Almost 20 years ago in the United Kingdom, The Data Protection Act 1998 (The Act) became law. This brought the UK in line with the EU Directive on data protection. One of the key principles of the Act is to ensure that confidential waste is securely destroyed.

Confidential waste can include any method of storage (including USB sticks, CDs, computer hard drives and paper documents) that contains any personal information that can be used to identify individuals, including their name, address, contact numbers or any financial data. Examples of confidential waste might include invoices and quotes, records of employment or payslips, bank details, education or medical records and other documents such as memos, notes, emails or letters.

Failing to follow the instructions laid out in The Act may result in serious consequences. The Act requires organisations to ensure that they abide by proper data protection principles, including (but not limited to):

  • Information is to be used fairly and lawfully
  • Information is kept no longer than is necessary
  • Information is to be kept safe and secure.

In the confidential waste market, we often see an array of collection methodologies – examples might include:

  • On-site shredding (shredding is carried out at your site in front of you)
  • Off-site shredding (waste is taken securely to a processing site)

Containers may include sacks, bins or consoles – each one having disadvantages or advantages specific to an organisation.

To make things (perhaps purposefully) confusing, the numerous collection methods and suppliers available influence the prices paid for destruction, and collections are charged in a variety of ways. Examples include: by unit, by time on site, by minimum charge, by frequency of collection… the list goes on. Such is the nature of this specialist market that ERA’s waste team often see large variations in price paid from one client to another and one site to another.

When faced with this level of complication, it is difficult for organisations to understand which option is best. Without specialist advice, this market can be a minefield of options, determining which supplier will keep data safe, which collection method is most efficient and which option is most cost-effective.

Most organisations have an obligation to put in place a collection system of one sort or another; some organisations do so to ensure they are following their own compliance objectives. However, suppliers have responsibilities too: ensuring that the security of the data that they collect or deal with on site is not compromised and, importantly, providing certificates of destruction – a legal requirement that will negate risk of non-compliance for the producers of the waste.

Current data protection regulations are changing in 2018. The General Data Protection Regulations (GDPR) will come into force. These regulations will replace the Data Protection Act 1998. GDPR will give people the right to know how their data is handled, what their data is used for and how and when it is destroyed.

GDPR may potentially impact some firms that weren’t previously affected by the Data Protection Act. Additionally, a big incentive to ensure compliance is the substantial increase in the level of fine for non-compliance (up to 4% of company turnover or €20m).

With these stronger repercussions for non-compliance, organisations need to consider whether the cost saving of segregating non-confidential waste from confidential waste is worthwhile vs the risk of non-compliance. If most paperwork is confidential, then probably not. Knowing you have a system for secure destruction and a complete paperwork chain of waste transfer notes and certificates of destruction will be very important.

For more information on waste disposal management, please contact us.

Article by Pete Bramhall & Dan Howells