GUIDELINE - Principles of records destruction

By Warren Richardson,2014-11-26 10:38
9 views 0
GUIDELINE - Principles of records destruction

ARMS Intranet - HomeARMS Internet - Home

    Principales of records destruction

    This Guideline sets out the 5 principles that should be

    followed by United Nations offices to ensure that records

    are destroyed in a proper and accountable way.

    ; Principles of records destruction

    ; Methods of destruction

    ; Using a contractor to destroy records

    ; Destroying sensitive information

    ; Appendix A: Checklist for records


    Principles of records destruction

    Records destruction should be:

    ; authorised

    ; appropriate

    ; secure/confidential

    ; timely, and

    ; documented

    These principles are dealt with in more

    detail below.

    1. Authorised

    There are at least two levels of

    authorisation required for the

    destruction of records:

    ; formal disposal

    authorisation by ARMS,

    usually in the form of a

    Records Retention Schedule

    ; internal authorisation

    (signing off) through a

    business unit's internal

    approval process.

    Authorisation by ARMS

    Records Retention Schedules are

    the instruments which provide the formal disposition authorisation upon which a UN office can act. A record which is authorised for destruction in an approved and current retention schedule may be destroyed at the end of the

    appropriate retention period, if it is no longer required by the UN office.

    Authorisation by the business unit

    While retention schedules set a minimum period for retention, it is also important to ensure that the business unit has no further business or administrative needs for the records. This can be done by ensuring that there are

    appropriate internal authorisation or approval processes in place, for example, by providing appropriate staff with lists of records due for destruction.

    A business unit must not dispose of any records required for current or pending investigatory action or where the records may be required as evidence in an internal or external investigation. A business unit must not destroy records that are the subject of a public access request.

    Following this type of review, an appropriate officer should give the final internal approval for the destruction of records. Each business unit must ensure that an officer is nominated and made responsible for this process.

    2. Appropriate

    Appropriate methods for

    destruction are:

    ; irreversible, and

    ; environmentally friendly.

    These are dealt with in more detail



    Destruction of records should be

    irreversible. This means that there

    is no reasonable risk of the

    information being recovered again.

    Failure to ensure the total

    destruction of records may lead to

    the unauthorised release of

    sensitive information.

    A number of cases have been

    reported in the media where

    records have been found

    "unearthed" in local garbage

    containers after they had been

    buried, or left in cabinets that had

    been sold. Records have also been

    found on the hard drives of

    computers that have been sold.

    Such occurrences are very bad

    publicity for your department and

    the United Nations as a whole. Environmentally friendly

    Records should be destroyed in an

    environmentally friendly manner.

    Both paper and microforms should

    be recycled where possible.

    3. Secure/Confidential

    Records should always be disposed of with the same level of security that was maintained during the life of the records. Wherever possible, destruction of records should be supervised by an officer of the United Nations or by another authorised agent if destruction has been contracted out.

    Please note that extra care should be given to records containing sensitive personal information. These should be disposed of securely to ensure the information is safeguarded against loss, unauthorised access, use or disclosure.

    Lockable containers may be used for particularly sensitive records. Sensitive records that are not places in garbage containers should be transported in totally enclosed and lockable vehicles (to prevent records falling off the back of trucks!) and destroyed in the presence of an officer of your business unit. Sensitive records may also be shredded ‘in-house’ before being

    sent for pulping. Any in-house shredding should still be approved through the normal internal and external approval processes.

    4. Timely

    While records should not be destroyed while there is still a need for them, it is also important not to keep records longer than is necessary, to minimise storage costs and retrieval efficiency. If a decision is made to retain records longer than the minimum retention period a record of the reasons for the decision should be documented to assist disposal at a later date.

    Records are usually destroyed when they have reached the end of a specified retention period. However, prior to their destruction, you must ensure that the records are no longer required. Therefore timely destruction must be balanced by senior management.

    5. Documented

    The destruction of all records must be documented, so that your business unit is able to ascertain whether a record has been destroyed. Proof of destruction may be required in investigation proceedings or in response to access requests.

    Recordkeeping systems and any other documentation should note which

    retention schedule authorises the destruction of the records. The specific schedule number should be documented along with the date of destruction. You may also wish to keep a destruction register that would link individual records to be destroyed to consignments sent for

    destruction. This register, together with a certificate of destruction, will serve as proof that records have actually been destroyed.

    The certificate of destruction should be placed on a file together with any other destruction documentation, for example, records of internal approval. A record of the method of destruction should also be placed on the file if this is not already noted on the certificate of destruction. Back to top

    Methods of destruction

    There are a number of different methods of destruction appropriate for the different media on which the records are stored. These methods have been outlined below. Paper records


    The security provided by

    the shredding of records

    depends on how finely the

    paper is shredded. Cross

    shredding may be needed

    for particularly sensitive

    documents. Shredded paper

    may be pulped and recycled,

    or may be used for

    insulation or other purposes.


    Pulped paper is reduced to

    its constituent fibres. If

    carried out correctly, it is a

    very secure method of

    destruction. Pulped paper is

    usually recycled.


    Records should only be

    burnt if there is no

    environmentally friendly

    method of destruction

    available, such as in a field

    operation environment.

    Records should be burned in

    accordance with any

    environmental guidelines

    and local burning

    restrictions. Densely packed

    paper does not burn well, so

    burning should be

    undertaken in an industrial

    facility (not in an


    Important: Burying is not an appropriate method of destruction. The records are not destroyed immediately and may take months or even years to break down. Records that are buried may also be uncovered within hours or days of being buried.

    Electronic/magnetic media

    Magnetic media

    Records stored on magnetic

    media can be "bulk erased"

    by subjecting them to a

    strong magnetic field. For

    secure destruction magnetic

    media can be reformatted.

    Backup copies of the

    records also need to be

    destroyed. The media can

    then be reused. Note: just

    deleting does not remove

    data from magnetic media

    and is therefore not

    sufficient for the destruction

    of records.

    Optical media

    Records held on optical

    media can be destroyed by

    cutting, crushing, or other

    physical means of

    destruction. Rewritable

    optical disks should also be

    reformatted before being

    disposed of or re-used.

    Although other physical

    means of destruction, such

    as microwaving, can be

    used, these are often only

    useful for very small

    quantities. Care should also

    be taken with microwaving

    due to fumes produced and

    possible harm to the

    microwave oven if ‘over-


    Hard drives

    Hard drives of personal

    computers and servers

    should be reformatted

    before computers are

    disposed of.

    Important: Do not just delete files from electronic media such as floppy

    disks, rewritable optical disks and

    hard disks, as the information can be recovered. Be sure to reformat. Non-electronic and non-paper media

    Videos, cinematographic film and microforms (microfilm/ fiche/ aperture cards/ x-rays) can be destroyed by shredding, cutting, crushing or chemical recycling.

    Back to top

    Using a contractor to destroy records


    Contractors can be engaged to destroy records. However, it is the responsibility of the business unit to ensure that destruction occurs in accordance with the approved methods of destruction. Make sure you know what method of

    destruction your contractor is using. Transport of records

    The contractor can collect records from your office for destruction, or you can deliver the records to them. A closed truck should be used whenever possible.

    However, if there is no alternative and the contractor can only provide an open truck, ensure that the load is secured by a cover. Sensitive and confidential records should only be conveyed in a closed and lockable vehicle.


    Always insist on a certificate of destruction. If records that were supposed to be destroyed are subsequently found, the certificate is evidence that the contractor was at fault, not your business unit. It is important to request that the certificate of destruction includes the method used. Back to top

    Destroying sensitive information

    There are different types of sensitive information to be aware of. Particular care must be taken in handling and destroying sensitive information.

    Personal information

    Some business units collect a great deal of information about individuals, and much of this information is quite sensitive, for example investigation, health or welfare records. Even records relating to the licensing of drivers, professions, trades, and commercial activities may contain personal information that could be

    sensitive. All personal information must be managed in accordance with the

    requirements of the United Nations

    Information Security Principles.

    Personnel files are a prime example of records containing personal information that have strict access and security restrictions while the records are active. This level of security should be maintained throughout the entire life of these records including during the destruction process.

Financial or commercially

    sensitive information

    Records may contain information of a commercially sensitive nature. Examples include files containing information on a business unit’s financial position, tender bids, and any information that may give an unfair financial advantage to another. Information given in confidence

    Records may contain information that is given on condition that the information is not released. Examples include personal information and financial information, information given by government agencies (foreign governments, interstate/federal bodies) and information from any source where the provider specifies that it is given in confidence.

    Information relating to an


    Records relating to an investigation, usually into malpractice or criminal activity, may contain sensitive information. With such records, it is important to ensure that sensitive information is not released through inadequate or

    inappropriate destruction techniques. Information posting a security risk

    Records may contain information dealing with high security risk activities and premises. Examples of such records are plans of buildings, security plans, procedures for the delivery of large amounts of money, and security

    arrangements for movements of VIPs and others.

    Back to top

    Appendix A: Checklist for records destruction

    The records are authorised for destruction under a relevant and current

     records retention schedule

    The organisation no longer requires the records

    The records are not the subject of a current or pending investigation or access request

    Internal authorisation has been obtained

     The records have no special security requirements


     The records have high security level and locked containers and/or in-house

    shredding are required for security destruction

    Appropriate service provider contacted

    A covered van or truck specified for records removal

    Service provider asked to supply certificate of destruction

    Specified that records are to be destroyed on day of collection

    Certificate received by your business unit

    Records destroyed and details of destruction documented in your records

     management system.

Report this document

For any questions or suggestions please email