New standard DIN 66399
The new DIN 66399 replaces the previous DIN 32757. The most significant changes are:
Three classification levels
A risk analysis shall be carried out for the data carriers, and the data they contain shall be assigned to one of the three classification levels. The classification level determines the security level chosen for the destruction of the data carriers.
Six material categories
For the first time the standard defines different material categories, which also reflect the size of the information representation on the data carrier (paper documents; optical, magnetic or electronic data carriers; and hard drives).
Seven security levels
Instead of the previous five security levels, the new DIN 66399 defines seven. One major difference is the new security level P-4, with a maximum particle surface area of 160 mm²; the previous level 4 becomes level P-5 and the previous level 5 becomes P-6. “Level 6”, which the DIN standard did not previously cover, becomes level P-7.
Identifying the sensitivity of data and assigning the classification level
In order for the destruction of data carriers to comply with the principles of economy and proportionality, the data contained on them shall be assigned a classification level. The security level chosen for the destruction of the data carriers is determined by the sensitivity of the data.
Classification level 1:
Includes security levels 1, 2 and 3.
Normal sensitivity for internal data: the most common classification of information, intended for large groups of people. Unauthorised disclosure or transfer would have limited negative effects on the company. Protection of personal data shall be guaranteed. Otherwise there is a risk that persons affected may suffer damage to their reputation and economic circumstances.
Classification level 2:
Includes security levels 3, 4 and 5.
Higher sensitivity for confidential data: the information is restricted to a small group of people. Unauthorised disclosure would have serious effects on the company and may lead to violation of laws or contractual obligations. The protection of personal data shall meet stringent requirements. Otherwise there is a risk that persons affected may suffer serious damage to their social standing or economic circumstances.
Classification level 3:
Includes security levels 4, 5, 6 and 7.
Very high sensitivity for confidential and secret data: the information is restricted to a very small group of persons, known by name, who are authorised to access it. Unauthorised disclosure would have serious, existence-threatening effects on the company and/or would lead to violation of trade secrets, contracts and laws. The protection of personal data shall be absolutely guaranteed. Otherwise, the life and safety of persons affected may be at risk, or their personal freedom may be jeopardised.
Important details related to the new DIN 66399:
• If data controllers are able to destroy data carriers directly on site at any time, this increases security and is preferable to other methods, provided the destruction is carried out at the selected security level.
• If data carriers with different security levels arrive at the collection point, they should be sorted there by security level for economic and environmental reasons. If this is not possible, all the data carriers shall always be destroyed according to the highest security level present. This minimizes the risk that an incorrect assignment leads to inadequate destruction of data carriers containing sensitive data.
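The two rules above, together with the classification-to-security-level mapping, as an added Python example (not part of the standard or this page): it validates that a carrier's chosen security level is permitted by its classification level, plans destruction for a sorted or unsorted collection point, and checks shredder output against the P-4 limit of 160 mm². The Carrier model and the sample batch are constructed for illustration.

```python
from dataclasses import dataclass

# Permitted security levels per classification level, as stated in DIN 66399.
# Only the level digit is used; the material prefix (e.g. "P" for paper) is omitted.
PERMITTED_LEVELS = {
    1: {1, 2, 3},
    2: {3, 4, 5},
    3: {4, 5, 6, 7},
}

# Maximum particle surface area for security level P-4, as given by the standard.
P4_MAX_PARTICLE_MM2 = 160


@dataclass(frozen=True)
class Carrier:
    """A data carrier at a collection point (constructed model, not from the standard)."""
    label: str
    classification: int   # 1..3, result of the risk analysis
    security_level: int   # 1..7, chosen for destruction


def validate(carrier: Carrier) -> bool:
    """True if the chosen security level is one the classification level permits."""
    return carrier.security_level in PERMITTED_LEVELS.get(carrier.classification, set())


def batch_plan(carriers: list[Carrier], sortable: bool) -> dict[int, list[str]]:
    """Map security level -> carriers to destroy at that level.

    Sorted collection point: each level is handled separately. Unsorted: every
    carrier is destroyed at the highest level present, so a misassigned
    sensitive carrier can never end up under-destroyed.
    """
    bad = [c.label for c in carriers if not validate(c)]
    if bad:
        raise ValueError(f"security level not permitted by classification: {bad}")
    if not carriers:
        return {}
    if sortable:
        plan: dict[int, list[str]] = {}
        for c in carriers:
            plan.setdefault(c.security_level, []).append(c.label)
        return plan
    top = max(c.security_level for c in carriers)
    return {top: [c.label for c in carriers]}


def meets_p4(particle_width_mm: float, particle_length_mm: float) -> bool:
    """Check a shredder's particle size against the P-4 surface limit."""
    return particle_width_mm * particle_length_mm <= P4_MAX_PARTICLE_MM2
```

Running `batch_plan` on the same batch with `sortable=False` collapses every carrier into the highest level present, which is the conservative rule the standard prescribes for unsorted collection points.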