LISTSERV - RECMGMT-L Archives - LISTSERV.IGGURU.US

RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

	LISTSERV Archives
	RECMGMT-L Home

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Forum View Use Monospaced Font Show Text Part by Default Condense Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Content-Type:	text/plain; charset=UTF-8
Sender:	Records Management Program <[log in to unmask]>
Subject:	Re: Cert of Destruction
From:	Larry Medina <[log in to unmask]>
Date:	Tue, 11 Nov 2014 13:24:04 -0800
In-Reply-To:	<[log in to unmask]>
MIME-Version:	1.0
Reply-To:	Records Management Program <[log in to unmask]>
Parts/Attachments:	text/plain (63 lines)

On Tue, Nov 11, 2014 at 12:45 PM, Callen, Jeanne M <[log in to unmask]>
wrote:

> We recently began utilizing an outside agency for our shredding.  We are
> in the process of preparing for compliance with ISO 27001 and are currently
> implementing Clean Desk and Information Identification.  To be compliant
> with the standard, all information identified as Internal Use Only,
> Confidential or Restricted now must be shredded.  We (Records Mgmt) provide
> a shredding service but this volume is too much for us to handle.  So,
> we've placed shred bins throughout the company for everyone's "every day"
> type of information - not their records.  Records will still be
> purged/managed through Records Management according to record retention
> schedules.  The shred bins are just for non-records.
>
> The shredding company empties the bins every two weeks and provides us
> with a certificate of destruction - my question is - do the certificates of
> destruction really provide any value in this case?  They don't specify what
> is shredded - only the date that the bins were emptied.  There's no telling
> what people are putting in the bins - and they are all over the company.
> From a record-keeping point of view - I'm trying to determine how long to
> keep these certificates - if at all - and what value they provide.  The
> vendor invoices are retained  for five years, maybe we should just store
> these destruction notices with the invoices?
>
> Again, our annual records purge will be handled differently and I will
> retain that certificate with the purge documents we obtain from each
> business unit.
>
> I think I'm thinking too hard on this - can anyone offer any suggestions?
>
>
I think the key here is your comment

"The shred bins are just for non-records."

However, where it gets problematic is

"There's no telling what people are putting in the bins - and they are all
over the company"

So, *IF* people are potentially putting records in these bins, or
non-records that are

"information identified as Internal Use Only, Confidential or Restricted "

You have identified a possible "compliance gap".  The only way to avoid it
is to audit a sample of the contents of the bins to verify no one is
putting items in there that you are REQUIRED TO SHRED to remain in
compliance, then educate people afterwards.

-- 
Larry
[log in to unmask]



*----Lawrence J. MedinaDanville, CARIM Professional since 1972*

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]

ATOM RSS1 RSS2

LISTSERV.IGGURU.US