On-site data media destruction according to BDSG

Selection of appropriate procedures for the deletion or destruction of data

To ensure the confidentiality of information requiring protection, this information must be destroyed or deleted after use in such a way that reconstruction of the information can be ruled out with a high degree of probability.

For secure deletion or destruction, suitable procedures must be available on the one hand, and suitable devices, applications or services on the other.

There are various methods to delete or destroy information on data carriers. For a brief discussion, seeM 2.433 Overview of Methods for Deleting and Destroying Data.. The most important recommendations for erasing and destroying currently used data media are briefly outlined here.

Recommendation for deleting data carriers:

The simple delete commands of the respective operating systems and also the formatting of the corresponding data media are not sufficient to securely delete data stored there. Therefore, physical measures such as mechanical, thermal or magnetic treatment of the corresponding data carrier or targeted overwriting of the data carrier once or several times should be selected for secure erasure. For overwriting, the use of random data patterns is recommended. For data carriers that are to be reused in the same secured area, the effort required for erasure can be set lower than for data carriers that leave the area of application and are sold, for example. The following is an overview of methods for erasing common media:

• Paper documents:
  No reliable method available.

• Microfilm, microfiche:
  No reliable method available.

• Hard disks (with magnetic media), magnetic tape cartridges, floppy disks:
  Overwriting the entire disk with a random number pattern and verification.

• Hard disks with solid-state storage (SSD / hybrid):
  No reliable method is currently available for higher protection requirements. It is recommended to encrypt the data medium completely from the beginning of use. Before disposal, it should be overwritten as mentioned above.

• Optical media (CD, DVD):
  Rewritable media, such as CD-RW or DVD-RW, can be erased by overwriting with any data during normal protection requirements.

• Volatile semiconductor memories (SRAM, DRAM):
  To delete, the power supply should be switched off. If present, the backup battery must be removed beforehand.
  If the need for protection is very high, the memory must be overwritten once with any data beforehand.

• Non-volatile semiconductor memory (EPROM, EEPROM, Flash EPROM) USB stick, flash card, flash disk, PCMCIA cards:
  In the case of high protection requirements, the entire memory area must be overwritten three times using suitable software.

• Smart cards:
  No reliable method available.

• Multifunction devices (copiers, etc.) with hard drives:
  Overwrite: For normal protection needs, the information should be deleted from the cache via a delete function after printing. In case of high protection requirements, the hard disk must be overwritten with suitable software after each printout.
  M 2.400 must be observed when handing over or discarding a device.

The use of the following methods as deletion procedures is not recommended, as they are not reliable and data can be reconstructed:

• Deletion commands

• Overwriting individual files

• High-level formatting

• Low-level formatting

Recommendations for the destruction of data carriers:

In the DIN 66399:2012 standard “Destruction of data media”, Part 1, a protection class is assigned to the protection requirement. The security levels to be applied for the various data carriers are then derived from the protection class. Protection class 2 is appropriate for normal protection needs. Suitable destruction methods and particle sizes for the respective protection classes can be found in DIN 66399 Part 2.

Reliable service providers can also be used for the destruction of data media (see M 2.436).

• Paper documents:
  Paper documents should be shredded using paper shredders. For normal protection requirements, document shredders of security level P-3 according to DIN 66399 should be used; for higher protection requirements, shredders of security level P-4, P-5 or P-6 should be used (see also M 2.435).

• Microfilm, microfiche:
  For mechanical shredding, level F-4 according to DIN 66399 is recommended, but only a few suitable devices are still available. Therefore, these data carriers should be burned. The temperature must be above 300° C, and the dwell time must be at least 60 minutes.
• Hard disks:
  Hard disks can be shredded mechanically with a shredder. For high protection requirements, at least security level H-5 according to DIN 66399 must be used. The use of security level DIN 66399 H-6 should be considered for hard disks with high capacity or high data densities. For normal protection requirements, particle sizes according to DIN 66399, level H-4, up to 2000 square millimeters are quite acceptable. For mechanically small drives, the use of higher security levels is necessary. Hard drives can also be thermally destroyed; to do this, the hard drive must be heated to over 1,000° C for at least 15 minutes.

• Magnetic tapes, magnetic tape cartridges:
  Magnetic tapes should be shredded with equipment that meets the requirements of DIN 66399, level T-3. For higher protection requirements, the particle size should not exceed 30 square millimeters (level T-5).

• Floppy disks, optical data carriers (CD, DVD):
  These data carriers can be mechanically shredded with a shredder. In case of optical data carriers, the size of the particles must not exceed 160 square millimeters, in accordance with DIN 66399, level O-3; for higher protection requirements, it must be less than 30 square millimeters, level O-4. They can also be thermally destroyed, for which they must be heated to over 300° C for at least 60 minutes or incinerated at higher temperatures.

• Semiconductor memory ( SRAM , DRAM , EPROM , EEPROM , USB stick, flash memory, SSD hard disk, PCMCIA cards):
  These data carriers can be mechanically shredded using suitable equipment. The devices shall comply with security level E-4 according to DIN 66399. They can also be burned. In the process, they must be heated to over 800°C for at least 15 minutes.

• Smart cards:
  Smart cards can be incinerated or mechanically shredded with a destruction device. For normal protection requirements, shredders of security level E-4 according to DIN 66399 should be used.

The appropriate procedures for deleting or destroying the data or data carriers found in the institution depend on the type of data storage, the data carriers and the degree to which the information requires protection. It must also be taken into account for which further use the data carrier is intended. Therefore, a requirements analysis should be performed prior to selection in order to find suitable procedures.

The following questions, among others, should be answered:

• Which data types (on which operating systems and in which applications) and which data carrier types (e.g. optical or magnetic) with which data volumes (e.g. megabytes, gigabytes, terabytes) should be securely deleted?

• How high is the protection requirement of the data stored on the data carriers?

• How big is the data carrier itself? Does the result of the destruction meet the need for protection?

• Were or are the data carriers used in a protected area?

• Are tools already in place to delete and destroy information? Are these appropriate for the identified protection needs and the types of data media present?

• What types of erasure and destruction procedures exist for the identified protection needs and the types of data media present? How much training is required to use them reliably?

• What is the expected quantity of media of a type to be erased or destroyed?

The deletion of data or destruction of data media should be carried out promptly at the workplace so that the data media do not have to be stored temporarily if possible. As a rule, this also restricts the group of people who handle the data carriers and increases security.

Depending on the protection needs of the information and the media used, other tools or equipment must be used to reliably erase or destroy the data. Some tools and equipment are expensive to purchase or not easy to operate correctly. It may therefore make sense to conclude service contracts with external parties for this purpose. For this purpose, the discarded data carriers must be collected within the institution. For this purpose, burglar-proof containers should be placed at suitable locations and emptied regularly.

Destruction equipment is subject to wear and tear through normal use. Improper use or destruction of data carriers for which the device was not intended can cause damage to the device. A regular check of the particle size must therefore be carried out, for example by a simple visual check against the data in the equipment manual.

It must be documented in a comprehensible manner which procedures for deletion and destruction have been selected for the various types of data and the respective protection requirements and how they are to be applied.

Employees must be instructed in the selected procedures for deleting and destroying information, especially if they are to use the appropriate tools themselves.

Testing Questions:

• Have appropriate deletion or destruction procedures been established for the different types of data and their respective protection needs?
• Have employees been instructed in the procedures for deleting and destroying information, especially the use of available tools and equipment?
• Are suitable devices and tools available for the various types of data carriers to reliably erase or destroy the stored information?
• Is the result of the destruction checked regularly?
• Does the destruction process selected for a data carrier meet the state of the art ( e.g. size of the data carrier)?

Status: 04 2016