Advice on Contracts for Secure Disposal of Personal Data

Introduction

When there is no longer a valid reason to keep personal data (when the data is outside of the retention period you have set), it is important that it is disposed of securely. Potentially, you might have to get rid of 3 types of data:

1. Paper documents
2. Digital files
3. Electronic hardware (i.e. a computer hard drive)

Paper records

At the end of their lifespan, confidential paper records should be shredded and disposed of securely. You can do this in-house or hire a contractor. If you hire a contractor to do this, you must have a written contract with this organisation, and they must provide you with certificates of destruction for the information they have taken away. According to the British Security Industry Association (BSIA), contractors should meet Information Destruction standard EN 15713:2009. There is guidance on how to check that a company meets this on the BSIA website: www.bsia.co.uk/publications/informationdestruction

Digital Files

It is just as important to get rid of electronic records as it is paper records. Make sure that you do not miss these when doing your records audits.

Electronic Hardware

Unfortunately, removing confidential information from a computer or other electronic storage device is not as easy as throwing it away. We recommend using a contractor or your IT supplier to dispose of this equipment for you. As above, ensure that you have a written contract in place and that you receive a certificate of destruction.
