Computer Equipment Disposal Policy
Policy agreed by the Information Governance Group (IGG) - Wednesday 11th January 2017
Also see Disposal of IT equipment - this explains how to dispose of old equipment, who to contact and how much it will cost
IT equipment must be disposed of via a University approved disposal contractor, who will physically destroy all storage media and recycle everything else.
Every computer or device comes to the end of its life at the University and is disposed of. There may be liabilities associated with the subsequent use of the equipment, and such systems may store information that is confidential; thus care has to be taken over their disposal.
Why it’s important
When you are clearing out a filing cabinet, you consider how papers should be disposed of. Some information will have such little intrinsic value to others that it can safely be thrown in an open waste paper basket; other papers could cause some embarrassment if others found them and thus sealed bin bags may be a preferable method of disposal; other documents contain particularly sensitive information, in which case shredding is essential.
The same considerations apply when disposing of IT equipment, where information and data are stored. In particular, if any personal or other confidential data may be present, then special care must be taken to ensure that this information is removed such that it cannot be accessed by anyone. There have been high profile cases where this care has not been adequately exercised; the Data Protection Act 1998 requires us to take these issues very seriously. It is also necessary to ensure any software licensed to the University is removed.
In addition, the University has obligations to any person receiving equipment in relation to its electrical safety that may represent a continuing liability - see the Electrical Equipment (Safety) Regulations 1994. Finally, there are environmental implications in dumping IT equipment - see the Environmental Protection (Duty of Care) Regulations 1991 and the Waste Electrical and Electronic Equipment (WEEE) Regulations 2013.
In this policy:
- IT equipment means servers, desktop or laptop computers, tablets and smartphones, plus peripherals such as printers.
- Confidential data – data classified as either Medium or High Risk (see Information Risk Classifications)
- Personal data – data concerning living individuals, as defined by the Data Protection Act (1998). This is a subset of confidential data. (Not all confidential data is personal – e.g exam questions prior to sitting the exam)
(a) IT equipment should normally be re-used within the University wherever possible. Reuse opportunities outwith the School / Institute / University Services Division should be sought if the system has an economic life. Here, it is necessary to ensure that all personal or other confidential data is removed. If there is any chance the system may contain such data, the storage media (e.g hard drives, solid-state storage) must be wiped. IT Services provide advice on which methods of wiping are best.
Where re-use within the University is no longer feasible, IT equipment must be disposed as below.
(b) IT equipment must not be sold or donated to any individual other than through the processes identified in this policy.
(c) IT equipment must not be disposed of via skips, dumps, landfill etc.
(d) The University will maintain one or more contracts with companies or other organisations relating to the disposal of IT equipment. The contracts will stipulate all storage media is removed and physically destroyed by shredding or crushing, before the rest of the equipment is reused or recycled. IT equipment must always be disposed of via one of these contractors. In the first instance, users should contact their local IT team, who may well have arrangements already in place.
(e) If personal or other confidential data may be present, it is also necessary to consider how this will be protected from going astray after the system is decommissioned until the disposal company come to pick it up (prior to physically destroying storage media). One method to minimise this risk is, if possible, to wipe the storage media, just in case. However, it is recognised this may not always be possible e.g where a disk has failed.
(f) It is acceptable within this policy to trade-in IT equipment to a supplier in part exchange for newer equipment. However, all storage media (e.g hard drives) must be removed first, and not traded in. The other considerations of this policy still apply.
(g) Disposal via charitable organisations is only acceptable in accordance with the requirements of section (7).
(h) Any charges relating to the uplift or other aspects of this policy are the responsibility of the School / Institute / University Service owning the equipment.
(i) Any University IT equipment used at home must be brought back for disposal according to this policy, when it’s no longer required.
Wiping of Storage Media
Relying purely on disk wiping to remove confidential data involves certain risks, including:
- The process might, for whatever reason, not work as intended, unexpectedly leaving data accessible.
- We may not be easily able to wipe a failed drive ourselves, but someone else with the necessary expertise or tools might be able to read it.
- During normal operation, when a working drive is written to, the controller may mark a potentially-failing sector as "bad" and continue to save the data elsewhere. Bad sectors may be inaccessible to normal software, including wiping software, but again, might be readable by someone with the necessary expertise or tools.
The above risks can be accepted where equipment is re-used within the University. However, for equipment leaving University possession, physical destruction of storage media by an approved contractor is normally required - see section 5(e).
With some older equipment, it is possible to remove the storage media (e.g hard drive). This provides a straightforward and safe way to ensure confidential data cannot fall into the wrong hands. However, this is not always possible. Any donation where storage media hasn’t been removed is allowed only if the equipment has not previously been used to store High Risk data (see Information Risk Classifications). Furthermore, in order that all risks are minimised to a degree the University can accept, those making or arranging such donations must develop and implement a documented procedure, to be agreed with the following University Services:
- IT Services
- DP / FOI Office
- Safety & Environmental Protection Service
The procedure must:
- identify the risks that could result in information falling into the wrong hands, and appropriate measures to deal with them
- identify all other legal/regulatory requirements to be complied with (e.g software licencing, electrical safety legislation, WEEE)
- cover all makes/models of equipment that may be donated
For each item of equipment being considered for donation, the procedure must ensure:
- both the original owner of the equipment AND their Head of School / Institute / University Services Division confirm the device was not used to store High Risk data, and sign statements to this effect.
- the device is comprehensively wiped, using methods which provide clear and verifiable confirmation the erasure has been 100% successful.
- an audit trail is be kept
If any of the above cannot be satisfied, the equipment must not be donated.
IT Services maintains information on University disposal contractors that meet the requirements of this policy - see Disposal of IT equipment.
For further information and advice, please contact your local IT support, or IT Services:
- IT Services - firstname.lastname@example.org - Ext. 4800