DIN 66399 FOR DATA AND DOCUMENT DESTRUCTION

What is DIN 66399?

DIN 66399 consists of three parts. The first two parts are already recognised standards. The first part defines the terms and principles; while part two focuses on the requirements for machines for data and document destruction.

Part three of DIN 66399 (SPEC) is considered a “pre-standard”, which means that its status as an official standard is still pending. This part of DIN 66399 defines the processes involved in the destruction of data media. This results in clearly worded technical and organisational measures.

Various groups contributed to the definition and classification of the new standard: machine manufacturers, the German Federal Office for Information Security and various document destruction service providers were involved in the process.

What do protection requirements and protection class mean in the context of document destruction?

For the purposes of document destruction, data is divided into different protection classes to take into account the economic efficiency and the need for protection. The protection requirement depends on how much protection the data needs. Personal data, for example, needs a higher level of protection than advertising brochures.

The degree to which the data requires protection determines the choice of protection class and security level. This classification results in different technical and organisational measures that have to be fulfilled for document destruction.

Protection requirements, protection classes, security levels and the precise organisational measures are always determined by the “data controller”. The data controller is the owner of the data.

The different protection classes

Protection class 1 - normal sensitivity for internal data
This protection class applies to information that was intended for larger groups of people from the outset. If this type of data were to be compromised, the negative impact on the company would be limited. In the event of data protection violations, the affected party could only be slightly affected in their social position and economic circumstances.

Protection class 2 - high sensitivity for confidential data
Applies to information that is only intended for a smaller group of people from the outset. Data protection violations would have serious consequences for the company and could violate contractual obligations or laws. The affected party could therefore be significantly affected in their social position and economic circumstances.

Protection class 3 - very high sensitivity for particularly confidential and secret data
Protection class 3 pertains to information that was intended from the outset for a very small group of persons specified by name. Any data protection violations would have existence-threatening consequences or would violate professional secrets, laws and contracts.

The security levels at a glance

• Security level 1: General data – recovery with simple effort
• Security level 2: Internal data – recovery with special effort
• Security level 3: Sensitive and confidential data – recovery with considerable effort
• Security level 4: Particularly sensitive and confidential data – recovery with exceptional effort
• Security level 5: Data that must be kept secret – recovery with indefinable effort
• Security level 6: Secret high-security data – recovery currently not technically possible
• Security level 7: Top secret data – recovery impossible

Combination of protection classes and security levels

The table below shows the combinations of protection classes and security levels recommended by the DIN committee. The table clearly shows that the combination of a very low protection class with a very high security level and vice versa does not make sense from the committee’s point of view. The data owner (so-called “data controller”) is always responsible for the correct classification.

The assignment of protection classes and security levels

The following table enables you to assign the three protection classes and security levels. However, each case should be individually decided by means of a risk analysis. When dealing with data of different protection classes, it may be more economical to separate it according to the security levels and protection classes. However, if the data is mixed, the data media must be destroyed according to the highest protection class and security level.

Increasing the security levels

The destruction of documents in large facilities and the mixing and blending of large volumes of different data offers a further significant increase in security. In such cases, DIN 66399 allows for a higher security level while maintaining the same particle size.

However, the security level can only be raised by one step and up to a maximum of security level 4 if information is displayed in its original size. Since we destroy large quantities of material in our modern shredding facility, we meet this criterion.

Data media destruction process according to DIN 66399 SPEC

Part 3 of DIN 66399 (DIN 66399-3) is still merely a "pre-standard" (SPEC). This means that it is not yet a fully-fledged DIN standard. Despite this, it is already treated as a binding standard in the commercial environment.

The destruction of data media is understood as a complete process in which the individual process stages are to be examined, safeguarded and implemented. The data owner, i.e. the data controller, therefore remains formally responsible until data destruction has been completed. Once the agreed security level has been reached, the data is considered to have been deleted.

The entire process is usually divided up between the data controllers and external service providers. It is particularly important in this context to consider the segregation of duties and to define the technical and organisational measures.

3 possible process variants exist here:

Variant 1:  Data media destruction by the data controllers themselves
Variant 2:  Data media destruction by a service provider on site
Variant 3:  Data media destruction by an external service provider

Determination of the risk structure

After determining a process variant, it is necessary to check in advance whether the technical and organisational requirements of the corresponding protection class and security level are satisfied. When defining the protection class and security level, the data controller should answer the following questions:

• Which information is to be classified in which protection classes?
• Which security level should apply?
• Which of the 3 variants should and can be selected?
• Which technical and organisational measures should be defined for the overall process?

Certification according to DIN 66399

Simply order online now!

visit Web shop

Here you will find further helpful information: