The actual steps involved in eventual physical disposal can easily be outsourced to a competent third party, but it is usually preferable to explore other avenues first: repurposing, resale, return to the manufacturer or donation to charity are all preferable to recycling. Whatever route is chosen, data considerations must take priority. Every device that leaves the organisation's control, whether sold, donated or recycled, is a potential data breach and should be treated as one.
Recycling Can Be Outsourced But Not Responsibility
Secure disposal of IT equipment is crucial for a business, and getting it wrong can be costly. Businesses need to manage the entire disposal chain as far as is possible. Whilst a UK company cannot control which parts of its equipment end up in landfill in a developing country once they have been handed on, it does have a duty of care to perform adequate due diligence on the operators of disposal services: check that their policies are sound and rigorously applied, that sanitisation is performed before equipment moves downstream, and that documentary evidence (such as a certificate of data destruction per batch or serial number) is supplied and retained.
Data Sanitisation Is A Critical Priority
When the ownership of an IT asset changes, that action should trigger the relevant portion of the company's security policy. Retirement of equipment is the obvious candidate activity, but so too is passing a device from one employee to another. Ideally, all candidate equipment should be placed in quarantine until the data has been adequately cleansed. Until that happens, the device represents a security risk. Laptops have legs, as the saying goes, and forgotten laptops are prime candidates for theft. Deleting files or reformatting a drive is not an adequate precaution: the storage must be completely overwritten with a tool whose result is verified, or the drive physically destroyed. Note that software overwriting is only reliable for magnetic disks; SSDs and other flash media keep data in remapped and over-provisioned areas that an overwrite cannot reach, so for those use the drive's built-in secure-erase command or destroy the device. Sanitisation is an activity that needs to be controlled and executed by competent individuals, with proof retained that it has been carried out satisfactorily. The relevant standard is HMG IA Standard No. 5 – Secure Sanitisation.
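The overwrite, verify and record-the-evidence sequence described above, as an added example (not from the original article or from the HMG standard): a POSIX shell function that overwrites a target with random data then zeros, reads every byte back to confirm the overwrite, and appends an evidence line to a log. It assumes the target is a magnetic disk device or, as here, a disk-image file standing in for one; the `blockdev` call for real devices is Linux-specific. It must not be relied on for SSDs, where the drive's own secure-erase output is the evidence to keep.

```shell
#!/bin/sh
# Added illustration, not the article's or any vendor's code.
# Assumptions: TARGET is a magnetic disk device or a disk-image file;
# overwriting does NOT sanitise SSDs/flash (remapped and over-provisioned
# cells are unreachable) - use ATA Secure Erase / NVMe Format / crypto-erase
# for those and keep that tool's output as the evidence record instead.

# byte_size TARGET: size in bytes of a block device (Linux) or regular file.
byte_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"     # Linux-only; assumption for devices
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# count_nonzero TARGET SIZE: number of bytes in TARGET that are not 0x00.
# Used as the read-back verification after the final zero pass.
count_nonzero() {
    head -c "$2" "$1" | tr -d '\000' | wc -c | tr -d ' '
}

# sanitise_and_verify TARGET LOGFILE
#   pass 1: random data, so no structure of the old contents survives;
#   pass 2: zeros, giving a state that can be verified byte-for-byte;
#   then read back, and append who/when/what/result to LOGFILE.
# Returns 0 only if the read-back verification passed.
sanitise_and_verify() {
    target=$1
    logfile=$2
    size=$(byte_size "$target")

    head -c "$size" /dev/urandom > "$target"   # pass 1
    head -c "$size" /dev/zero    > "$target"   # pass 2

    leftover=$(count_nonzero "$target" "$size")
    if [ "$leftover" -eq 0 ]; then
        result=PASS
    else
        result="FAIL($leftover nonzero bytes)"
    fi

    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    operator=$(id -un)
    # Evidence line: timestamp, operator, target, bytes overwritten, result.
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$stamp" "$operator" "$target" "$size" "$result" >> "$logfile"

    [ "$result" = PASS ]
}

# Usage on a real device (run as root, after confirming the device path):
#   sanitise_and_verify /dev/sdX /var/log/disposal-evidence.tsv
```

The verification pass is what turns "we ran a wipe" into evidence: a tool that reports success but leaves nonzero bytes behind is caught before the device leaves quarantine, and the log line, together with the serial number from the asset register, is what a later audit will ask for.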
Understand Data Protection & Environmental Protection Legislation
Ignorance of the law is no defence. The relevant legislation is the Data Protection Act, the EU's General Data Protection Regulation (GDPR) and the Waste Electrical and Electronic Equipment Directive (WEEE Directive).
As a starting point, the individuals responsible for IT asset disposal should at least be familiar with the salient points of the statutory requirements; otherwise non-compliance can easily creep in. Environmental breaches in particular may not come to light for several years, and represent a ticking bomb unless the correct procedures were adopted from the outset. That implies retaining proof of compliance with best practice and legal requirements for at least as long as a claim could be brought.
Record & Track Relevant Assets
Asset registers were traditionally a Finance Department tool. Nowadays they are a critical element in the chain of evidence that should prove that all statutory requirements were complied with. For each disposed device the register should link the serial number to the data classification it held, the date it was retired, the sanitisation method used, who performed it, and the reference of any destruction certificate or disposal contractor's receipt. That proof may be demanded by law enforcement agencies, stakeholders, shareholders, the PR department or any other party with a legitimate interest in the disposal history.