Download October-December 2012 Issue (PDF) - Department of ...

“disposal methods are considered
adequate if the records are rendered
unrecognizaBle or Beyond
reconstruction.”
he department of the navy chief Information
Officer (dOn cIO) Privacy Office receives
frequent inquiries regarding paper shredding as
a means of destroying unclassified documents
containing personally identifiable information
(PII). some commonly asked questions include:
• which shredder should I purchase?
• should I use a straight cut or cross cut shredder?
• what are the dOn policy requirements?
• How small is small enough with regard to shredder residue?
• where can I find a list of approved shredders?
• can I use a shredder service?
Paragraph 8.b. (1) of secretary of the navy Instruction
(secnAVInst) 5211.5e, department of the navy Privacy
Program, states:
“disposal methods are considered adequate if the records
are rendered unrecognizable or beyond reconstruction
(e.g., tearing, burning, melting, chemical decomposition,
burying, pulping, pulverizing, shredding, or mutilation).”
the key words are: “rendered unrecognizable or
beyond reconstruction.”
while there is no dOn policy specifying the type of shredder
to use, it is highly recommended and considered a best practice
to always use a cross cut shredder. there have been
cases involving straight cut shredders where the resulting
paper strips could be pieced together to reconstruct privacy
sensitive information. In one case, the straight cut shredder
residue corresponded to the actual rows of a spreadsheet.
As a result, none of the PII had been destroyed.
dOn policy does not address shredder residue size. As a best
practice, refer to the national Institute of standards and technology
(nIst) special Publication 800-88, “guidelines for media
sanitization: recommendations of the national Institute of standards
and technology,” issued september 2006, which states:
“destroy paper using cross cut shredders which produce
particles that are 1 x 5 millimeters in size (reference devices
on the nsA paper shredder ePl), or to pulverize/disintegrate
paper materials using disintegrator devices equipped with
3/32-inch security screen (reference nsA disintegrator
ePl.).”
the national security Agency (nsA) evaluated Products lists
(ePl) for shredders can be found at www.nsa.gov/ia/_files/
government/mdg/nsA_css-ePl-02-01-Z.pdf.
An alternative to purchasing a shredder is to contract
with a general services Administration (gsA) approved
shredder service. with increased public awareness regarding
the threat of identity fraud, availability and use of shredder
services continue to increase. benefits of using a shredder
service include:
• shredder services decrease labor hours and physical space
disposal requirements;
• mobile services allow documents to be shredded on-site
or to be taken away to be destroyed;
• certificates of destruction are issued to verify disposal;
• bulk disposal is extremely efficient; and
• gsA approved shredder services are considered secure
and in compliance with dOn policy, and nIst and
nsA guidelines.
while shredding is arguably the safest means of disposal,
the use of burn bags remains a viable option. regardless of
the method of destruction, the creation of documents containing
sensitive personal information should be avoided or
minimized to the greatest extent possible.
remember, the choice of a shredder must make paper
documents containing PII unrecognizable or beyond
reconstruction. dOn policy does not specify specific particle
size requirements, but a best practice states that particles
should be 1 X 5 mm or smaller. Other disposal options are
available and should be evaluated to determine what is best
for the specific needs of your office.
Visit the dOn cIO website at www.doncio.navy.mil and
search “shredder” for information, tips and best practices. �
steve muCk is the Department of the Navy privacy lead.
steve Daughety provides privacy policy support to the
Department of the Navy.
WWW.DOnCIO.naVY.mIL/CHIPS 57