
Secure shredding services in the NHS
from Health Business 19.2
by PSI Media
For the NHS and other healthcare providers, managing data is absolutely essential to maintain the integrity of patient records. The United Kingdom Security Shredding Association explains why.
Organisations involved in healthcare inevitably create mountains of data on electronic devices and plenty of paperwork. Clearly, it is vitally important for anybody that holds sensitive data to manage it properly. For the NHS and other healthcare providers, managing data is absolutely essential to maintain the integrity of patient records.
In 2014, the Federal Bureau of Investigation warned American hospitals and healthcare companies to ensure their data security was strong. This was because hackers were targeting what was considered easy-to-access patient data.
Often, this data was more valuable to criminals than credit card data, because typically people noticed something wasn’t right and cancelled their credit card details. With medical records, people are often unaware that their data has been stolen. But stolen medical records can be used to create a false identity in order to obtain NHS medication for an improper purpose, such as selling it or sending it abroad.
Stolen records can also potentially be used to blackmail people about conditions that they might not wish to reveal for professional or personal reasons. People also have a moral right to have their personal information kept secure. Alternatively, stolen data from NHS operations such as procurement or commissioning can be used by criminals to issue false invoices or to purchase drugs.
According to the NHS Counter Fraud Authority, fraud costs the NHS £1.29 billion a year. That’s enough to pay for over 40,000 staff nurses or to purchase 5,000 frontline ambulances.
There is also a duty on NHS and other health and social care providers to meet the provisions of both the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). In some (but not all) cases, patients will also have a right for their data to be erased under GDPR.
Simon Ellin, chief executive of the United Kingdom Security Shredding Association (UKSSA), said: “Since the introduction of GDPR, we have seen how it has become even more important for data to be handled and destroyed securely. Anything from hard drives to paper records may need to be destroyed, and anyone procuring shredding services must ensure that high standards are met. By employing a UKSSA member, you know that you are getting the very highest secure shredding and data destruction possible.”
Shredding on site
UKSSA members are audited every two years to ensure they meet the association’s code of practice. This means they must consistently provide stringent operational standards in confidential data destruction including compliance with EN15713:2009 – the standard on secure destruction of confidential material.
NHS guidelines call for paper-based disposal to meet the government’s Information Assurance Standard. Rather than using a traditional vertical shredding operation, this means paper records should be destroyed using a micro cross cut shredder that cuts paper into pieces of no more than 15mm x 4mm. This is in line with the EN15713:2009 standard that UKSSA members must meet and ensures destruction of sensitive information.
The NHS guidance also calls for shredding to occur on site prior to disposal or removal. This means mobile shredding units can be driven to a healthcare facility to allow on-site destruction. Alternatively, incineration processes may also be used for paper-based data or other types of printed media. A certificate of destruction from a specialist waste disposal contractor is required on completion. This certificate can be provided by UKSSA members.
For electronic devices such as hard drives, old computers or solid state drives, the EN15713:2009 standard is again specified in NHS guidelines. The Waste Electrical and Electronic Equipment (WEEE) regulations also apply, to ensure the devices are disposed of as sustainably as possible.
Devices should be wiped on site prior to being taken off site for destruction. UKSSA members can advise on meeting both secure shredding requirements and the most sustainable disposal option, including recycling, as part of the WEEE regulations. Solid state drives such as flash drives and SD cards should be destroyed using disintegration processes. CDs, DVDs and Blu-ray discs must be shredded to 4mm x 15mm, and ideally recycled where possible.
Ellin says: “Secure shredding and destruction of sensitive data is absolutely vital for NHS and other healthcare providers. Many UKSSA members are healthcare destruction specialists, and I would strongly advise that you need to meet the highest data destruction standards. By using a UKSSA member, you can be assured those standards and NHS guidelines will be met.”
So, how does a mobile shredding service work?
A majority of healthcare providers typically require shredding to occur on-site. The first step of organising a mobile shredding service is determining the materials you need shredded and the quantity of these materials.
Once you have established how much you need shredded, shredding companies can provide you with an appropriate quantity of lockable confidential waste bins or cabinets to store your sensitive data prior to collection. This step ensures your data is safe from start to finish. When your data is ready for shredding, staff will arrive in uniform at your premises. The operatives will then transfer your documents and materials onto a secure mobile shredding vehicle.
Once behind a caged door, operatives will place the data directly into the shredder located on board. After destruction is complete, a Certificate of Destruction and Waste Transfer Note will be issued, confirming the safe destruction of your data in compliance with European standards.
All shredded paper will then be baled offsite and sent to UK mills for recycling. Where possible, other materials are sent for recycling, turned into refuse-derived fuel, or are incinerated under strict controls to generate energy for the National Grid. UKSSA members always try to avoid sending material to landfill.
Mobile shredding vehicles house industrial shredders on board which are capable of destroying over 400,000 sheets, 160 boxes, or 800 reams of paper every single hour. There’s also no need for clients to remove staples, paper clips, or even the plastic wallets from documents before their destruction. The shredders can handle all materials, and 100 per cent of paper is recycled at UK mills.
But that’s not all. Mobile shredders can destroy many other things in addition to paper. The industrial shredders can also destroy clothing and uniforms, ID cards, X-rays, photographic prints, digital media such as CCTV tapes and USB sticks, hard drives, and electronics.
FURTHER INFORMATION
www.ukssa.org.uk