DW124. IT Disposal
{{org_field_logo}}
{{org_field_name}}
IT Disposal Policy
Policy Statement
This information technology (IT) asset disposal policy is concerned with managing the secure disposal of equipment owned by the organisation but no longer required.
IT equipment such as computers, tablet computers, mobile phones and digital storage devices are vital and valuable assets to any modern organisation. IT equipment, for example, is used in most modern administrative processes which involve creating or handling information, some of which may be confidential and sensitive to individuals or to the organisation.
The disposal of such equipment, due to its need for replacement or upgrade, or merely because it has become obsolete, surplus or redundant, is an issue because:
- IT equipment may contain data or information that must be protected
- the equipment represents an asset value
- the equipment may be reused or recycled
- the equipment must be disposed of safely according to the law and in an environmentally sustainable way.
{{org_field_name}} aims to ensure that all of its IT equipment is managed effectively, including its disposal. The organisation understands that responsible IT asset management and disposal is essential for compliance with the Data Protection Act 2018.
Procedures
In {{org_field_name}}:
• this policy relates to technological equipment that can record or hold data, including:
a) PCs
b) laptops
c) tablets
d) mobile phones
e) multi-functional devices — printers/scanners
f) servers
g) fax machines
h) USB memory sticks and external hard drives
• managers should identify all such devices and ensure that these are recorded in an asset register
• all IT equipment which has been purchased by the organisation must be recorded on the register and have an asset tag assigned to it; where practical, the asset tag will be physically visible on the equipment stipulating that it is the property of the organisation; asset numbers should be recorded in the asset register
• the asset register should be used to record not only purchase and value information, but also the form used and date of disposal
• all staff and managers must follow the approved disposal/destruction methods for equipment to ensure that the risk of any loss of sensitive information or data breach is minimised
• all IT equipment that is identified for disposal should be accompanied by an Equipment Disposal Verification Form and an entry included in the asset register
• any IT equipment that has the potential to store sensitive data and which is no longer needed or has reached its “end of life” must have its data securely deleted/wiped and sensitive data deemed unreadable and unrecoverable before:
a) redistribution or reuse within the organisation
b) decommissioning and disposal
• all such equipment should be processed by a registered and approved contractor to securely remove any personal data
• when agreeing a contract with a professional equipment disposal service, the management of the home should obtain clear evidence of sufficient data security arrangements, including a written statement regarding confidentiality, destruction methods, and indemnity should the contractor fail to adequately destroy information; companies should comply with the ISO 27001:2013 IT Asset Disposal Standard
• IT and data equipment should not leave the organisation’s premises unless a chain of custody is established relating to the data contained within the device; this means establishing who is responsible for deleting the personal data contained on them
• deleting visible files, emptying files from the “Recycle Bin” of a computer or reformatting a drive are not considered a sufficiently secure method of wiping equipment, as data recovery software could be used by a new owner to “undelete” files or “unformat” a drive
• in the event that IT assets containing sensitive information are no longer needed by {{org_field_name}} and cannot be securely wiped, the equipment may need to be physically destroyed
• in all cases, the Equipment Disposal Verification Form should be completed and signed and kept with the asset register
• redundant IT equipment should not be donated to charities/schools, etc
• managers should ensure that any equipment that is leased has a data destruction clause written into the contract. Under such an arrangement, the supplier will ensure that data is wiped when it is returned.
Waste Disposal
Computer monitors, printers, scanners and fax machines are defined as hazardous waste due to the metals and chemicals used in their construction, and arrangements for their disposal must be handled in compliance with the organisation’s waste policies.
{{org_field_name}} must comply with its requirements under the Waste Electronic and Electrical Equipment Directive (WEEE). Small amounts of obsolete or broken IT equipment that has been effectively wiped of any data or does not contain any data storage potential can be disposed of through the electrical waste stream at a municipal site, or disposed of via the manufacturer or an electrical supplier.
IT equipment must never be disposed of through general waste routes. It is illegal to mix computer waste with general waste or to send untreated computer waste to landfill.
Responsibilities
Staff and managers in the organisation are responsible for compliance with this policy. They are responsible for all IT equipment being appropriately data cleansed before disposal, and then for the appropriate destruction or disposal of equipment in compliance with waste regulations.
All managers and staff have responsibilities under the Data Protection Act 2018 to have appropriate security in place to prevent personal data held from being accidently or deliberately compromised. This is relevant in the IT asset destruction and recycling processes.
Linked Policies
This policy should be read in conjunction with the organisation’s other policies and procedures relating to data protection and waste disposal.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next review date: this policy is reviewed annually (every 12 months). When needed, this policy is also updated in response to changes in legislation, regulation, best practices, or organisational changes.
Copyright ©2024 {{org_field_name}}. All rights reserved