The importance of secure document disposal in the health service

Health information is some of the most sensitive data there is and all those who handle it have a legal duty to ensure that patient confidentiality is maintained at all times. This means that even when medical records are no longer needed, they must be disposed of in a safe and secure way.

While a lot of healthcare bodies are moving towards paperless systems, there remain a vast quantity of paper records which require a safe disposal route. This ranges from patient files to test results, X-rays and medical records.
    
These are subject to a complex legal framework – including the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR) – which protects patients and ensures their data does not end up in the public domain.
    
As a result, all NHS Trusts should have their own dedicated Records Management Policy to ensure full compliance with the law, and many organisations have a dedicated Data Protection Officer.
    
So what is the best way to dispose of paper records to ensure that your legal duties are being met?
    
Security shredding is widely considered the most effective way of destroying both confidential documents and data storage media. But, according to NHS Guidelines, the use of a simple, traditional vertical shredder ‘is not suitable for sensitive or confidential information.’
    
Instead, the NHS advocates ‘the shredding of sensitive paper records to be conducted using a cross cut shredder’ in accordance with European standard BS EN 15713:2009 and the HMG Information Assurance Standard (IS5).

BS EN 15713:2009 gives businesses a framework to manage and control the destruction of any confidential material, demonstrating that they take security seriously. This means that whoever is shredding this material must meet strict security standards.
    
With this in mind, how can waste managers in the health sector ensure that their paper records and digital data are handled with the appropriate security measures in place?
    
According to Paul Caldwell, chair of the United Kingdom Security Shredding Association (UKSSA), healthcare waste managers can achieve peace of mind by looking for independent verification that the highest security standards are being met.
    
UKSSA is the only UK trade association solely dedicated to the security shredding industry. Members have to pass a security audit before they can join and are audited every two years to ensure they are maintaining rigorous standards, incorporating both EN15713 and BS 7858 (screening of security personnel).
    
All UKSSA members must also deliver services which allow their customers to meet their obligations under GDPR.  
    
“Medical records contain a huge amount of sensitive information which is protected by law, meaning it requires disposal which is 100 per cent safe and secure”, Mr Caldwell explains.
    
“UKSSA was founded 25 years ago to promote high standards in security shredding and we still live by that principle today. All our members are audited to the highest standards in the data destruction industry, meaning that if you employ an UKSSA member, you know you are getting a service you can trust.”
    
UKSSA members provide secure shredding services to healthcare providers across the country either on-site at the healthcare location – which is what the majority of healthcare providers require – or securely off-site at their state-of-the-art destruction centres.

Process
Typically, shredding services will see customers issued with high security, lockable confidential waste bins or cabinets to store material prior to collection. When the material is ready for shredding, vetted staff will come to site and transfer the material onto a secure mobile shredding vehicle kitted out with an industrial shredder, or take material off-site to a state-of-the-art destruction centre. Security is prioritised every step of the way.
    
At the end of this process, a Certificate of Destruction is issued to provide definitive proof that the process is complete.
    
All shredded material is baled and sent to paper mills for recycling into products ranging from paper towels to high quality printing papers, thereby benefiting the environment. Many security shredding providers also generate renewable energy to provide a significant proportion of the energy they use, helping contribute towards their customers’ environmental goals.
    
Shred Station is one UKSSA member company which provides secure shredding services for a wide array of health, social care and medical bodies.
    
Kristian Carter, commercial director at Shred Station, comments: “The healthcare sector handles a colossal amount of confidential information and special category data about patients.
    
“Having a reliable shredding service is vital to keep this information safe. As well as thinking about the destruction of paper documents, waste managers in the healthcare sector must also consider the destruction of items like X-rays, hard drives and old uniforms.”
    
Kristian adds: “These are just some of the many services UKSSA members deliver to customers such as NHS Trusts, hospitals, GP surgeries, dentists and private healthcare companies. If your healthcare organisation needs to destroy paper or non-paper materials, a reputable shredding service supplier will be able to help.”

Records management
According to the NHS Records Management Code of Practice, the destruction of paper records can be carried out either in-house or by a third party. However, the code stresses that if an offsite company is used, the health care body or organisation is responsible for ensuring the provider chosen meets the relevant requirements. It explains that records that do not contain personal material can be destroyed in a less secure manner, but if in doubt should be treated as confidential.
    
“Do not use the domestic waste or put records on a rubbish tip to destroy identifiable, confidential material, because they remain accessible to anyone who finds them”, the Code of Practice warns.
    
The Information Commissioner (ICO) enforces data protection laws and if these have not been complied with, it can impose fines of up to £17 million or 4 per cent of global turnover for the most serious data breaches.
    
Since the start of this year, the ICO has taken action against six healthcare organisations, with health care one of the main sectors to be targeted. This action causes reputational damage and can be very costly too.
    
For this reason, it is vital that health care organisations do their due diligence when seeking a security shredding partner and look for independent verification that standards are being met.
    
Mr Caldwell said: “Ensuring health and care data is protected is critical in the health service and this is core to what UKSSA members do. We are the gold standard when it comes to security shredding and also provide a national network of fully audited members to ensure peace of mind for national and sub-contracted work.”
    
“By using an UKSSA member, you can be assured that both your legal obligations and NHS guidelines will be met.”