significant effects on service delivery and may adversely impact individuals, waste resources and cause reputational damage to the council. The SIRO and CIGG are responsible for ensuring overall compliance with the Policy. The council's code of conduct for employees sets out the behavioural standards that must be upheld by all employees of the council and forms part of the council's terms and conditions of employment. Compliance with this policy is mandatory. Non compliance may result in action being taken under the council's Disciplinary Procedure and could result in dismissal from employment with the council. A breach of policy involving a partner or third party organisation will be treated as a security incident and investigated in accordance with the Security Incident Management Policy. Appropriate action will be agreed with the SIRO taking into consideration any specific contractual recourse or sanctions available. Definitions Secure disposal Means that information is destroyed in such a way that reconstruction of the unwanted data is very unlikely.

5 Information Asset A body of information defined and managed as a single unit so it can be understood, shared, protected and exploited effectively.

6 Document Control Organisation Lancashire County Council Title IAPF12 Secure Disposal and Destruction Policy Author Ian Shipcott Filename Owner County Secretary & Solicitor (SIRO) Subject Information Governance Protective Marking Not Protectively Marked Review date Revision History Version Status Revision Date Summary of Changes Author 0.1 Draft 30/1/13 First Draft I Shipcott Review and Approvals Title Name Signature IG Project Lead CIGG SIRO Date of Issue Distribution This document has been distributed to: Name Title Date of Issue Version