Information security

INF022

Destroying protectively-marked information securely

Use approved procedures for destroying ICT media and documents with protective markings.

These requirements apply to all official information (with or without security classifications)

Follow these requirements to ensure your agency complies with the Protective Security Requirements for information security.

Getting advice and setting policy

Your chief security officer (CSO) can seek advice from the NZSIS about approved methods for routine or emergency destruction of protectively-marked information.

Your agency should have a policy for destroying official information without protective markings — a policy that is in line with your security risk management plan.

You must not use rubbish or recycling services or systems to dispose of protected information unless it has already been through an NZSIS-approved destruction process such as shredding.

Waste, whether it is placed in a rubbish skip or other area for collection, or delivered directly to a waste disposal service, is extremely vulnerable.

Disposing of official records

Dispose of official records in line with the Public Records Act 2005. This usually means under the provisions of a disposal authority issued by Archives New Zealand. 

Contact Archives New Zealand for more information

Destruction methods

The following are the usual methods of destruction of protectively-marked information.

  • Pulping — transforming mass to a given size determined by a removable screen
  • Burning — burning in line with relevant environment protection restrictions
  • Pulverisation — using hammermills with rotating steel hammers to pulverise the material
  • Disintegration — using blades to cut and gradually reduce the waste particle to a given size determined by a removable screen
  • Shredding — using strip-shredders and crosscut shredders. Only crosscut shredders are NZSIS-approved for protectively-marked information.

For advice on equipment for destroying protected information, go to Retire information and assets securely.

Using the shredding method

When the destruction method is shredding, you must use the correct grade of shredder for the security classification on the information. 

And the shredder must be approved by the NZSIS.

  • TOP SECRET information — grade 5 crosscut shredder
  • Information with compartmented markings — grade 5 crosscut shredder
  • CONFIDENTIAL or SECRET — grade 4 crosscut shredder
  • Information up to and including RESTRICTED — grade 3 crosscut shredder.

Destroying microfiche and other photographic material

Protectively-marked microfiche and other photographic material must be destroyed using NZSIS-approved equipment or processes.  

Contracting out the destruction of hard-copy material

Base any decision on contracting out the destruction of protected material on sound risk management.

Here are some factors to consider.

  • How does the company transport information?
  • What are their procedures?
  • How secure are their containers?
  • How secure is their facility?
  • What equipment do they use?
  • What is the result of their destruction process? (For example, the resultant particle size of the destroyed material).

Remember that classified waste bags and bins are not security containers. Therefore, they must receive appropriate protection before they are collected. Classified waste bags and bins need to be stored according to the highest level of protectively-marked information they contain.

Getting approval to use a contractor

Before your agency enters into a contract for the destruction of paper-based information that is protectively marked CONFIDENTIAL or above, you must have the NZSIS’s approval. They will need to be satisfied that the contractor can safeguard the information throughout the destruction process.

Your agency should determine the processes you and the contractor will use to maintain an appropriate level of security throughout the pickup, transportation, and destruction of the waste.

Appropriate processes include:

  • the waste must not be left unattended at any time
  • the vehicle and storage areas must be appropriately secured
  • the destruction must be performed immediately after the material has arrived at the premises
  • agency representatives with the right level of security clearance must escort the waste and witness its destruction
  • the destruction company staff must have a security clearance to the highest level of the protectively-marked information being transported and destroyed.

Information marked TOP SECRET and ACCOUNTABLE MATERIAL must be destroyed within agency premises and only once the originating agency has been notified. The originators may also apply special conditions to the destruction of some protectively-marked information that might prevent contracting out destruction.

Destroying ICT media and equipment

ICT media and equipment must be destroyed in line with these two sections of the NZISM:

Contracting out the destruction of ICT media and equipment

For information on the sanitisation and destruction of electronic media and equipment, go to the following sections of the NZISM:

Transporting sensitive items for destruction

For information on securely transporting sensitive information or assets for destruction, go to:

Securely transporting sensitive items

 

 

Page last modified: 5/08/2019