The new DIN 66399 for destruction of data carriers


What is new?

Three protection categories

Determining the protection requirement and assigning the protection class and the security level serve to classify the data that arises.

Six material categories

For the first time, the standard defines different material classifications, which also reflect the size at which the information is presented on the data carrier (paper documents; optical, magnetic or electronic data carriers; and hard drives).

Seven security levels

Instead of the previous five security levels, the new DIN 66399 now defines seven security levels. One major difference is the new security level P-4 with a maximum material particle surface of 160 mm². The previous level 4 becomes level P-5 and the previous level 5 becomes P-6. “Level 6”, which was not previously reflected in the DIN standard, becomes level P-7.

 

Security levels according to DIN 66399 for information presentation in original size, for example paper documents (P for paper)

 

 

Security level P-2

Recommended, for instance, for data carriers with internal data that has to be made illegible. Material particle surface ≤ 800 mm² or strip width ≤ 6 mm. Strip length not determined.

Security level P-3

Recommended, for instance, for data carriers with sensitive and confidential information. Material particle surface ≤ 320 mm² (for example particles 4 x 80 mm) or strip width ≤ 2 mm. Strip length not determined.

Security level P-4

Recommended, for instance, for data carriers with especially sensitive and confidential information. Material particle surface ≤ 160 mm² and, for regular particles, strip width ≤ 6 mm (for example particles 4 x 40 mm).

Security level P-5

Recommended, for instance, for data carriers with secret information. Material particle surface ≤ 30 mm² and, for regular particles, strip width ≤ 2 mm (for example particles 2 x 15 mm).

Security level P-6

Recommended, for instance, for data carriers with secret data where extraordinarily high security precautions have to be observed. Material particle surface ≤ 10 mm² and, for regular particles, strip width ≤ 1 mm (for example particles 0.8 x 12 mm).

Security level P-7

Recommended, for instance, for data carriers with strictly confidential data where the highest security precautions have to be observed. Material particle surface ≤ 5 mm² and, for regular particles, strip width ≤ 1 mm (for example particles 0.8 x 5 mm).
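
As an added illustration (not part of the standard or of the original page), the following Python example checks a shredder's cut dimensions against the P-2 to P-7 limits listed above and reports the highest level the cut reaches. The function names and the rectangular-particle area calculation (width x length) are assumptions made for this example.

```python
from typing import Optional

# Limits for P-2..P-7 as listed above (P-1 is not listed on this page).
# (level, max particle area in mm^2, max strip width in mm, width alone suffices)
P_LEVELS = [
    ("P-7", 5.0, 1.0, False),
    ("P-6", 10.0, 1.0, False),
    ("P-5", 30.0, 2.0, False),
    ("P-4", 160.0, 6.0, False),
    ("P-3", 320.0, 2.0, True),
    ("P-2", 800.0, 6.0, True),
]

def highest_p_level(width_mm: float, length_mm: Optional[float] = None) -> Optional[str]:
    """Highest listed P level a cut satisfies, or None if it misses P-2.

    length_mm=None models a strip cut (strip length not determined).
    Assumption: regular rectangular particles, area = width * length.
    """
    if width_mm <= 0 or (length_mm is not None and length_mm <= 0):
        raise ValueError("dimensions must be positive")
    if length_mm is not None:
        # Treat the shorter side as the strip width, whatever the argument order.
        width_mm, length_mm = sorted((width_mm, length_mm))
    for level, max_area, max_width, width_suffices in P_LEVELS:
        width_ok = width_mm <= max_width
        if length_mm is None:
            # Without a length the area limit cannot be shown, so only the
            # levels with a width-only criterion (P-2, P-3) can be reached.
            if width_suffices and width_ok:
                return level
            continue
        area_ok = width_mm * length_mm <= max_area
        if width_suffices:
            if area_ok or width_ok:      # P-2/P-3: area OR strip width
                return level
        elif area_ok and width_ok:       # P-4..P-7: area AND strip width
            return level
    return None

def meets(required: str, width_mm: float, length_mm: Optional[float] = None) -> bool:
    """True if the cut reaches at least the required level (e.g. "P-4")."""
    order = [entry[0] for entry in P_LEVELS]  # highest level first
    got = highest_p_level(width_mm, length_mm)
    return got is not None and order.index(got) <= order.index(required)
```

For example, `meets("P-4", 4, 40)` is true for a 4 x 40 mm cross-cut, while a 2 mm strip cut reaches P-3 at most.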



Material classification according to the new DIN 66399

P

Information presentation in original size, for example paper, films, printing plates. Security levels P-1 to P-7

F

Reduced information presentation, for example micro films, foil. Security levels F-1 to F-7

O

Information presentation on optical data carriers, for example CDs/DVDs. Security levels O-1 to O-7

T

Information presentation on magnetic data carriers, for example ID-cards, diskettes. Security levels T-1 to T-7

H

Information presentation on hard drives with magnetic data carriers. Security levels H-1 to H-7

E

Information presentation on electronic data carriers, for example flash drives, chip cards. Security levels E-1 to E-7


Determination of the protection requirement and allocation of the protection class


To respect the principles of economic efficiency and appropriateness when destroying data, it is necessary to categorise the data into protection classes. The degree of protection required is crucial to the choice of security level for the destruction of the data carriers.

Protection class 1:

Normal protection requirement for internal data. This information is intended for and made available to larger groups. Unauthorised disclosure would have limited negative effects on the company. Protection of personal data has to be ensured. Examples: correspondence not relevant to know-how, personalised advertising, catalogues, circulars, notes …
 

Protection class 2:

High protection requirement for confidential data that is accessible to a small circle of people. Unauthorised disclosure would have substantial effects on the company and could violate contractual commitments or laws. Protection of personal data must meet high requirements. Examples: know-how relevant correspondence such as offers, inquiries, memos, posts, personal data …

Protection class 3:

Very high protection requirement for very confidential and secret data, accessible to a small circle of authorised people whose names are known. Unauthorised disclosure would have serious, existence-threatening effects on the company and would violate professional secrets, contracts and laws. Protection of personal data must be ensured thoroughly. Examples: management documents, R&D documents, financial data, confidential information …

 

 Protection classes

Additional information is also available in this booklet.