Download October-December 2012 Issue (PDF) - Department of ...
Download October-December 2012 Issue (PDF) - Department of ...
Download October-December 2012 Issue (PDF) - Department of ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
“disposal methods are considered<br />
adequate if the records are rendered<br />
unrecognizaBle or Beyond<br />
reconstruction.”<br />
he department <strong>of</strong> the navy chief Information<br />
Officer (dOn cIO) Privacy Office receives<br />
frequent inquiries regarding paper shredding as<br />
a means <strong>of</strong> destroying unclassified documents<br />
containing personally identifiable information<br />
(PII). some commonly asked questions include:<br />
• which shredder should I purchase?<br />
• should I use a straight cut or cross cut shredder?<br />
• what are the dOn policy requirements?<br />
• How small is small enough with regard to shredder residue?<br />
• where can I find a list <strong>of</strong> approved shredders?<br />
• can I use a shredder service?<br />
Paragraph 8.b. (1) <strong>of</strong> secretary <strong>of</strong> the navy Instruction<br />
(secnAVInst) 5211.5e, department <strong>of</strong> the navy Privacy<br />
Program, states:<br />
“disposal methods are considered adequate if the records<br />
are rendered unrecognizable or beyond reconstruction<br />
(e.g., tearing, burning, melting, chemical decomposition,<br />
burying, pulping, pulverizing, shredding, or mutilation).”<br />
the key words are: “rendered unrecognizable or<br />
beyond reconstruction.”<br />
while there is no dOn policy specifying the type <strong>of</strong> shredder<br />
to use, it is highly recommended and considered a best practice<br />
to always use a cross cut shredder. there have been<br />
cases involving straight cut shredders where the resulting<br />
paper strips could be pieced together to reconstruct privacy<br />
sensitive information. In one case, the straight cut shredder<br />
residue corresponded to the actual rows <strong>of</strong> a spreadsheet.<br />
As a result, none <strong>of</strong> the PII had been destroyed.<br />
dOn policy does not address shredder residue size. As a best<br />
practice, refer to the national Institute <strong>of</strong> standards and technology<br />
(nIst) special Publication 800-88, “guidelines for media<br />
sanitization: recommendations <strong>of</strong> the national Institute <strong>of</strong> standards<br />
and technology,” issued september 2006, which states:<br />
“destroy paper using cross cut shredders which produce<br />
particles that are 1 x 5 millimeters in size (reference devices<br />
on the nsA paper shredder ePl), or to pulverize/disintegrate<br />
paper materials using disintegrator devices equipped with<br />
3/32-inch security screen (reference nsA disintegrator<br />
ePl.).”<br />
the national security Agency (nsA) evaluated Products lists<br />
(ePl) for shredders can be found at www.nsa.gov/ia/_files/<br />
government/mdg/nsA_css-ePl-02-01-Z.pdf.<br />
An alternative to purchasing a shredder is to contract<br />
with a general services Administration (gsA) approved<br />
shredder service. with increased public awareness regarding<br />
the threat <strong>of</strong> identity fraud, availability and use <strong>of</strong> shredder<br />
services continue to increase. benefits <strong>of</strong> using a shredder<br />
service include:<br />
• shredder services decrease labor hours and physical space<br />
disposal requirements;<br />
• mobile services allow documents to be shredded on-site<br />
or to be taken away to be destroyed;<br />
• certificates <strong>of</strong> destruction are issued to verify disposal;<br />
• bulk disposal is extremely efficient; and<br />
• gsA approved shredder services are considered secure<br />
and in compliance with dOn policy, and nIst and<br />
nsA guidelines.<br />
while shredding is arguably the safest means <strong>of</strong> disposal,<br />
the use <strong>of</strong> burn bags remains a viable option. regardless <strong>of</strong><br />
the method <strong>of</strong> destruction, the creation <strong>of</strong> documents containing<br />
sensitive personal information should be avoided or<br />
minimized to the greatest extent possible.<br />
remember, the choice <strong>of</strong> a shredder must make paper<br />
documents containing PII unrecognizable or beyond<br />
reconstruction. dOn policy does not specify specific particle<br />
size requirements, but a best practice states that particles<br />
should be 1 X 5 mm or smaller. Other disposal options are<br />
available and should be evaluated to determine what is best<br />
for the specific needs <strong>of</strong> your <strong>of</strong>fice.<br />
Visit the dOn cIO website at www.doncio.navy.mil and<br />
search “shredder” for information, tips and best practices. �<br />
steve muCk is the <strong>Department</strong> <strong>of</strong> the Navy privacy lead.<br />
steve Daughety provides privacy policy support to the<br />
<strong>Department</strong> <strong>of</strong> the Navy.<br />
WWW.DOnCIO.naVY.mIL/CHIPS 57