On this page
- Scope and Summary of process
- Disposal and destruction
- Legal requirements under the State Records Act
- Principles of destruction
- Methods of destruction
- Appendix A: Checklist for records destruction
- Appendix B: Sample questions to ask if using a contractor for the destruction of hardcopy records
Scope
These guidelines provide practical advice on the physical destruction of hardcopy and digital records.
Summary of process
When undertaking the destruction of records, it is necessary to ensure that:
- the records are no longer required for the business of the organisation (i.e. confirm they are not needed by business units for ongoing use)
- the records are not needed for legal proceedings, access applications (such as applications made under the Government Information (Public Access) Act 2009 or the Privacy and Personal Information Protection Act 1998), or other inquiries
- destruction is permitted or approved in line with the requirements of the State Records Act 1998
- records are no longer required to be retained to meet any other statutory and regulatory retention requirements
- documentation exists identifying which records have been destroyed, when, how, and under what authority
- the records have been destroyed appropriately.
Appendix A of this guideline (see below) contains a checklist for best practice records destruction.
Disposal and destruction
Disposal and destruction are terms often used interchangeably, but disposal does not only mean destruction. Disposal involves a range of processes, such as transferring ownership of a record, destroying or deleting it, or transferring it to the State Archives Collection. Destruction refers to the complete and irreversible physical erasure of the record, ensuring it cannot be reconstructed or retrieved.
The fact that a State record is authorised for destruction does not permit it to be sold or transferred to private ownership.
Legal requirements under the State Records Act
The disposal of State records is governed by the State Records Act. Legal disposal can occur through various methods:
- with permission from State Records NSW through general or functional retention and disposal authorities
- under provisions of specific legislation allowing destruction of certain records
- in accordance with ‘normal administrative practice’ (NAP), allowing for routine destruction of certain records
- by order of a court or tribunal.
Section 21 of the State Records Act imposes a penalty for the illegal disposal of State records. All public offices must account for their decisions to destroy records. If unsure about approval for destruction, contact State Records NSW.
Principles of destruction
Records destruction should be authorised, appropriate, timely, documented, secure and confidential. See appendix A for checklist for records desctruction.
Authorised
- Destruction must be formally authorised through a retention and disposal authority issued by State Records NSW. Retention and disposal authorities are the legal instruments whereby records may be destroyed once the mandatory minimum retention period is met and the record is not identified as a State archive.
- Internal authorisation or approval for destruction of records is given. Ensure that your organisation has no further business or legal needs for the records.
- Implementation: Provide the manager of the business unit that created or controls the records with lists of the proposed records for destruction and have them to confirm that the records are no longer required for legal, administrative, audit or financial reasons.
- Implementation: Once all requirements for the disposal of records have been met, an appropriate officer in your organisation should give the final internal approval for the destruction of records. Each organisation should ensure that an officer is formally delegated with responsibility for this process and that this delegation is documented.
- Records required for current or pending legal action, court cases, or pending access requests (such as a GIPA or privacy request) must not be destroyed.
Note: If a retention and disposal authority class was applied to the record (commonly referred to as 'sentencing’) and a period of time has elapsed since then, the record has been updated since being sentenced, or circumstances have changed, the public office should ensure that the retention period which has been applied to the record is accurate and the record does not need to be kept for a long retention period.
Irreversible destruction
- Destruction must be irreversible, ensuring records cannot be reconstructed or retrieved. Failure to ensure the total destruction of records may lead to the unauthorised release of information, bad publicity and potential breaches of the Privacy and Personal Information Protection Act 1998.
- Digital media must be properly sanitised to prevent data recovery.
- Implementation: Simply pressing 'delete' does not necessarily mean that the records are completely gone. The deletion of a file or the reformat of a hard drive may not always be adequate. Ensure that the records have been properly ‘sanitised’ to implement correct digital records destruction.
- Destruction should be environmentally friendly, such as recycling paper or microforms where possible.
Note: Where records that are severely damaged by fire, flood, mould, neglect etc. or for digital records that are unreadable or inaccessible, contact State Records NSW immediately when identified.
Secure and confidential destruction
- Destruction should maintain the level of security the records had during their lifecycle.
- Implementation: For hardcopy records, lockable 'wheelie' bins should be used, and records should be transported in totally enclosed and lockable vehicles (to prevent records falling off or being taken from the back of trucks).
- Section 12 of the Privacy and Personal Information ProtectionAct 1998 states that a public sector agency must dispose of sensitive personal information securely to ensure the information is safeguarded against loss, unauthorised access, use or disclosure. This information includes personal information, financial or commercially sensitive information, information given in confidence, information relating to an investigation, and information posing a security risk.
- Implementation: Some sensitive or personal records may require two officers to supervise the removal of the material to the point of destruction, ensure the destruction is complete, and sign a destruction certificate.
- Implmentation: Sensitive records may also be shredded 'in-house' before being sent for pulping. The decision to shred records should be incorporated into the organisation's disposal authorisation processes
- If destruction is contracted out, ensure the process is supervised to maintain confidentiality.
Timely destruction
- Records should be destroyed promptly after their retention period ends, reducing storage costs, retrieval time and minimises the risks of unauthorised destruction of records.
- Implementation: Prior to any record destruction, you must ensure that the records are no longer required and that there is confirmation from the organisation that the records can be disposed of. If a decision is made to retain records longer than the mandatory minimum retention period, then the reasons for the decision should be documented to assist disposal at a later date.
- The Premier's Circular C2024-02 Managing Records in NSW Government requires all public offices to apply “the decisions set out in the [retention and disposal] authorities to records, ensuring that records are destroyed promptly and securely when their retention period has ended, and transferring those records identified as State archives to the State Archives Collection.”
Contractor destruction
- Under the contract for the provision of Waste Management Services, all NSW Government departments, agencies, public health organisations and local government can procure secure records destruction services as part of their waste management procurement. Further details of the Waste Management Contract are available from buy nsw website.
- Contractors can be engaged to destroy records. However, it is the responsibility of the public office to ensure that destruction occurs in accordance with the approved methods of destruction.
- Implementation: make sure you know what method of destruction your contractor is using. Appendix B (see below) contains a list of sample questions to ask a contractor.
- The contractor can collect records from your office for destruction, or you can deliver the records to them. A closed truck should be used whenever possible.
- Implementation: If the contractor can only provide an open truck, ensure that the load is secured by a cover. Sensitive and confidential records should only be conveyed in a closed and lockable vehicle.
- The contractor must supply you with a certificate of destruction and should include the method of destruction used.
- Implementation: The certificate is evidence that the contractor was at fault if records that were supposed to be destroyed are found.
Documenting the destruction of records
- Destruction must be documented as proof may be needed in legal proceedings or in response to access requests.
- Implementation: Proof of destruction records should contain at minimum: the date of the destruction, identification of who/what undertook the destruction, the title and dates of the individual records, an authorisation reference for the destruction against each record (e.g. FA234 2.4.5; GA28 1.2.3; By court order; NAP etc.).
- A destruction register and certificate of destruction are essential for providing proof of destruction. These documents should be captured in a recordkeeping system for future reference.
- Implementation: A record of the method of destruction should also be documented if this is not already noted on the certificate of destruction.
Methods of Destruction
There are various methods for securely destroying records, which depend on the type of media on which the records are stored.
Paper records
- Shredding: The level of security provided by shredding depends on the size of the paper particles. For highly sensitive documents, cross-shredding using a two-axis shredder may be necessary. Shredded paper can either be pulped for recycling or repurposed for other uses, such as insulation.
- Pulping: Pulping breaks paper down into its constituent fibers. When done correctly, it is a very secure method of destruction and is usually followed by recycling.
- Burning: Burning should only be used as a last resort if no other environmentally friendly destruction method is available. Densely packed paper does not burn well, so this only should be done in an industrial facility.
- Burying: Burying records is not recommended, as they may take months or even years to break down and can be uncovered which can result in the breach of the State Records Act.
Digital records
The destruction of digital records is governed by the information contained on the media, not the media itself. The process of erasing or overwriting data is referred to as sanitisation. The extent of sanitisation depends on the sensitivity classification of the record and a risk analysis should be undertaken to determine this sensitivity level.
For further information on the classification and labelling of information, and what level of sanitisation is required, see the NSW Government Information Classification and Labelling Guidelines.
Sanitisation methods
- Clear/Overwrite: This method ensures that records cannot be retrieved by a keyboard attack. It involves overwriting the data to prevent retrieval through file recovery utilities.
- Purge: Purging prevents data from being recoverable through laboratory attacks. It involves randomising the data so it is no longer readable. Some media may be sufficiently purged by overwriting.
- Degaussing: This involves exposing magnetic media to a strong magnetic field to disrupt the recorded data, rendering it unreadable.
- Destruction: Destruction is the most extreme sanitisation method, physically altering the media to ensure it can never be reused. Methods include shredding, disintegration, incineration, pulverisation, and melting.
Note: Simple deletion is not the same as clearing as it is usually only removing the link within the system rather than removing the record. For media to be cleared the record must not be able to be retrieved through disk or file recovery utilities.
Special media formats
Some media, due to its nature, requires mechanical destruction, such as:
- Microfiche, microfilm, optical disks (CDs, DVDs)
- Programmable read-only memory (EPROM, EEPROM)
- Videos, cinematographic film, and x-rays
These can be destroyed by shredding, cutting, crushing, or chemical recycling.
Sensitive Information
Extra care must be taken when handling and destroying records containing sensitive information, such as:
- Personal information: Records containing personal information, such as health or welfare records, must be destroyed securely under the Privacy and Personal Information Act 1998.
- Financial or commercially sensitive information: This includes sensitive business data, such as financial records, tender bids, or anything that could provide an unfair advantage to others.
- Information given in confidence: Sensitive information provided under confidentiality agreements must be destroyed securely to prevent unauthorised release.
- Investigative information records related to investigations into criminal or malpractice activities must be destroyed with the highest level of security.
- Security-risk information: Records dealing with high-security topics, such as building plans for correctional institutions or bank security protocols, must be handled with extra care during destruction.