The role of secure shredding services in the NHS

For the NHS and other healthcare providers, managing data is absolutely essential to maintain the integrity of patient records. The United Kingdom Security Shredding Association explains why.

Organisations involved in healthcare inevitably create mountains of data on electronic devices and plenty of paperwork. Clearly, it is vitally important for anybody that holds sensitive data to manage it properly.

In 2014, the Federal Bureau of Investigation warned American hospitals and healthcare companies to ensure their data security was strong. This was because hackers were targeting patient data that was considered easy to access.

Often, this data was more valuable to criminals than credit card data, because typically people noticed something wasn’t right and cancelled their credit card details. With medical records, people are often unaware that their data has been stolen. But stolen medical records can be used as a way to create a false identity to obtain NHS medication for an improper purpose such as to sell or send abroad.

Potentially, stolen records can be used to blackmail people about conditions that they might not wish to reveal for professional or personal reasons. There is also the moral right that people’s personal information should be kept secure. Alternatively, stolen data from NHS operations such as procurement or commissioning can also be used by criminals to issue false invoices or to purchase drugs.

According to the NHS Counter Fraud Authority, fraud costs the NHS £1.29 billion a year. That’s enough to pay for over 40,000 staff nurses or to purchase 5,000 frontline ambulances.

GDPR regulations
There is also a duty on NHS and other health and social care providers to meet the provisions of both the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). In some (but not all) cases, patients will also have a right for their data to be erased under GDPR.

Simon Ellin, chief executive of the United Kingdom Security Shredding Association (UKSSA), said: “Since the introduction of GDPR, we have seen how it has become even more important for data to be handled and destroyed securely. Anything from hard drives to paper records may need to be destroyed, and anyone procuring shredding services must ensure that high standards are met. By employing a UKSSA member, you know that you are getting the very highest secure shredding and data destruction possible.”

UKSSA members are audited every two years to ensure they meet the association’s code of practice. This means they must consistently provide stringent operational standards in confidential data destruction including compliance with EN15713:2009 – the standard on secure destruction of confidential material.

Ellin adds: “What defines UKSSA is our high standards required in our Code of Practice. Members are audited before they are allowed to join the association, and then re-audited every two years. UKSSA membership should be seen as a condition in ensuring your confidential data is 100 per cent safe.”

NHS guidelines call for paper-based disposal to meet the government’s Information Assurance Standard. Rather than using a traditional vertical shredding operation, this means paper records are to be destroyed using a micro cross-cut shredder that cuts paper into pieces of no more than 15mm x 4mm. This is in line with the EN15713:2009 standard that UKSSA members must meet and ensures destruction of sensitive information.

The NHS guidance also calls for shredding to occur on site prior to disposal or removal. This means mobile shredding units can be driven to a healthcare facility to allow on-site destruction. Alternatively, incineration processes may also be used for paper-based data or other types of printed media. A certificate of destruction from a specialist waste disposal contractor is required on completion. This certificate can be provided by UKSSA members.

For electronic devices such as hard drives, old computers or solid state drives, the EN15713:2009 standard is again specified in NHS guidelines. The Waste Electrical and Electronic Equipment (WEEE) regulations also apply, to ensure the devices are disposed of as sustainably as possible.

Devices should be wiped on site prior to being taken off site for destruction. UKSSA members can advise on meeting both secure shredding requirements and the most sustainable disposal option, including recycling, as part of the WEEE regulations. Solid state drives such as flash drives and SD cards should be destroyed using disintegration processes. CDs, DVDs and Blu-ray discs must be shredded to 4mm x 15mm, and ideally recycled where possible.

Ellin says: “Secure shredding and destruction of sensitive data is absolutely vital for NHS and other healthcare providers. Many UKSSA members are healthcare destruction specialists, and I would strongly advise that you need to meet the highest data destruction standards. By using a UKSSA member, you can be assured those standards and NHS guidelines will be met.”

Shred Station profile
Shred Station is an accredited member of UKSSA, and is a specialist in the destruction of confidential data. The company offers secure and environmentally friendly shredding services to thousands of individuals and businesses across the UK, both on-site and off-site, including many clients in the health and social care sector.

Hospitals, local health trusts, clinical commissioning groups, doctor and GP surgeries, medical centres, private clinics, cosmetic surgeries, dental practices, pharmacies, care home providers and domiciliary care organisations are all among the types of client that use Shred Station for the destruction of confidential information.

Shred Station’s bespoke shredding services can be tailored to suit the exact needs of the client, and can be arranged on a regular or an ‘as-and-when’ basis.

Here is how they operate a mobile shredding service:

So, how does a mobile shredding service work?
A majority of healthcare providers typically require shredding to occur on-site. The first step of organising a mobile shredding service is determining the materials you need shredded and the quantity of these materials.

Once you have established how much you need shredded, Shred Station or other UKSSA members can provide you with an appropriate quantity of lockable confidential waste bins or cabinets to store your sensitive data prior to collection. This step ensures your data is safe from start to finish.

When your data is ready for shredding, staff will arrive in uniform at your premises. Every single member of Shred Station’s workforce is vetted to BS7858 standards, which includes 10-year background and financial checks, so you know your data is in safe hands. The operatives will then transfer your documents and materials onto a secure mobile shredding vehicle.

Once behind a caged door, operatives will place the data directly into the shredder located on board. After destruction is complete, a Certificate of Destruction and Waste Transfer Note will be issued, confirming the safe destruction of your data in compliance with European standards.

All shredded paper will then be baled off-site and sent to UK mills for recycling. Where possible, other materials are sent for recycling, turned into refuse-derived fuel, or are incinerated under strict controls to generate energy for the National Grid. UKSSA members always try to avoid sending material to landfill.

What can a mobile shredder destroy?
Mobile shredding vehicles house industrial shredders on board which are capable of destroying over 400,000 sheets, 160 boxes, or 800 reams of paper every single hour. There’s also no need for clients to remove staples, paper clips, or even the plastic wallets from documents before their destruction. The shredders can handle all materials, and 100 per cent of paper is recycled at UK mills.

But that’s not all. Mobile shredders can destroy many other things in addition to paper. The industrial shredders can also destroy clothing and uniforms, ID cards, X-Rays, photographic prints, digital media such as CCTV tapes and USB sticks, hard drives, and electronics.

What measures do UKSSA members take to ensure the safety of data?
Shred Station’s services are incredibly safe and the company is accredited to the highest standards of security, including membership with UKSSA. Other accreditations include ISO 9001:2015 incorporating EN15713, ISO 14001:2015, PCI DSS compliance as a Level 1 Service Provider, Cyber Essentials certification, accredited membership of the BSIA, and several more.

UKSSA members ensure their entire workforce is security vetted, and there are many other safety measures in place to protect the data of their clients.

Depots are all protected with enhanced security measures, including secure entry systems, comprehensive CCTV and audio recordings, and bespoke alarm systems.

Mobile shredding vehicles are also equipped with many security features. Each truck is fitted with a four-camera CCTV system, driver monitoring, GPS tracking, and many other safety features to protect road users. Materials that are shredded onboard enter into an airtight compartment, which cannot be accessed again until the shredded materials are unloaded and baled at one of the secure depots.