The University of Essex recognises the importance of destroying all records effectively in order to ensure compliance with its various legal obligations and to protect the security of the information in its possession. This policy covers manual records managed in all parts of the University. Its fundamental aim is to ensure a rigorous and consistent approach to the secure destruction and disposal of such records.
The policy recognises the difficulty in determining the level of confidentiality for any specific record. The established definitions of "confidential” and "highly confidential” material contained in the policy may not fit all or every record in need of destruction. The policy is designed to provide a framework within which those involved in controlling destruction of records can operate. Individuals are able to use limited discretion when making the final decision on which category a particular record should fall into.
The effective destruction of records is an important part of the University’s approach towards protecting the security of the information in its possession. In particular, there are two specific legal obligations that require effective adherence to this policy:
The provisions and principles of the UK General Data Protection Regulations (UK GDPR) and Data Protection Act 2018 require the University to ensure that any record containing personal data, such as an individual’s name, address, or information relating to personal health, or financial or legal matters, is managed in a way that prevents the inadvertent disclosure or loss of information. In effect, this requires the University to destroy personal data under secure and confidential conditions.
The provisions of the Freedom of Information Act 2000 require effective destruction of a record at the end of its lifecycle in accordance with the established record retention schedule, to be able to guarantee that responses to requests for information made under the Act are lawful.
It is the individual responsibility of all staff to ensure information they are handling is destroyed effectively, securely and in accordance with this policy. Manual records that have reached the end of their lifecycle, either in accordance with the relevant Records Retention Schedule or as usual paper waste, are divided into the following four categories, and are destroyed in accordance with the instructions relating to each category.
For non-confidential records and/or data, and those containing no personal information, communal corridor bins are provided for recycling purposes. Communal corridor recycling bins are black with a green lid and labelled as ‘dry mixed recycling’. These are emptied daily by the Soft FM Services team and all material is treated as recycling – it will not be shredded; any confidential waste should be disposed of as below.
A record containing basic personal data, such as name, address, contact details, date of birth or any record containing the data described below is treated as highly confidential material and should be placed in the confidential waste console which will be collected by a secure data destruction service on a scheduled service visit. Waste Transfer Notes and Certificates of Destruction are available to download from the online portal for audit trail purposes.
The UK General Data Protection Regulations (UK GDPR) and Data Protection Act 2018 imposes on us a legal obligation to destroy confidential material responsibly, and under secure conditions. Use of standalone shredders, rather than the University’s service, cannot guarantee destruction or disposal to the security level (appropriate to the sensitivity of the material) necessary to comply with our obligations
Information already available in the public domain, for example via the University website, such as decisions recorded in Senate, Council, or Committee minutes, is not normally considered to be confidential material. For records containing such information, destruction via the corridor recycling bins is adequate.
In accordance with the University’s standard records management practice, the policy is reviewed every three years to ensure it meets effectively the University’s operational and legal requirements.