- Summary of process
- Disposal and destruction
- Principles of Destruction
- Methods of Destruction
- Using a contract service
- Sensitive Information
- Appendix A
- Appendix B
Purpose These guidelines have been prepared for personnel in New South Wales public offices who are responsible for arranging the destruction of State records as part of a program of authorised records disposal in accordance with Part 3 of the State Records Act 1998.
These guidelines provide practical advice on the physical destruction of hardcopy and digital records.
When undertaking the destruction of records, it is necessary to ensure that:
- the records are no longer required for undertaking the business of the organisation (i.e. you have checked and confirmed that they are not required by business units for ongoing business)
- the records are not required for legal proceedings, an application for access (such as the Government Information (Public Access) Act 2009 or the Privacy and Personal Information Protection Act 1998 for example), or other inquiries
- destruction of the records is permitted or approved in accordance with the requirements of the State Records Act 1998
- the records are no longer required to be retained to fulfil any other statutory and regulatory requirements for retention
- there is documentation identifying which records have been destroyed, when they were destroyed, how they were destroyed and under what authority, and
- the records have been destroyed in an appropriate manner.
Appendix A of this guideline contains a checklist which can be used by public offices to ensure that they are undertaking best practice records destruction.
The terms 'disposal' and 'destruction' are often used interchangeably, but disposal does not always mean destruction, and there are a number of ways a record can be 'disposed of', including through the transfer of ownership.
Disposal is defined as a ‘range of processes associated with implementing appraisal decisions. These include the retention, deletion or destruction of records in or from recordkeeping systems. They may also include the migration or transmission of records between recordkeeping systems, and the transfer of custody or ownership of records.’ (Australian Standard AS 4390 - 1996, Records Management, Part 1 Clause 4.9)
Destruction is the complete and irreversible physical erasure of the record which ensures that the record cannot be reconstituted or reconstructed.
The disposal of State records is subject to the terms of the State Records Act. Under the Act there are a number of ways to legally dispose of State records:
- with the permission of State Records through general retention and disposal authorities covering common classes of records created by public offices, or functional retention and disposal authorities covering the records that are unique to a particular public office
- under provisions of certain legislation that authorise the destruction of certain records
- in accordance with 'normal administrative practice' (NAP). NAP provides for the routine destruction of certain records of a generally facilitative nature. For further information on NAP see Normal Administrative Practice
- by an order of a court or tribunal.
Section 21 of the State Records Act imposes a penalty for the illegal disposal of State records. All public offices must be able to account for their decisions to destroy records. If you destroy a record, you must be able to demonstrate that the destruction was permitted.
Records destruction should be:
- timely, and
Authorisation required for the destruction of records includes:
- formal disposal authorisation by State Records, usually in the form of a general or functional authority
- internal authorisation (signing off) through an organisation's internal approval process, and
- delegation / authorisation for an individual to undertake the physical destruction records.
Authorised by State Records
Retention and disposal authorities are the legal instruments, issued by State Records, which provide the formal authorisation for the disposal of records in accordance with the provisions of the State Records Act. They set mandatory minimum retention periods. A record which is authorised for destruction in an approved and current retention and disposal authority may be destroyed at the end of the minimum retention period, if it is no longer required by the public office and the retention and disposal authority identifies that the record can be destroyed rather than being required to be transferred to archival custody.
For advice on applying retention and disposal authorities to records, see Implementing a retention and disposal authority.
Authorised by your organisation
While retention and disposal authorities set mandatory minimum periods for retention, it is also important to ensure that your organisation has no further business or legal needs for the records. This can be done by ensuring that there are appropriate internal authorisation or approval processes in place. For example, providing the manager of the business unit that created and controls the records with lists of records proposed for destruction and asking them to confirm that the records are no longer required for legal, administrative, audit or financial reasons. Implementing a retention and disposal authority contains a sample records destruction authorisation form. This process can also be managed through electronic workflow mechanisms available in some electronic document management systems.
Remember, a public office must not destroy any records:
- required for current or pending legal action
- which may be required as evidence in a court case
- that are the subject of a current or pending access request or application, such as under the Government Information (Public Access) Act (GIPA), or privacy request, or
- are the subject of any other statutory access request.
If the retention and disposal authority was applied to the record on creation (commonly referred to as 'sentencing on creation'), or a period of time has elapsed since the retention and disposal authority was applied to the record, the public office should ensure that no information has been added to the record that would affect or change the retention period which has been applied to the record, and that circumstances have not changed which may require retention of the records for a further period of time.
Delegation/authorisation to dispose of records
Once all requirements for the disposal of records have been met, an appropriate officer in your organisation should give the final internal approval for the destruction of records. Each organisation should ensure that an officer is formally delegated with responsibility for this process and that this delegation is documented.
It is also important that records management staff have formal delegated authority to undertake the physical destruction of records or their transfer to archives, once signoff has been received from the business managers or other designated positions.
Records destroyed in natural disasters
There have been cases where records have been accidentally destroyed or severely damaged by natural disasters, such as flood or fire, before the minimum retention periods have been reached, or where there is no disposal coverage under a retention and disposal authority. In such cases advice from State Records should be sought before arrangements are made for the disposal of the records.
2. Appropriate destruction
The destruction of records should be irreversible, and environmentally friendly.
Destruction of records should be irreversible. This means that there is no reasonable risk of the information being recovered again or the record being reconstituted. Failure to ensure the total destruction of records may lead to the unauthorised release of information and potential breaches of the Privacy and Personal Information Protection Act 1998, which requires public offices to comply with twelve information protection principles to protect personal information.
A number of cases have been reported in the media where hard copy records have been found 'unearthed' in local garbage tips after they had been buried, left in cabinets that had been sold, and put out on the street by contract cleaners when they were placed in ordinary recycling bins. Any record stored on digital media is particularly vulnerable to abuse and illicit collection. There are many horror stories of information abuse and illicit information collection through the obtainment of hardware that has not been appropriately 'cleaned' or sanitised. Even when the records do not contain sensitive or personal information, such occurrences are very bad publicity for your organisation and the New South Wales Government as a whole.
The destruction of digital records is different to the destruction of hardcopy records. In particular, simply pressing 'delete' does not necessarily mean that the records are completely gone. While the link used to access them may be removed, they may still exist in a data store or on a server in the organisation. In other words, the deletion of a file or the reformat of a hard drive may not always be adequate. As it is increasingly difficult and expensive to completely destroy a digital record, methods of digital records media 'sanitisation' have been devised to help organisations to implement digital records destruction. (See below under Methods of Destruction).
In the case that a public office may be subjected to a discovery order, information requested that may be found as a digital record, may be ordered for reproduction regardless of whether the record is still in use for business purposes of not. Steps taken and documented to destroy the record may be a time and money saving exercise. It is also important to note that according to the State Records Act records retained by a public office, even after they are no longer in use, must still be accessible. This means that the cost of retaining a record will continue even if the record is no longer in use.
Records should be destroyed in an environmentally friendly manner. Both paper and microforms should be recycled where these facilities exist.
3. Secure / Confidential destruction
Records should always be disposed of with the same level of security that was maintained during the life of the records. The destruction of highly sensitive, personal or confidential material should be supervised by an officer of the organisation or by another authorised agent if destruction has been contracted out. For example, some records may require two officers to supervise the removal of the material to the point of destruction, ensure the destruction is complete, and sign a destruction certificate.
Extra care should be given to records containing sensitive information (see also section below on Sensitive information). Section 12 of the Privacy and Personal Information Protection Act 1998 states that a public sector agency must dispose of sensitive personal information securely to ensure the information is safeguarded against loss, unauthorised access, use or disclosure.
For hardcopy records lockable 'wheelie' bins should be used. Records should be transported in totally enclosed and lockable vehicles (to prevent records falling off the back of trucks). Sensitive records may also be shredded 'in-house' before being sent for pulping. The decision to shred records should be incorporated into the organisation's disposal authorisation processes (see Authorised Destruction section above).
4. Timely destruction
While records should not be destroyed while there is still a need for them, it is also important not to keep records longer than is necessary. Premier's Memorandum M2007-08 Efficient and Cost Effective Management of Records requires all agencies [and public offices] to apply the decisions in retention and disposal authorities to records and ensure "that they are destroyed promptly and securely when their retention period has ended."
The timely implementation of retention and disposal authorities helps to:
- reduce the cost of records storage
- reduce the time and cost associated with finding and retrieving records, and
- minimises the risks of unauthorised destruction of records.
Remember, timely destruction must be balanced by internal authorisation. Records are usually destroyed when they have reached the end of a specified retention period. However, prior to their destruction, you must ensure that the records are no longer required and that there is confirmation from the organisation that the records can be disposed of. If a decision is made to retain records longer than the mandatory minimum retention period, then the reasons for the decision should be documented to assist disposal at a later date.
5. Documenting the destruction of records
The destruction of all records must be appropriately documented, so that your organisation is able to ascertain if and when a record has been destroyed. Proof of destruction may be required in legal proceedings or in response to Government Information Public Access (GIPA) requests. Recordkeeping systems and any other documentation should note:
- the date of the destruction
- identification of who/what undertook the destruction
- an authorisation reference for the destruction (e.g. FA234 2.4.5; GA27 1.2.3; By court order; NAP etc.).
Keeping a destruction register of individual records in consignments sent for destruction, together with a certificate of destruction, will serve as proof that records have actually been destroyed. The certificate of destruction should be appropriately captured into a recordkeeping system together with other destruction documentation, for example, records of internal approval. A record of the method of destruction should also be documented if this is not already noted on the certificate of destruction.
There are a number of appropriate methods of destruction for the media on which records are stored.
The security provided by the shredding of records depends on how fine the paper is shredded. Cross shredding in a two axis shredder may be needed for particularly sensitive documents. Shredded paper may be pulped and recycled, or then used for other purposes such as insulation.
Pulped paper is reduced to its constituent fibres. If carried out correctly, it is a very secure method of destruction. Pulped paper is usually recycled.
Burning records is not recommended and should only be used as a last resort if there is no environmentally friendly method of destruction available. Densely packed paper does not burn well, so burning should be undertaken in an industrial facility (not in a backyard incinerator).
It is important to remember that the issue of digital records destruction is not driven by the media on which the record is stored, but by the information that forms the record that has been placed on the media.The process of erasing or overwriting data stored on digital media is sanitisation. The extent of sanitisation used generally depends on the classification of the record. Deciding which method to use to dispose of the media should be done through a a risk analysis of the information within the records contained on digital media to determine the sensitivity of the record and align the classification with a sanitisation technique. For further information on the classification and labelling of information, and what level of sanitisation is required, see the NSW Government Information Classification and Labelling Guidelines.
There are a range of media sanitisation products available. The Commonwealth Department of Defence has listed some of these on their evaluated product list (EPL). Not all media can be sanitised. Some media must be destroyed. Media that is suitable for sanitisation includes some magnetic media, erasable programmable read only memory (EPROM), electronically erasable programmable read only memory (EEPROM), volatile memory and non-volatile memory devices such as USB removable media, pen drives, thumb drives, flash drives and memory sticks. Other examples of media that can be sanitised include electrostatic memory devices within printers and photocopiers and video screens.
|Clear / overwrite||Using a method that clears records from media protects the record stored on that media from a keyboard attack (a keyboard attack is the search for data from resources available to the normal system users by an unknown entity).
Simple deletion is not the same as clearing as it is usually only removing the link within the system rather than removing the record. For media to be cleared the record must not be able to be retrieved through disk or file recovery utilities.
A typical and widely used example of clearing media is overwriting.
|Purge||Purging the media ensures that the information can not be recovered in a laboratory attack (a laboratory attack is a means of reconstructing information from digital media using nonstandard systems operating outside the media's usual working environment).
Purging differs from clearing, in that clearing is hiding the data under layers of nonsensical data (often new data can then be placed on top of the nonsensical data) whereas purging is randomising data so that it is no longer readable.
Some disk drives, especially those manufactured after 2001 may be sufficiently purged by using a clearing method such as overwriting.
Degaussing is an acceptable method of purging media which involves the exposure of magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains.
|Destruction||Destruction is the most extreme form of sanitisation and ensures that the media is drastically altered and can never be reused.
There are various methods of destruction including shredding, disintegration, incineration, and pulverisation and melting.
Special media formats
Due to its special nature, some media needs to be mechanically destroyed. This includes:
- Optical disks, including CDs and DVDs
- Programmable read-only memory
- Read-only memory
Videos, cinematographic film, and x-rays can be destroyed by shredding, cutting, crushing or chemical recycling.
Under the contract for the provision of Integrated Waste Management Services, all NSW Government departments, agencies, public health organisations and local government can procure secure destruction services as part of their waste management procurement. The contract is managed by NSW Procurement and further details of the contract are available from the NSW Buy website.
Following is some advice when procuring a suitable secure destruction service under the new contract.
Contractors can be engaged to destroy records. However, it is the responsibility of the public office to ensure that destruction occurs in accordance with the approved methods of destruction. Make sure you know what method of destruction your contractor is using. Appendix B contains a list of sample questions to ask a contractor.
Transport of records
The contractor can collect records from your office for destruction, or you can deliver the records to them. A closed truck should be used whenever possible. However, if there is no alternative and the contractor can only provide an open truck, ensure that the load is secured by a cover. Sensitive and confidential records should only be conveyed in a closed and lockable vehicle.
The contractor must supply you with a certificate of destruction. If records that were supposed to be destroyed are subsequently found, the certificate is evidence that the contractor was at fault, not your organisation. You may also want to request that the certificate of destruction includes the method of destruction used by the contractor.
There are different types of sensitive information to be aware of and particular care must be taken in handling and destroying records containing this information. This level of security should be maintained throughout the entire life of these records, including during the destruction process. Examples include:
- personal information
- financial or commercially sensitive information
- information given in confidence
- information relating to an investigation, and
- information posing a security risk.
Public offices collect a great deal of information about individuals, and much of this information is quite sensitive, for example criminal, health or welfare records. Even records relating to the licensing of professions, trades, and commercial activities may contain personal information that could be sensitive. All personal information must be managed in accordance with the requirements of the Privacy and Personal Information Act 1998.
Personnel files are a prime example of records containing personal information that have strict access/security restrictions while the records are active.
Financial or commercially sensitive information
Examples include files containing information on an organisation's financial position, tender bids, and any information that may give an unfair financial advantage to another.
Information given in confidence
Records may contain information that is given on condition that the information is not released. Examples include personal information and financial information, information given by government agencies (foreign governments, interstate/federal bodies) and information from any source where the provider specifies that it is given in confidence.
Information relating to an investigation
Records relating to an investigation, usually into malpractice or criminal activity, may contain sensitive information.
Information posing a security risk
Records may contain information dealing with high security risk activities and premises. Examples of such records are plans of buildings for correctional institutions or banks, procedures for the delivery of large amounts of money, and security arrangements for movements of heads of State.
Checklist for records destruction:
- Are the records authorised for destruction under a relevant and current retention and disposal authority?
- Does the organisation still require the records?
- Are the records the subject of a current or pending court case, GIPA application or Privacy request?
- Has internal authorisation for disposal been obtained?
- Do the records have special security requirements?
- If yes, have you organised the appropriate secure destruction service for these records (locked bins, in-house shredding, sanitisation, or authorised officer witnessing the destruction)?
- Have you contacted an appropriate service provider?
- Have you specified that a covered van/truck should be used for the removal of hardcopy records?
- Have you requested that the service provider provide you with a certificate of destruction?
- Have you specified that the records are to be destroyed on day of collection?
- Have you received the certificate of destruction?
- Can you confirm that the records were destroyed (either by a certificate of destruction or a note from an individual who witnessed the destruction)?
- Have you documented the details of the destruction in the organisation's recordkeeping system?
Sample questions to ask if using a contractor for the destruction of hardcopy records:
- What types of trucks are used?
- Are locked bins available?
- Where are the records destroyed? (on company premises)
- How will the records be destroyed? (methods)
- Can I witness the destruction?
- Are the records destroyed on the same day as collection?
- If same day destruction is not available, where are the records stored pending destruction?
- What type of supervision is provided when records are destroyed on another company's premises?
- Are there specific secure destruction services available?
- Are certificates of destruction provided and when are they sent?
First published 1996 (Destruction of hardcopy records) / First published 2008 (Destruction of digital records) / Revised July 2000 / Revised December 2003 / Revised 2005 / Revised 2010 / Revised December 2013 / Revised February 2015.