Handbook of Business Procedures

20.7.2. DESTRUCTION OPTIONS FOR CONTROLLED OR CONFIDENTIAL  RECORDS

A. Introduction

Controlled or confidential information in master records, convenience copies, or transitory information records must be protected throughout the entire lifecycle of the records, including the destruction process. Master records that contain controlled or confidential information must be approved for destruction by Records and Information Management Services (RIMS) and destroyed following the steps in 20.5.4. Destruction Procedures and Form in addition to following the procedures that apply to the destruction of all controlled and confidential records.

B. Secure Destruction of Hard Copy Records Using Document Solutions Shredding Services

Document Solutions offers secure ongoing document destruction services of hard copy materials as well as some electronic media. These services can be arranged on a weekly, bi-weekly, or monthly basis as well as on a single-event basis. Document Solutions can provide a shred level that meets the National Institute of Standards and Technologies (NIST) Guidelines for Media Sanitation (Publication SP-800-88r2) requirement for destruction of paper and other media as required by the Texas Department of State Health Services and other grant sponsors for projects with animal and human subjects. Other vendors do not generally have this capability. The Document Solutions Shredding Services webpage provides more information on services, pricing, and a link to an online request form.

C. Secure Destruction of Hard Copy Records and Removable Media Using an External Vendor

Effective April 6, 2026, document destruction vendor ATI Secure Docs/Austin Task is no longer subcontracting for WorkQuest under the Texas Comptroller's state contract for shredding.

Departments may work with Business Contracts to contract directly with commercial vendors for destruction services. The department must ensure that vendor is in compliance with NAID AAA certification standards as well as any additional requirements needed for the type of confidential information that they will be destroying. Contact RIMS for assistance with concerns about commercial vendor security standards compliance.

D. Secure Destruction of Hard Copy Records Using a Departmental Shredder

Departments may use shredders to destroy controlled or confidential records internally, following university disposition policy requirements listed in 20.5. Disposition of Records – General Information. In order to shred controlled or confidential documents within the department, each department must have shredding procedures developed in its records management plan. For more information, refer to 20.4.3. Records Management Plan. The Departmental Records Management Plan should demonstrate awareness of the following requirements:

  1. Submit a Request to Dispose of Records Form to RIMS and obtain authorization before shredding master records. Convenience copies and transitory information do not require RIMS authorization prior to shredding. Do not assume a record is either a convenience copy or transitory information. Before treating records as convenience copies or transitory information, determine where the master record is held. If that determination cannot be readily made, or when in doubt, treat the record as a master record and submit a Request to Dispose of Records Form to obtain authorization before destroying the record.
     
  2. Protect controlled and confidential documents awaiting shredding through the use of locked cabinets, closets, or other areas not accessible to unauthorized personnel.
     
  3. Demonstrate that staff has been notified of departmental shredding policy and procedures.
    • Authorize a limited group of staff members to shred documents, and list their names in the department’s records management plan.
    • Ensure that those authorized to shred documents have reviewed the RIMS Disposition Handout.
    • Print and post a copy of one of the Before You Shred pages from the Disposition Handout on or near the departmental shredder or shred bin(s).


Shredding Security Level Requirements for Departmental Shredders

Departments and individual university employees may use departmental shredders to destroy master records that have been authorized for destruction as well as convenience copies and transitory information provided the shredder meets the security level requirements.

  • Level P1 and P2 strip-cut shredders cut strips of varying widths by the entire length of the page and can be used for Published data classification records.
  • Level P3 or P4 cross-cut shredders that produce shreds no larger than strip-cut 1/16-inch-wide strips or crosscut 5/32-inch x 2-inch or smaller pieces must be used for Controlled and Confidential records.
  • Level P5 and higher micro-cut shredders cut paper into small particles and may be required for certain types of confidential information.

Records related to certain types of research may need to meet the National Institute of Standards and Technologies (NIST) (Table A-1) guidelines. They must be destroyed using a micro-cut level 6 shredder that produces particles rather than shreds. Texas Department of State Health Services requires the P6 standard, and other sponsors for projects involving animal and human subjects may require the P6 standard as well.

Few, if any, departments have shredders that destroy to the P6 standard. The UT Mail document destruction service does provide P6 shredding. The UT Mail Services Shredding Services webpage provides more information and a link to an online request for service form.

Note: Consult with Records and Information Management Services (RIMS) prior to using options other than those listed above to destroy records containing controlled or confidential information.
 

 

Part 20. Records Management - Table of Contents