This publication is no longer current or has been superseded.
The first step for any disposal process should be to remove any stored data and information from the equipment. As noted in the Introduction, these Guidelines are not intended to replace the guidelines for government agencies provided by the Government Communications Security Bureau. They are included simply to draw attention to this issue because it is integral to environmentally sound ICT disposal practices.
All data should be removed from computer disk drives before disposal, and users should obtain documented evidence that this has occurred.
There are a number of alternatives available for achieving this. The option selected will depend on the level of confidentiality of the information stored on the hard drives. Agencies or companies dealing with classified information, such as the Ministry of Defence and the Ministry of Foreign Affairs and Trade, or sensitive personal information such as that held by the Police or the Ministry of Health, will require the highest level of security. Typically this will involve in-house processes to security wipe hard drives and may even involve the physical destruction of the equipment. Other organisations may be able to rely on trusted computer recyclers and refurbishers to reliably data-wipe hard drives before the equipment is reused or otherwise disposed of.
Software products used for security wiping should produce certification of the security wiping. For example, if there is a bad sector on the hard drive that the software is unable to access, certification that the drive has been cleansed will not be produced. Other precautions (such as physical destruction) can then be taken to ensure the data cannot be recovered.
Three techniques are commonly used for media sanitisation: overwriting, degaussing[20] and destruction. In most cases, overwriting provides an acceptable level of security if recognised software and processes are used. For classified and highly confidential information, overwriting is only acceptable if the equipment is to remain at the previous level of classification and remain in a secure, controlled environment.[21]
An internationally recognised standard for security wiping hard drives is that specified by the US Department of Defense Standard 5220.22-M for media sanitisation.[22] This process involves randomly writing data to hard drives to write over the original information. This process is repeated a minimum of three times – triple overwrite (the first time with a character, the second time with its complement, and the third time with a random character). To achieve an even higher level of security, this process can be repeated a further four times, making a total of seven security wipes. The net result is randomly reformatted information recorded as a pattern of 0s and 1s.
(a) Use security-wiping software compliant with the US Department of Defense Standard 5220.22-M, or equivalent.
(b) Obtain certification verifying successful security wiping.
(c) Arrange physical destruction of hard drives with bad sectors. Drilling hard drives is preferred to acid baths.
(d) For organisations with classified or highly sensitive information, hard drives should be security wiped before leaving the organisation’s premises.
(e) Request evidence of chain of custody for the entire disposal process, including equipment collection, the data security wiping process, and removal of company-identifiable asset tags and stickers.
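The triple overwrite and the certification rule described above (no certificate when a sector cannot be accessed, physical destruction instead) can be sketched as follows. This is an added example, not code from these Guidelines or from any wiping product; it runs against a constructed file that stands in for a drive, and the names `wipe_and_certify` and `bad_blocks` are hypothetical.

```python
import json
import os
import tempfile

BLOCK = 4096  # block size chosen for this example

def wipe_and_certify(path, bad_blocks=frozenset(), char=0x55):
    """Triple-overwrite `path` (character, complement, random) with read-back
    verification. `bad_blocks` is a hypothetical hook that simulates sectors
    the software cannot access. Returns a certificate-style dict."""
    size = os.path.getsize(path)
    passes = [
        ("character", lambda n: bytes([char]) * n),
        ("complement", lambda n: bytes([char ^ 0xFF]) * n),
        ("random", os.urandom),
    ]
    failed = set()
    with open(path, "r+b", buffering=0) as dev:
        for _name, pattern in passes:
            for idx in range((size + BLOCK - 1) // BLOCK):
                off = idx * BLOCK
                data = pattern(min(BLOCK, size - off))
                if idx in bad_blocks:  # simulated inaccessible sector
                    failed.add(idx)
                    continue
                dev.seek(off)
                dev.write(data)
                os.fsync(dev.fileno())
                dev.seek(off)
                # Simplification: a read served from the OS cache does not prove the media changed.
                if dev.read(len(data)) != data:
                    failed.add(idx)
    cert = {
        "target": path,
        "bytes": size,
        "passes": [name for name, _ in passes],
        "failed_blocks": sorted(failed),
        "certified": not failed,
    }
    if failed:
        cert["action"] = "physical destruction required"  # no certificate issued
    return cert

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(delete=False) as img:  # constructed disk image
        img.write(b"CONFIDENTIAL payroll record\n" * 1000)
    print(json.dumps(wipe_and_certify(img.name), indent=2))
    print(json.dumps(wipe_and_certify(img.name, bad_blocks={2}), indent=2))
    os.unlink(img.name)
```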
Although mobile phones and personal digital assistants (PDAs) are still viewed as different devices to desktop and laptop computers, there is a rapid convergence in functionality. Already it is possible to send and receive email and video communications on a mobile phone, and devices such as the BlackBerry are increasingly taking over some of the functions more traditionally confined to a computer. The storage capacities of iPods and other MP3 players, and even USB drives, already exceed the capacity of many older computers. This means that organisations need to exercise the same care in terms of security wiping these devices before disposal.
Users of GSM communication devices with SIM cards (mobile phones and data cards) have the option of removing the SIM card before disposal, thereby maintaining the confidentiality of their phone directories. They have the added advantage that the SIM card can be transferred to the user’s new phone. Users of Telecom cellphones do not have this choice and need to take steps to erase directory information.
Data cleansing of hand-held PDAs can be managed quite efficiently, and even remotely, as these rely on regular synchronisation with the organisation’s network. In the case of a unit being stolen or misplaced, the network can automatically delete all stored data and render the unit inoperable if unauthorised use is attempted. The same process can be used to security wipe the units before disposal. Physical destruction is not necessary.
(a) Remove SIM cards from all GSM mobile devices before disposal.
(b) Manually delete all directory information from Telecom phones before disposal by returning to the factory settings.
(c) Use the auto-synchronisation facility to delete all data in hand-held PDAs before disposal.
(d) Develop procedures and policies for restricting the storage of sensitive data on portable media, including cellphones, PDAs, USB drives, MP3 players, CDs and DVDs.
Suppliers should be required to take responsibility for equipment they supply when it reaches the end of its life.
The guidelines for buying ICT equipment presented above recommend that buyers specify a requirement for surplus equipment take-back or disposal via a credible refurbisher or recycler. For organisations dealing with relatively large volumes of equipment, this is not expected to present any difficulty. Suppliers of new equipment are generally very happy to arrange for the disposal of surplus equipment as part of the contract for new equipment - although often at a cost. However, this does not necessarily ensure the equipment will be disposed of in an environmentally acceptable way.
The IT/TV Product Stewardship Working Group is developing an industry-supported product stewardship scheme that is expected to reinforce take-back schemes. The Ministry for the Environment is also in the process of developing WEEE recycling guidelines that will link to the manufacturers’ product stewardship scheme. The Ministry expects this work to be completed early in 2008, at which time the guidelines will be published on its website; this will include guidelines for households. In the meantime, the best advice available has been published by the Ministry as the Safe Use and Disposal of Computer Equipment. It is primarily aimed at households, but the contact information is relevant to all.[23]
In computer procurement contracts, specify a requirement for take-back, or a reuse and recycling service that meets the Ministry for the Environment’s recycling guidelines, or an equivalent standard.[24]
Computer monitors present a special challenge in terms of environmentally friendly disposal. Currently there is no facility in New Zealand with the capability of recycling CRT monitors. While some are being landfilled, responsible recyclers are making efforts to find overseas markets where they can be converted into television sets or broken down, with 95 per cent of the materials being recycled. However, the cost of transport, typically to Asia or Australia, cannot easily be recovered, and this is the current dilemma. In the meantime, refurbishers are doing their best to keep CRTs operating, but with the rapid growth in LCD displays the traditional markets for refurbished computers in New Zealand – schools and private citizens – are diminishing.
Although ultimate disposal may be something other users downstream need to deal with (computer monitors turned over by government agencies on average every three to four years can have many more years of useful service, for example), organisations should still seek to dispose of their equipment responsibly.
Ensure monitors are disposed of through a trusted refurbisher or recycler.[25]
There is little market for refurbished desktop printers, scanners or fax machines, because the cost of new equipment is now so low. Replacement parts such as print heads for inkjet colour printers cost almost as much as a whole new printer; and this presents a difficult if not impossible challenge for refurbishers. It should therefore be assumed that surplus desktop printers, scanners and fax machines will almost always be destined for recycling rather than refurbishment.
Ensure computer peripheral equipment and fax machines are disposed of through a trusted recycler.
The preferred method of funding multi-function printers is through a service charge based on the number of pages printed. In these cases, the hardware is not owned by the agency and responsibility for disposal remains with the supplier. In situations where the equipment is owned by the organisation, an effective take-back scheme is typically provided by the supplier of the new equipment.
Specify a preference for MFD service contracts rather than hardware purchase.
Both of New Zealand’s main service providers – Telecom and Vodafone – operate take-back schemes for end-of-life mobile phones. This differs from other countries, where the manufacturers of the handsets – Nokia, Motorola, Sanyo, Samsung and Sony Ericsson, for example – are expected to take a more active role in terms of producer responsibility. Given the relatively small size of the New Zealand market it is not necessarily inappropriate that the service providers have taken on this role without any direct contribution from the handset manufacturers.[26]
Both Vodafone and Telecom accept any handsets at their retail stores, by free post or office collection bins (currently Vodafone only) and arrange for them to be shipped offshore to certified recyclers for de-manufacturing, sorting, refurbishment and resale, or shredding and recycling.[27]
Require your service provider to supply a collection service, reuse and recycling service for surplus devices.
20 “Degaussing” is the process of decreasing or eliminating an unwanted magnetic field.
21 Government Communications Security Bureau guidelines, p. 128. http://www.gcsb.govt.nz/publications/nzsit/nzsit-400.pdf.
22 US Department of Defense Standard 5220.22-M, Section 5: Software and Data Files. http://www.qsgi.com/usdod_standard_dod_522022m.htm.
23 Ministry for the Environment, The Safe Use and Disposal of Computer Equipment. http://www.mfe.govt.nz/publications/waste/safe-use-and-disposal-computer-equipment/.
24 The Ministry guidelines are to be published in 2008, at which time it may be appropriate to delete the option of “an equivalent standard”, as this could lead to uncertainty and debate in determining what is equivalent.
25 The Ministry for the Environment expects to publish recycling guidelines in early 2008 that will provide guidance in identifying “trusted refurbishers and recyclers”. In the meantime, the Computer Access NZ Trust (CANZ), funded by the Ministry of Education, accredits refurbishers to promote the reuse of surplus government computers in schools and the community.
26 The Ministry for the Environment has published a product stewardship case study on the cellphone sector; see: