Destruction

There are multiple ways records can be legally destroyed:

• In accordance with the principle of Normal Administrative Practice (NAP). Records that can be destroyed under NAP include:
  • working documents of rough notes and calculations
  • drafts not intended for retention, whose content has been reproduced and incorporated in the agency’s recordkeeping system
  • additional copies of documents, emails and publications, maintained for reference

• Under a Retention and Disposal Authority (RDA). RDAs specify minimum retention periods for classes of records and authorise destruction of time-expired records.

• Under a specific authorisation to destroy records not covered by either of the above. This is in the form of a Single Instance Disposal Authority (SIDA). These are usually used for records of functions/activities no longer performed by an agency; or records inherited by an agency resulting from administrative or machinery of government (MoG) changes.

Destruction will minimise storage costs and administrative overheads, comply with privacy requirements, and reduce the risk associated with inappropriate information release.

Retention and Disposal Authorities (RDAs) are the legal instruments which provide disposal authorisation upon which a government agency can act. In addition, internal authorisation should be obtained prior to destruction to ensure the government agency has no further business or legal need for the records.

Agencies must also ensure that destruction does not breach any other legislative requirements. For instance, it is an offence under section 254 of the Crimes Act 1958 for a person to destroy a document that is, or is reasonably likely to be, required in evidence in a legal proceeding, with the intention of preventing it from being used as evidence.

Records that are subject to a current Freedom of Information (FOI) request, should not be destroyed until all avenues of appeal have been met.

Extra care should be given to records containing sensitive information, which can be categorised as:

• personal and private information (e.g. patient health records, employment records)
• financially or commercially sensitive information (e.g. tender documentation)
• criminal or civil investigations (e.g. fraud investigation records)
• information posing a security risk (e.g. security procedures).

See Office of the Victorian Information Commissioner (OVIC) for further information about privacy and security requirements.

Proof of destruction must be documented, regardless of the format of destruction. This is to ascertain and provide evidence as to whether destruction has taken place. For example, it may be:

• used in litigation proceedings
• provided in response to FOI requests
• supplied in response to a request from PROV.

A destruction register should be kept that links individual records to be destroyed with consignments sent for destruction. The destruction register should note:

• title and unique identifier of record
• relevant RDA and class
• date of destruction
• individual authorising destruction and their position in the agency.

A certificate of destruction should be generated when records are destroyed and placed on file with any other destruction documentation. It should note:

• description of records
• date of destruction
• method of destruction
• individual performing/supervising destruction.

The health and safety of the person/s undertaking destruction should not be compromised when records are being destroyed.

All records should be destroyed in an environmentally friendly manner. This includes recycling, where possible. Specialist advice can be sought from organisations such as the Environmental Protection Authority (EPA).

Agencies are recommended to seek advice from PROV if they need to destroy physical media that does not fall into one of the following categories:

• Magnetic media. Records on tape, floppy disks and other magnetic media can be bulk erased by subjecting them to a strong magnetic field. Degaussing units are available for this purpose. However, if magnetic media contains sensitive information, it should be physically destroyed by shredding, corrosion or melting. Deletion is insufficient as it does not remove data.
• Optical media. Records held on CDs, DVDs and other optical media should be physically destroyed by cutting or crushing.
• Film and microform. Cinematographic and microforms (including microfilm, microfiche, aperture cards and x-rays) can be destroyed by shredding, cutting, crushing or chemical recycling.
• Hard drives. Records on hard drives in personal computers, servers, mobile devices, and USB flash drives/external portable hard drives should be degaussed and reformatted when they are decommissioned and/or reused. Hard drives containing sensitive information may need to be physically destroyed (such as through shredding, corrosion or melting) once they have been decommissioned. See Office of the Victorian Information Commissioner (OVIC) for further information.

Business systems. Records in business systems should be destroyed using the functions of the system where possible, in order to maintain system integrity. Deletion is practical but only appropriate where the system is in active use. If the system is not in active use, or contains highly sensitive information, records should be overwritten rather than just deleted, to prevent them from being recovered. A record of destruction or audit log should be retained.

Electronic document and records management systems (EDRMS). An EDRMS should ensure that the destruction of a record includes all versions and renditions of that record. Where the same record appears in more than one file, the record and its renditions should be removed from the file. The record should be finally deleted once all occurrences of the record have been destroyed. Retention of record metadata will ensure the agency is aware of the records it has held and the dates they were destroyed or otherwise disposed of.

Back-up systems. If a record has been destroyed, copies held in back-up systems also need to be destroyed. If it is impractical to destroy specific records within the back-up system, then it is possible to wait until the back-up media has been recycled. However, back-up cycle times should be taken into consideration. If the cycle time is too long, records in the back-up system should be overwritten. The acceptable time period may be determined by conducting a risk assessment.

To ensure security, paper should be both shredded and pulped. Modern technology allows reconstruction of shredded paper. Pulping reduces shredded paper to its constituent fibres and is very secure if performed correctly. Pulped paper should be recycled.