ARMS Intranet - HomeARMS Internet - Home
Principales of records destruction
This Guideline sets out the 5 principles that should be
followed by United Nations offices to ensure that records
are destroyed in a proper and accountable way.
; Principles of records destruction
; Methods of destruction
; Using a contractor to destroy records
; Destroying sensitive information
; Appendix A: Checklist for records
Principles of records destruction
Records destruction should be:
; timely, and
These principles are dealt with in more
There are at least two levels of
authorisation required for the
destruction of records:
; formal disposal
authorisation by ARMS,
usually in the form of a
Records Retention Schedule
; internal authorisation
(signing off) through a
business unit's internal
Authorisation by ARMS
Records Retention Schedules are
the instruments which provide the formal disposition authorisation upon which a UN office can act. A record which is authorised for destruction in an approved and current retention schedule may be destroyed at the end of the
appropriate retention period, if it is no longer required by the UN office.
Authorisation by the business unit
While retention schedules set a minimum period for retention, it is also important to ensure that the business unit has no further business or administrative needs for the records. This can be done by ensuring that there are
appropriate internal authorisation or approval processes in place, for example, by providing appropriate staff with lists of records due for destruction.
A business unit must not dispose of any records required for current or pending investigatory action or where the records may be required as evidence in an internal or external investigation. A business unit must not destroy records that are the subject of a public access request.
Following this type of review, an appropriate officer should give the final internal approval for the destruction of records. Each business unit must ensure that an officer is nominated and made responsible for this process.
Appropriate methods for
; irreversible, and
; environmentally friendly.
These are dealt with in more detail
Destruction of records should be
irreversible. This means that there
is no reasonable risk of the
information being recovered again.
Failure to ensure the total
destruction of records may lead to
the unauthorised release of
A number of cases have been
reported in the media where
records have been found
"unearthed" in local garbage
containers after they had been
buried, or left in cabinets that had
been sold. Records have also been
found on the hard drives of
computers that have been sold.
Such occurrences are very bad
publicity for your department and
the United Nations as a whole. Environmentally friendly
Records should be destroyed in an
environmentally friendly manner.
Both paper and microforms should
be recycled where possible.
Records should always be disposed of with the same level of security that was maintained during the life of the records. Wherever possible, destruction of records should be supervised by an officer of the United Nations or by another authorised agent if destruction has been contracted out.
Please note that extra care should be given to records containing sensitive personal information. These should be disposed of securely to ensure the information is safeguarded against loss, unauthorised access, use or disclosure.
Lockable containers may be used for particularly sensitive records. Sensitive records that are not places in garbage containers should be transported in totally enclosed and lockable vehicles (to prevent records falling off the back of trucks!) and destroyed in the presence of an officer of your business unit. Sensitive records may also be shredded ‘in-house’ before being
sent for pulping. Any in-house shredding should still be approved through the normal internal and external approval processes.
While records should not be destroyed while there is still a need for them, it is also important not to keep records longer than is necessary, to minimise storage costs and retrieval efficiency. If a decision is made to retain records longer than the minimum retention period a record of the reasons for the decision should be documented to assist disposal at a later date.
Records are usually destroyed when they have reached the end of a specified retention period. However, prior to their destruction, you must ensure that the records are no longer required. Therefore timely destruction must be balanced by senior management.
The destruction of all records must be documented, so that your business unit is able to ascertain whether a record has been destroyed. Proof of destruction may be required in investigation proceedings or in response to access requests.
Recordkeeping systems and any other documentation should note which
retention schedule authorises the destruction of the records. The specific schedule number should be documented along with the date of destruction. You may also wish to keep a destruction register that would link individual records to be destroyed to consignments sent for
destruction. This register, together with a certificate of destruction, will serve as proof that records have actually been destroyed.
The certificate of destruction should be placed on a file together with any other destruction documentation, for example, records of internal approval. A record of the method of destruction should also be placed on the file if this is not already noted on the certificate of destruction. Back to top
Methods of destruction
There are a number of different methods of destruction appropriate for the different media on which the records are stored. These methods have been outlined below. Paper records
The security provided by
the shredding of records
depends on how finely the
paper is shredded. Cross
shredding may be needed
for particularly sensitive
documents. Shredded paper
may be pulped and recycled,
or may be used for
insulation or other purposes.
Pulped paper is reduced to
its constituent fibres. If
carried out correctly, it is a
very secure method of
destruction. Pulped paper is
Records should only be
burnt if there is no
method of destruction
available, such as in a field
Records should be burned in
accordance with any
and local burning
restrictions. Densely packed
paper does not burn well, so
burning should be
undertaken in an industrial
facility (not in an
Important: Burying is not an appropriate method of destruction. The records are not destroyed immediately and may take months or even years to break down. Records that are buried may also be uncovered within hours or days of being buried.
Records stored on magnetic
media can be "bulk erased"
by subjecting them to a
strong magnetic field. For
secure destruction magnetic
media can be reformatted.
Backup copies of the
records also need to be
destroyed. The media can
then be reused. Note: just
deleting does not remove
data from magnetic media
and is therefore not
sufficient for the destruction
Records held on optical
media can be destroyed by
cutting, crushing, or other
physical means of
optical disks should also be
reformatted before being
disposed of or re-used.
Although other physical
means of destruction, such
as microwaving, can be
used, these are often only
useful for very small
quantities. Care should also
be taken with microwaving
due to fumes produced and
possible harm to the
microwave oven if ‘over-
Hard drives of personal
computers and servers
should be reformatted
before computers are
Important: Do not just delete files from electronic media such as floppy
disks, rewritable optical disks and
hard disks, as the information can be recovered. Be sure to reformat. Non-electronic and non-paper media
Videos, cinematographic film and microforms (microfilm/ fiche/ aperture cards/ x-rays) can be destroyed by shredding, cutting, crushing or chemical recycling.
Back to top
Using a contractor to destroy records
Contractors can be engaged to destroy records. However, it is the responsibility of the business unit to ensure that destruction occurs in accordance with the approved methods of destruction. Make sure you know what method of
destruction your contractor is using. Transport of records
The contractor can collect records from your office for destruction, or you can deliver the records to them. A closed truck should be used whenever possible.
However, if there is no alternative and the contractor can only provide an open truck, ensure that the load is secured by a cover. Sensitive and confidential records should only be conveyed in a closed and lockable vehicle.
Always insist on a certificate of destruction. If records that were supposed to be destroyed are subsequently found, the certificate is evidence that the contractor was at fault, not your business unit. It is important to request that the certificate of destruction includes the method used. Back to top
Destroying sensitive information
There are different types of sensitive information to be aware of. Particular care must be taken in handling and destroying sensitive information.
Some business units collect a great deal of information about individuals, and much of this information is quite sensitive, for example investigation, health or welfare records. Even records relating to the licensing of drivers, professions, trades, and commercial activities may contain personal information that could be
sensitive. All personal information must be managed in accordance with the
requirements of the United Nations
Information Security Principles.
Personnel files are a prime example of records containing personal information that have strict access and security restrictions while the records are active. This level of security should be maintained throughout the entire life of these records including during the destruction process.
Financial or commercially
Records may contain information of a commercially sensitive nature. Examples include files containing information on a business unit’s financial position, tender bids, and any information that may give an unfair financial advantage to another. Information given in confidence
Records may contain information that is given on condition that the information is not released. Examples include personal information and financial information, information given by government agencies (foreign governments, interstate/federal bodies) and information from any source where the provider specifies that it is given in confidence.
Information relating to an
Records relating to an investigation, usually into malpractice or criminal activity, may contain sensitive information. With such records, it is important to ensure that sensitive information is not released through inadequate or
inappropriate destruction techniques. Information posting a security risk
Records may contain information dealing with high security risk activities and premises. Examples of such records are plans of buildings, security plans, procedures for the delivery of large amounts of money, and security
arrangements for movements of VIPs and others.
Back to top
Appendix A: Checklist for records destruction
The records are authorised for destruction under a relevant and current
records retention schedule
The organisation no longer requires the records
The records are not the subject of a current or pending investigation or access request
Internal authorisation has been obtained
The records have no special security requirements
The records have high security level and locked containers and/or in-house
shredding are required for security destruction
Appropriate service provider contacted
A covered van or truck specified for records removal
Service provider asked to supply certificate of destruction
Specified that records are to be destroyed on day of collection
Certificate received by your business unit
Records destroyed and details of destruction documented in your records