Historically and in some cases today people and Organisations have disposed of waste paper through waste recycling streams and have not hired in an Onsite shredding service nor an offsite shredding service for documents that are no longer required.
Within this blog entry I will be discussed Waste Vs Data (Liability).
Under Waste Management Legislation paper contains a European Waste Catalogue (EWC) Code, now this code means that the material needs to;
- Be recycled in line with The European Waste Hierarchy
- Be handled and processed through an Organisation that have a waste permit.
Having a waste permit does not mean that you are a waste company and in turn, having systems in place to recycle paper does not mean that you are a Data Processor that provides paper shredding services (I will cover this in more detail later).
Organisations such as Construction firms, Removal firms and Storage firms have waste permits in order to carry their materials but none of these firms are waste operators. With this in mind, why would you release your confidential information that holds legislative fines of up to 20 Million Euro to a waste firm to recycle for you? Even if the waste firm offers “secure paper shredding services”, there is still no reason to justify releasing your data to them based on your legislative responsibility and obligations.
Data Processor Vs Materials Processor
A Data Processor is a person/Organisation who processes (E.g. Destroys) personal data on behalf of a Data Controller. A Data Controller is a person/Organisation who controls the contents and use of personal data (Any Organisation).
The key point to take away here is that Data Protection Laws only apply to Data Processors and Data Controllers. So, if a Data Controller (You) releases “waste” paper DATA to a waste firm to be recycled (Securely or not), under Data Protection Law you have released personal data to an Organisation who may not be a Data Processor and the waste firm may understand it as you (The Data Controller) has actually releases waste material (Paper material) for recycling. In the case of a data breach occurring here who do you feel will be at fault and who will receive the fines of up to 20 Million Euro, yes your correct, it will be you The Data Controller.
So when you are deciding upon what paper shred service to implement within your business, it is important to understand that you need a Data Processing Firm to destroy that data for you. If an Organisation is for example offering secure onsite paper shredding or secure offsite paper shredding they need to acknowledge that it is Data that they are processing for you.
For more information upon Data Protection and how to protect your business please contact one of our helpful team at;