Introduction about handling and disposing of physical personal data

The “Physical” in physical personal data refers mainly to paper, but also includes other read-only storage media like CDs and DVDs.  “Personal Data” is defined in the PDPA as “data, whether true or not, about an individual who can be identified a) from that data; or b) from that data and other information to which the organisation has or is likely to have access.”

To comply with the PDPA, organisations need to put in place:

  1. Documented policies, with corresponding processes and procedures, to protect personal data, including where external parties are given access to personal data or to copies of it; and
  2. Schedules setting out how long personal data/records are kept (i.e. defining respective retention limitations).

Measures adopted by each organisation have to be reasonable and appropriate, as each organisation is different. Some factors that need to be taken into account when deciding on the type of measures to adopt include:

  1. Types of personal data held;
  2. Risks, impact and potential damage to individuals should such personal data be accessed by unauthorised persons; and
  3. Form of the personal data (i.e. physical or electronic).

Personal data protection is implemented most commonly via preventative security controls, such as:

  1. Physical controls, which limit the physical access to personal data;
  2. Procedural/administrative controls, which consist of policies and procedures regulating the use of personal data; and
  3. Technical controls, which are technological countermeasures.

When in doubt how to proceed, organisations should always seek professional advice. Please feel free to contact P2D Solutions for your FREE consultation.

Dispose All Copies

Even though copies of personal data in paper form are less easy to distribute than their electronic counterparts, disposal of each and every copy of the document needs to be considered.

Incomplete disposal violates the PDPA’s protection obligation and can lead to data breaches, for example where:

  1. Deleted electronic files or improperly shredded paper may be restored (in full or partially); and
  2. Uncontrolled disposal of paper without destruction may lead to recovery of documents through ‘dumpster diving’ (e.g. sifting through physical waste or recycling containers for items that have been discarded, but are still of value or covered by regulation).

For personal data stored on physical documents and in paper form, proper disposal or destruction usually refers to one or more of the following processes:

  1. Shredding: cuts paper in a way that makes it reasonably difficult, or even impossible, to reassemble the pieces in order to reconstruct (a substantial part of) the information, but allows for the paper to be recycled as long as the pieces are not too small; or
  2. Incineration (or burning): reduces paper to ashes; or
  3. Pulping: paper is mixed with water and chemicals to break down the paper fibres before it is processed into recycled paper.

Shredding

Shredding is the most commonly used method as it is fast, safe and cost-effective. It is also considered sufficiently secure for a wide range of documents. Most disposal methods can be carried out in-house by the organisation itself or by an external third party service provider. For paper copies of personal data, a cross-cut shredder of at least security level P-3 is recommended, which shreds paper into particles of at most 320 mm².

When outsourcing, the organisation must ensure that the external processing still complies with the protection obligation under the PDPA, and this must be considered when putting any outsourcing arrangement in place.

Do not leave personal data unattended while it is awaiting disposal, and do not simply tear documents into halves or quarters and drop them into the dust bin. Do not reuse paper documents that are scheduled for shredding, as this increases the risk of the personal data on such documents being compromised.

Typical Disposal Mistakes and Issues

During disposal, it is a common mistake to neglect personal data where:

  1. It is only part of a whole data set (e.g. just the first page of a completed form);
  2. There are mistakes in some fields (therefore data is deemed inaccurate); or
  3. It contains printing errors (e.g. letter to customer printed with errors in the title or date).

Also, once an organisation decides to dispose of paper documents, they are often perceived as ‘valueless’ and ‘unimportant’. This can lead to unsecured handling or storage of the documents, which increases the risk of misuse or misappropriation.

Some problems involving paper containing personal data include:

  1. Paper recycling is encouraged, and paper meant for shredding ends up being recycled without being destroyed;
  2. Staff are not trained in, or aware of the need for, protecting personal data even when it is obsolete;
  3. The reverse side of waste/recycled paper is not checked for personal data before it is discarded or left unattended;
  4. Containers for confidential documents are not differentiated from common collection containers, e.g. for recycling; and
  5. Confidential documents are left in an unsecured area.

Unauthorised access can take place especially when:

  1. Documents intended for shredding are stored in the same place as documents meant for plain recycling; and
  2. Documents are not protected between their release for disposal and their actual destruction, and may become targets for dumpster diving or theft.

There are also common problems around the shredders themselves, such as:

  1. No easy access to the shredder, or use of the shredder causes noise issues for nearby staff;
  2. Shredder wastebaskets are not regularly cleared;
  3. Improper use of shredders, leading to frequent breakdowns; and
  4. Shredders are slow, so users spend significant time shredding.

Best Practices

The following best practices should be implemented when it comes to paper disposal:

  1. When in doubt, shred the document; and
  2. Encourage staff to regularly shred paper documents containing personal data. The shredded paper can still be sent for recycling later.

A checklist of good practices is listed below for your easy reference.

Outsourced or Third Party Service Providers

As mentioned earlier, even when disposal of paper documents is outsourced, accountability and responsibility for ensuring that the personal data on such paper documents is destroyed remain with the organisation. Therefore, organisations should ensure that contracts with third party service providers contain the necessary terms and conditions to comply with the obligations under the PDPA, specifically the Protection, Retention and Transfer Limitation Obligations.

Points to consider when outsourcing the disposal of physical media include:

  1. The service provider’s overall processes and the protection applied during transport, storage and actual destruction;
  2. Whether the service provider’s containers and facility have physical security in place, and whether policies for accident and incident reporting exist;
  3. Keeping records and/or any certification confirming collection and destruction;
  4. Supervising and documenting the collection (or handover) of waste items;
  5. Securing any intermediate storage locations; and
  6. Having an officer of an appropriate level witness the actual destruction, or even follow the third party’s disposal vehicle, especially when sensitive personal data is involved.

Sample Checklist of Good Practices

S/No. Description (Implemented? Yes/No)

  1. If your organisation recycles used paper, are staff reminded to check whether there is personal data left on the recycled paper?
  2. Do your staff check whether wastepaper (e.g. extra copies, wrong copies, unused copies) contains personal data, and do they know how to dispose of it properly?
  3. Do your staff check that there are no confidential documents or documents containing personal data before leaving wastepaper outside unattended?
  4. Is the shredding machine regularly cleared and serviced?
  5. Has your organisation nominated a data protection officer?
  6. Does your organisation have disposal policies in place?
  7. Does your organisation have retention policies in place?
  8. If your organisation has outsourced its document disposal, was there a review of how the third party disposes of the paper and whether their practices comply with the PDPA?

TALK TO US TODAY

For more information on how we can help your company comply with the PDPA easily and cost-effectively, contact us for a FREE consultation.
