Date: Tue, 11 Nov 2014 13:24:04 -0800
On Tue, Nov 11, 2014 at 12:45 PM, Callen, Jeanne M wrote:
> We recently began utilizing an outside agency for our shredding. We are
> in the process of preparing for compliance with ISO 27001 and are currently
> implementing Clean Desk and Information Identification. To be compliant
> with the standard, all information identified as Internal Use Only,
> Confidential or Restricted now must be shredded. We (Records Mgmt) provide
> a shredding service but this volume is too much for us to handle. So,
> we've placed shred bins throughout the company for everyone's "every day"
> type of information - not their records. Records will still be
> purged/managed through Records Management according to record retention
> schedules. The shred bins are just for non-records.
>
> The shredding company empties the bins every two weeks and provides us
> with a certificate of destruction - my question is - do the certificates of
> destruction really provide any value in this case? They don't specify what
> is shredded - only the date that the bins were emptied. There's no telling
> what people are putting in the bins - and they are all over the company.
> From a record-keeping point of view - I'm trying to determine how long to
> keep these certificates - if at all - and what value they provide. The
> vendor invoices are retained for five years, maybe we should just store
> these destruction notices with the invoices?
>
> Again, our annual records purge will be handled differently and I will
> retain that certificate with the purge documents we obtain from each
> business unit.
>
> I think I'm thinking too hard on this - can anyone offer any suggestions?
>
>
I think the key here is your comment
"The shred bins are just for non-records."
However, where it gets problematic is
"There's no telling what people are putting in the bins - and they are all
over the company"
So, *IF* people are potentially putting records in these bins, or
non-records that are
"information identified as Internal Use Only, Confidential or Restricted",
you have identified a possible "compliance gap". The only way to avoid it
is to audit a sample of the contents of the bins to verify no one is
putting items in there that you are REQUIRED TO SHRED to remain in
compliance, then educate people afterwards.
--
Larry
Lawrence J. Medina
Danville, CA
RIM Professional since 1972