IT disposal: waste not


Let’s face it, there are much more interesting things to think about that
what to do with old IT equipment. It is usually the last thing that gets
considered if planning a new implementation. Perhaps it would be a bigger
business priority if companies realised that it was a ‘risk avoidance’ exercise
that could produce a positive cash outcome.

The most publicised risk is data security. From Paul McCartney’s charitable
donations to individuals’ bank account details and various emails from within
government, we have all seen the stories about information reaching the public
domain that should not have.

The day-to-day reality of data security for most businesses is rather more
mundane; one major risk is when old IT equipment is replaced ­ not just on
computer hard drives but also printers, PDAs, telephones, memory sticks, CDs and
other data storage means ­ the data on it is not controlled correctly and, as a
result, misused. The consequences of this misuse are at best embarrassment and
at worst can pose a serious commercial risk.

Any reputable businesses should have a security policy to cover the obvious
risks that exist within the business, and this should include a section stating
policy and procedure for data security. If an organisation does suffer a breach
it should be a comfort to the organisation and its customers that it can
demonstrate it did have procedures in place to prevent it.

Within my own organisation we have ISO 27001, a specific accreditation
relating to information security within our company and how we aim to protect
the data we hold on our own systems, not just how we deal with data we are
contracted to dispose of. But whether or not a business goes down the ISO27001
route, they should carry out a risk assessment of data within their business and
develop a data security policy that deals with it.

Systems and media being disposed of by an organisation need to have their
data erased, or indeed, the medium on which data is being held destroyed if the
risk assessment denotes this. We have a policy that all our own server drives
are ‘degaussed’. Although this renders the drive and the data inoperable, the
small loss of value of the drive was inconsequential compared to risk.

For normal desktop equipment, best practice is to use a data erasure software
tool. We have standardised across our 10 EMEA processing locations on Blancco.
This is a guaranteed process that allows us to provide ‘certificates of
destruction’ to clients
for their data and a full audit trail of how that data was handled.

The environmental impact of obsolete IT has gained a lot of publicity in the
last few years; driven by our increasing awareness of our impact on the planet
but also by the recent introduction of the WEEE (Waste Electrical and Electronic
Equipment) legislation across Europe and this year within the UK.

The WEEE legislation is very ambiguous and has led to misunderstandings about
manufacturers’ obligations regarding the take-back of old IT equipment. The most
popular misconception is that when a manufacturer or reseller sells a new item
it is obliged to collect an old one. This is not correct.

Following recent clarification from the Department for Business, Enterprise
and Regulatory Reform, producers are responsible for the recycling of their
market share of equipment, but they are not responsible for collecting it from
the customer’s

premises and can nominate where the customer should deliver old kit to.
Bearing in mind that the WEEE legislation will not be a free answer to redundant
IT hardware, what’s the best way to deal with it? It is likely that of all the
IT equipment your business is looking to get rid of, only some of it will be
suitable for recycling. Some equipment, particularly if it is less than four or
five years old, will retain some commercial value.

Many organisations are interested in your redundant equipment because there
may be value in it. They will simply extract the valuable equipment and pass on
the residue product which has no value. The cheapest way of getting rid of this
type is to sell it by the container to China and India. The downside to this
option is that it will be dismantled in horrendous conditions using child

If your organisation does not want to contribute to this practice, then it
must be sure that the organisation it disposes through has a full audit trail of
who does the recycling. It is simpler if the organisation does its own recycling
in house and can provide an auditable explanation of where everything ends up.

Once the product has been audited, tested and wiped, it needs to be sold for
its ‘fair market value’. Any reputable organisation will be able to produce a
guide as to what they will expect to achieve in terms of sale value for the
product. These can then be compared so that you can choose the company that can
offer you the best value back.

Neal Saunders is managing director of Dataserv

Related reading