The truth about international security standards

In the last 12 months, shredder sales have risen across the UK and most of Europe. On first look, this is positive news for all those involved with data protection, but we can’t rest on our laurels yet. News of regular fines show that many organisations still haven’t got it quite right. Mark Harper of HSM provides insight into why…

Almost a year on from the introduction of GDPR, the number of home and office shredders sales has risen on a global scale. Expectedly, the rise in sales can be linked to the ‘hot topic’ of data protection – a knock on effect from the GDPR regulation update in May 2018.

Yet, even those who are actively participating in new security procedures are still at risk. With the growing need to protect the security of confidential documents, it seems many may have jumped the gun – purchasing shredding solutions that might not actually fit their security needs.

The issue seems to reside with education. In particular, education around the official security standards, developed for the destruction of confidential data. Shredding solutions will cut to certain particle sizes, tailoring document security for all types of organisations.

However, with seven official levels of security, it’s important for data handlers to understand the needs of the different documents handled in their organisation. This is the only sure way to maintain the security of confidential data.

International security standards

Since 2012, the processes for shredding data carriers have been regulated by the EU’s DIN standard 66399. These security standards are designed to provide transparency and clarity for data handlers in their efforts to securely dispose of sensitive and confidential data.

Following GDPR, the standards were internationalised in August 2018 and are now governed by the International Organization for Standardization (ISO) – world renowned for developing and publishing international standards.

Different levels, different users

Home and office shredders are designed to cut paper into particles that coincide with the international security standards. With this in mind, shredding sensitive data at an incorrect or unknown level can nearly be just as detrimental as not shredding at all. Data handlers need to understand two key factors of document security – which security level each area of their organisation needs to be shredding at and what security level their shredders are cutting at.

The seven security levels, outlined by the ISO, are as follows;

P-1 and P-2

Security levels known as P-1 and P-2 are the lowest security levels available, with documents being ‘destroyed’ using strip-cut devices. Strip-cut paper waste is typically large, with many single sheets being cut down to around 20-50 strips only – depending on the width of the cut.

Because of this, there is a possibility for shredded documents to be reconstructed (particularly if waste is produced in small quantities). This level of shredding is not commonly used outside of the home and does not cover the security that many data handlers need. Even documents that can be commonly found in the home (e.g. bank statements and bills) are at risk when using strip-cut devices. The lowest levels of security still provide the highest degree of risk.

You might also like...  Recognising the early signs of burnout

P-3

The P-3 security level is a lower security cross-cut shred and is mostly used in smaller personal shredders. Whilst certainly more secure than strip-cut, it is at the lower end of security for shredding personal information.

Whilst it’s true that paper documents will benefit from the additional security that P-3 cross-cut provides, there is still a risk of reconstruction, especially when in small quantities.

P-4 and P-5

Also cross-cut solutions, both the P-4 and P-5 levels are most suited for use within conventional commercial environments. The use of cross-cut mechanisms enable data handlers to destroy paper documents at a level where reconstruction is near impossible.

Suited to general office shredding, at a P-4 level, shredders are typically capable of producing over 400 pieces per A4 page – a far cry from what is produced at P-1 and P-2.

For those dealing with highly sensitive personal data or commercial data, such as HR departments, finance and commercial outlets that regularly handle customer information, P-5 is a suitable security level. According to the Centre for Protection of National Infrastructure, part of the Home Office, destruction of anything below a P-5 level is suitable for shredding classified documents within government facilities. At P-5, documents are cut to produce around 2,200 pieces, giving a staggering potential of 19.5 million reconstruction possibilities per page.

P-6 and P-7

The highest of all security levels, P-6 and P-7 both destroy documents to a state where reconstruction is impossible via any current method.

Used at government levels and spanning to military forces, police HQs and security services, these levels of security are used for ‘Top Secret’ documentation. Although P-6 and P-7 levels are seen as the most secure and effective way of destroying confidential documents, they are not commonly needed for anything below the very highest-level confidential documents.

Knowledge is the key

These international security standards have been put in place for good reason. You only have to look into some of the fines issued by the Information Commissioner’s Office to see what happens when they’re not followed correctly.

No longer can we be under the illusion that owning a shredding solution is enough. When it comes to data protection, it’s just as important to understand and implement appropriate security levels as it is using a shredding solution. You must educate your organisation to protect your data.

Don’t forget to follow Dealer Support on Twitter!