Secure Disposal Policy | Guidelines and Procedures | Electronic and IT Records and Systems | Disposing of Removable Media Devices | Template for FCA Applications and Authorised Firms

1 Policy Statement

[Your Company Name] (hereinafter referred to as the “Company”) confirms that we are committed to the secure and safe disposal of any confidential waste and information assets in accordance with our contractual and legal obligations and that we do so in an ethical and compliant manner.

We have specific measures for deleting and erasing personal information documented in our Data Retention & Erasure Policy to ensure compliance with the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA18).

 2 Purpose

The purpose of this document is to provide the Company’s statement of intent on how we dispose of secure information and confidential data in accordance with our legal, statutory and regulatory obligations. The Company ensures that we have: –

• a standardised and established approach to handling the disposal of confidential waste and information assets
• procedures in place for the disposal of secure waste; including hard copies, electronic formats and information assets
• a dedicated Retention & Erasure Policy within our GDPR/DPA18 program to comply with our data protection obligations
• guidance for staff on dealing with secure disposal and/or destruction
• controls and measures in place to comply with any regulatory or legal requirements as they relate to the disposal and destruction of confidential waste and hardware

3 Scope

This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.

4 Objectives

The Company have put into place numerous principles and processes for handling the disposal of confidential waste materials and information assets (information and physical), as detailed  below. The Company ensures that: –

• We have a standardised and established approach to handling the disposal of confidential waste and information assets
• We have procedures in place for the disposal of secure waste, both hard copies and electronic formats and information assets
• We provide guidance for staff on dealing with disposal and/or destruction
• We have robust controls and measures in place to comply with any regulatory or legal requirements as they relate to disposal and destruction
• Secure waste bins are used for sensitive and/or confidential wastepaper
• Confidential paper is never used a scrap or re-printed onto
• Confidential wastepaper is never placed into the general waste bin or outside disposal receptacle unless it has been securely shredded
• Waste will be stored in accordance with the waste disposal procedures if not collected immediately, that includes being locked away securely if left overnight, or in an unoccupied building
• Physical and IT assets are encrypted and/or reformatted prior to disposal
• The IT Manager must provide authorisation for assets removal and disposal
• Assets are disposed of in accordance with the manufacturer’s guidelines
• Assets, equipment and information are disposed of in an authorised, appropriate, legal and environmentally sound manner adhering to appropriate standards or codes of conduct [insert if you are accredited with ISO27001 or Cyber Essentials]

5 Guidelines & Procedures

Once a record, document or data has reached its designated retention period date, the designated owner should refer to the retention register for the action to be taken. Not all data or records are expected to be deleted upon expiration; sometimes it is sufficient to anonymise the data in accordance with the GDPR/DPA18 requirements or to archive records for a further period.

5.1 Destruction and Disposal of Records & Data

All information of a confidential or sensitive nature on paper, card, microfiche or electronic media must be securely destroyed when it is no longer required. This ensures compliance with the Data Protection laws and the duty of confidentiality we owe to our employees, clients and customers.

5.1.1 Paper Records

Due to the nature of our business, the Company retains paper based personal information and as such, has a duty to ensure that it is disposed of in a secure, confidential and compliant manner. The Company utilise [Onsite-Shredding or A Professional Shredding Service Provider] to dispose of all paper materials.

[Employee shredding machines/Confidential waste sacks/Insert process] are made available throughout the building and where we use a service provider for large disposals, regular collections take place to ensure that confidential data is disposed of appropriately.

5.1.2 Electronic & It Records and Systems

The Company uses numerous systems, computers and technology equipment in the running of our business. From time to time, such assets must be disposed of and due to the information held on these whilst they are active, this disposal is handled in an ethical and secure manner.

The deletion of electronic records must be organised in conjunction with the IT Department who will ensure the removal of all data from the medium so that it cannot be reconstructed. When records or data files are identified for disposal, their details must be provided to the designated owner to maintain an effective and up to date a register of destroyed records.

Only the [Named Person/ IT Manager/IT Department] can authorise the disposal of any IT equipment and they must accept and authorise such assets from the department personally. Where possible, information is wiped from the equipment through use of software and formatting, however this can still leave imprints or personal information that is accessible and so we also comply with the secure disposal of all assets.

In all disposal instances, the [Named Person/ IT Manager/IT Department] must complete a disposal form and confirm successful deletion and destruction of each asset. This must also include a valid certificate of disposal from the service provider removing the formatted or shredded asset. Once disposal has occurred, the [Named Person/ IT Manager/IT Department] is responsible for liaising with the information Asset Owner and updating the Information Asset Register for the asset that has been removed.

It is the explicit responsibility of the asset owner and [Named Person/ IT Manager/IT Department] to ensure that all relevant data has been sufficiently removed from the IT device and where applicable, backed up, before requesting disposal and/or prior to the scheduled pickup.

5.1.3 Disposing of Removable Media Devices

When the Company no longer has use for any removable media devices or where they are no longer functioning due to damage or corruption, they are securely disposed of to protect any remaining information and prevent data leakage or unauthorised access. All types of removable media are given to the [Named Person/ IT Manager/IT Department] for disposal and no employee is permitted to carry out this process themselves.

The [Named Person/ IT Manager/IT Department] formats all media types and ensures that information and materials have been fully removed from the device prior to disposal. However, as technology advances, the Company are aware that methods can existing to retrieve partial data or imprints from removable media and as such, secure disposal methods are still used as well as encryption techniques. The [Named Person/ IT Manager/IT Department] has access to specialist software and tools for the erasure, formatting and disposal of removable media types or where this is not possible, the Company employs a professional service provider to carry out this task.

[If you utilise a service provider for shredding documents and/or disposing of software or hardware, you can detail the provider here]

6 Responsibilities

The Company will ensure that all staff are provided with the time, training and support to learn, understand and implement this Secure Disposal Policy and subsequent procedures. Management are responsible for a top down approach and in ensuring that all staff are included and have the support needed to meet the regulatory requirements in this area.