Once upon a time, not so very long ago, it was commonplace to see unwanted IT equipment tossed into skips outside office buildings. Nowadays, IT asset disposal is (fortunately!) a largely regulated activity, which protects personal and commercially confidential data as well as safeguarding the environment from the effects of dumping heavy metals into landfill and waterways.
Once equipment leaves the ownership of a company, or is returned from lease, the company’s responsibilities do not end there. It is critical to ensure that data is disposed of properly as well as the physical equipment. Whether the equipment is sold, donated to charity, returned to its manufacturer or sent for recycling, data sanitisation must be executed and must be certified as having been completed.
These guidelines go a long way towards ensuring compliance with all relevant regulations.
Draft An Equipment Disposal Strategy And A Policy
The strategy informs the disposal process and is primarily an internal IT department document; it also assigns roles and responsibilities. The significant benefit of drafting a disposal strategy is that sufficient thought will have been given in advance to all aspects of equipment disposal, from data sanitisation of devices right through to eventual disposal to landfill in an environmentally safe manner. The policy document is intended for general distribution to all members of staff and informs them of the correct procedures to follow under a number of scenarios.
Comply With Data Protection And Environmental Regulations
The three sets of statutory regulations that must be complied with are:
- Data Protection Act (1998)
- EU General Data Protection Regulation (GDPR)
- Waste Electrical and Electronic Equipment Regulations (2013) (WEEE)
Consider Independent Verification
Independent verification of all certified actions acts as a safeguard against fraud, theft and the human propensity for genuine errors. Equipment entrusted to an individual for secure disposal often has monetary value, and there is always scope for fraudulent activity between individuals in otherwise highly trusted and reputable organisations.
Outsourcing Considerations/Best Practices
If outsourced, only an IT asset disposal company with relevant public liability insurance should be employed. Insurance cover must start from the moment they take possession of equipment and should cover both hardware and data.
If outsourced, it is preferable to select a company that is certified by ADISA (Asset Disposal and Information Security Alliance), which ensures that the highest standards of environmental responsibility, safety and confidentiality will be applied. Selecting such a supplier demonstrates that appropriate due diligence has been applied to the end-to-end disposal process.
Data Sanitisation Best Practices
Whoever is responsible for data sanitisation (in-house or outsourced) must be able to guarantee that it has been fully executed and provide a certificate to that effect for each individual asset that was submitted for cleansing.
If the relevant media (e.g. HDD) has not been destroyed then the data must be comprehensively deleted and cleansed using software approved by CESG (Communications-Electronics Security Group, part of GCHQ).
Be cloud-aware: device settings may need to be reset, especially where the device can access data in the cloud. Also, users of cloud accounts that were linked to a device may still retain access to that device.
Retain all certificates as artefacts of proof in the chain of evidence records for each asset that is subject to data sanitisation, regardless of whether it is being disposed of or not.
Get More Information
Download our free Guide To The 6 Hidden Dangers of Non-ADISA Accredited IT Recycling and learn how to avoid critical risks that can cost your business and your job.