What’s on a Certificate of Destruction (and Why Auditors Ask For It)

A Certificate of Destruction (CoD) is the paper trail that shows sensitive documents were collected, handled securely, and destroyed beyond recovery. In Australia, organisations must take reasonable steps to protect personal information and, when it’s no longer needed, destroy or de-identify it. A CoD helps demonstrate those steps were taken under Australian Privacy Principle 11.

When teams outsource document shredding in Sydney, the CoD becomes the enduring record of the job: who destroyed which materials, when, where, and how. That simple sheet can save hours during audits because it neatly links a disposal decision to evidence of action.

The details auditors expect to see

Auditors don’t just want a logo and a signature. They look for specifics that tie the service to your records register. Government recordkeeping guidance lists the kinds of information that make “proof of destruction” useful: the date of destruction, who performed it, which records were destroyed, and the authorisation that allowed it. Those elements are echoed in state templates used across the public sector.

A solid CoD includes:

  • Provider name and contact details

  • Your organisation’s name and service location

  • A unique job or certificate number

  • Date and time of destruction, and whether it was on-site or off-site

  • Description of materials destroyed (for example, HR files, finance boxes)

  • Quantity or weight

  • Destruction method and any referenced standard

  • Chain-of-custody notes or a witness field

These items line up with accepted recordkeeping practice and make later verification straightforward.

Why auditors keep chasing this document

External and internal auditors need sufficient, appropriate evidence to support their conclusions. Under ASA 500, evidence must be reliable, relevant and complete. A CoD meets that need because it’s contemporaneous, specific to the disposal event and created by a party with direct custody of the materials. Without it, auditors are left piecing together emails and calendar invites, which rarely holds up.

Auditors also map privacy obligations to operational controls. APP 11 expects reasonable steps both to protect information and to destroy or de-identify it when it’s no longer needed. Being able to produce CoDs on request shows your procedures move from policy to practice.

Standards and methods that often appear on certificates

Certificates sometimes reference a shred size or standard, especially for higher-risk files. The DIN 66399 framework sets seven paper security levels, from P-1 to P-7, where higher numbers mean smaller particles. For many office documents, providers cite P-3 or P-4; highly sensitive material may call for finer levels. Referencing a level helps an auditor understand the method, not just the marketing.

If you’re booking paper shredding in Sydney, check the certificate or service confirmation for the stated level or method, and keep that with your retention decision note. The pairing of decision plus evidence makes file reviews quick later on.

What good chain-of-custody looks like

A CoD should align with how the material moved: collection point, transport, and destruction. Brief chain-of-custody notes or a witness field reduce disputes about who held the files and when. Some providers add vehicle IDs or route data; others include a checkbox stating the material went directly to an approved facility. While not mandatory, these touches strengthen reliability in the eyes of an auditor testing control effectiveness.

Engaging a paper shredding service in Sydney should end with a clearly completed certificate, not a vague invoice line. Ask for the certificate at the time of service so it can be filed against the originating disposal request.

Due-diligence signals auditors like to see

Beyond the certificate itself, auditors look at the provider’s posture. Industry programs such as i-SIGMA’s NAID AAA Certification involve scheduled and surprise audits of destruction operations. If your provider holds this certification, note it in your vendor file and keep their current attestation with your CoDs. It’s not a legal requirement, but it does streamline audit conversations about vendor controls.

Providers offering secure document destruction in Sydney sometimes publish checklists or security overviews. Keep a copy with your procurement paperwork so the evidence bundle covers policy, vendor assurance and event-level certificates in one place.

How long should you keep certificates?

Treat CoDs as business records. As a rule of thumb, most Australian business records must be kept for five years, with some categories needing longer. Keep CoDs at least that long, starting from the date of the related assessment or transaction. If your sector imposes longer retention on source records, align the certificate’s retention with that.

For regulated personal information, the OAIC advises entities to regularly take stock of what they hold and to destroy or de-identify when there’s no ongoing need. The CoD is your proof that the destruction step happened.

Practical tips before your next clean-out

  • Match each disposal decision to a specific job number so the certificate ties back to your register.

  • Ask the provider to list box counts or weights by department where possible. That helps with future audits and internal cost allocation.

  • For mixed media, note the method used for each type. Paper may cite DIN 66399; media devices may reference a different standard.

  • Store certificates in your records system, not someone’s inbox.

  • If your team regularly uses a Sydney document shredding service, schedule periodic spot checks on the paperwork so gaps don’t snowball near year-end.

A short closing point. A clear Certificate of Destruction isn’t busywork. It’s the practical proof that privacy obligations were met, your vendor did what you asked, and your records team can stand tall during testing. If your processes produce timely, complete certificates, audits feel lighter and risk conversations stay grounded in facts.
