denisovd - Fotolia

Avoiding security issues when recycling hardware

What are the options for the environmentally and ethically responsible recycling of end-of-life hardware, without compromising data security?

Each year companies have to deal with an increasing amount of obsolete hardware. This is equipment that is under-powered or out of warranty, but nonetheless working and still functionally useful. The bulk of this equipment is typically desktop PCs and laptops, but the same also applies to peripherals, such as monitors, USB hard-drives and projectors.

Simply storing these computers means expensive floor space is being taken up. The problem has now reached the point where it is not uncommon to find IT departments inundated with piles of redundant computer hardware. Not only does this pose a potential trip-hazard and a risk of heavy items toppling over, but it also presents a poor impression to any guests visiting the office.

Computers include many components that are made from potentially harmful materials, such as lithium and mercury, which are toxic to the environment, as well as valuable resources including precious metals. As such, current legislation prevents companies from disposing of this hardware in landfill sites.

To comply with the Waste Electrical and Electronic Equipment (Weee) European Union Directive, which is managed by the Environment Agency in the UK, companies must ensure their hardware is recycled responsibly.

Many companies allow staff to take their obsolete hardware for home use, in return for a small fee. These funds can either be used to offset the expense of buying new hardware, or as a donation to a nominated charity. However, this approach is not without some dangers.

There have been several incidents in the past where old computers have been sold, only for their new owners to discover that they can still access files. One example of this, from 2007, was when case notes about vulnerable children were discovered on a computer that had previously been owned by Southend Borough Council and had been sold on eBay's auction site by a third-party recycling firm.

There is a dangerous and commonly held assumption that re-installing the operating system will ensure all files are deleted. This is not true. All this process does is remove the links to the previously saved files, which can be easily found using data recovery software, such as Recuva by Piriform.

Professional data wiping tools

To ensure their data is not retrievable, companies need to use professional data wiping tools, such as Blancco, which is approved by the Ministry of Defence. This software wipes all of the previously saved files from a computer’s hard-drive, or any form of hard-drive for that matter, by overwriting the entire hard-drive with meaningless data, essentially copying over the existing files in such a way that they are unrecoverable.

There are also free versions of data-wiping software available on the internet, such as Active Kill Disc. These are not as robust or thorough as the paid-for versions of software, but can be an acceptable alternative for computers that have never been used to process sensitive information – personal or commercial data, for example.

Once the memory has been thoroughly wiped and checked, companies are then able to repurpose this hardware.

In recent years, many companies have become concerned they might contravene the Weee Directive by selling on their computer equipment. This is in fact not the case, as provided the equipment is working, the hardware is still classified as electrical and electronic equipment (EEE), rather than waste, and as such is not subject to Weee legislation.

In certain cases, exemption can extend to instances where companies donate equipment that does not work to a community sector refurbishment workshop. If the equipment is to be repaired and reused, it is not considered waste.

“Businesses need to check their obligations under Weee Regulations but should not be put off from donating usable electrical and electronic equipment, including computing equipment, they no longer need,” said a spokesperson for the Environment Agency.

“If, instead of being discarded, equipment will continue to be used, it will be classed as EEE and will not come under Weee until the point it is discarded or enters the waste collection system.”

Donating equipment

Sometimes, companies are able to simply donate equipment to schools and colleges in their area. However, there will be limitations as to what they can make use of. 

“We prefer to have all the same make and model of computers, as this makes it easier for the children,” says Kate Marsland, the head teacher at Morley Primary School in Derbyshire.  “That said, we are using iPads more and more often, and spending less time on computers or laptops.”

Some schools and colleges may also wish to use older hardware as practice rigs for students to gain hands-on experience with assembling computers.

There are many charities that will accept computers. However, this requires forward planning, as only charities that have a registered electrical technician working for them can accept computers or other forms of electrical equipment.

Likewise, some charities will only accept Windows computers but not Apple machines, or vice-versa. It is recommended that companies phone in advance to confirm that a charity is willing and able to accept redundant hardware.

Computers4Africa is a registered charity operating as a social enterprise, which accepts all forms hardware. The charity takes the donated hardware and distributes it to families in Africa where it is most needed. As well as computers – both desktops and laptops – they will also accept tablets, smartphones, monitors and “basically anything that goes into an IT room”.

Based in Kent, the company arranges drop-off sites throughout the country for a two-day period every few months. “If we have several companies in an area wanting to donate, we will send a lorry to go and pick them up,” says Sharon Roberts, the business development manager for Computers4Africa.

Its only stipulations are that the equipment is working, no more than eight-years-old and that any Macs come with the installation disc.

As part of this service, which is completely free, Computers4Africa will also wipe the memory of any hardware – using Blancco – to ensure the company’s files are wiped from the computer. However, those companies that deal in sensitive or confidential data may wish to perform the wipe themselves, in advance of computers leaving the building.

Hardware servicing

Due to the high cost of new hardware, some companies are unable to afford the expense of regularly updating batches of machines. Rather than making large capital investments for new hardware, a hardware servicing company can be contracted to manage this side of the company’s business.

An example of such a hardware servicing company is Agilitas, which operates throughout the UK and has strategic warehouses across the country to respond to service outages.

“We are focused on the equipment that is coming out of warranty and is classed as legacy,” says Agilitas operations director John Street. “End of life does not mean that it is dead, just that they need to have a reliable provider to prolong the life of equipment.”

For machines that come back to them, Agilitas wipe – using Blancco – and repurpose the computer to add it to what they call their datacentre. “We call it a datacentre, but really it is a computer room that has a vast array of machines in there across all different manufacturers and age,” says Street. “The parts we work on are tested in that environment in stress conditions, to ensure they are fit for purpose.”

Those machines that are not able to be repaired have all of their useful components salvaged, which can be recycled and later used in the repair of other machines. Like the rest of their inventory, these parts are tagged, which allows their engineers to interrogate the history of each part.

“If it seems to have been through the cycle too many times, we will take it out of the cycle [and classify it] as DOA – dead on arrival,”  says Street.

Companies that sell or donate their old and redundant computers to recycling firms need to ensure that they are fully compliant with all of the appropriate regulations, such as:

  • Weee
  • Producers of Hazardous Waste
  • Carriers of Controlled Waste
  • Environmental Permit T11
  • Data Protection Act

Usually, badges of compliance can be found on the recycling firm’s websites, but businesses can also check the appropriate registers to ensure the prospective firm has been suitably approved.

Companies need to pro-actively manage their redundant hardware and to responsibly distribute and/or dispose of it. In so doing, companies can reclaim valuable floor space and enhance their image within the community, while ensuring their data security remains uncompromised.

This was first published in November 2015

CW+

Features

Enjoy the benefits of CW+ membership, learn more and join.

Read more on Privacy and data protection

2 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCIO

SearchSecurity

  • Dissecting the Hack

    In this excerpt from chapter three of Dissecting the Hack: The V3RB0TEN Network, authors Jayson E. Street, Kristin Sims and Brian...

  • Digital Identity Management

    In this excerpt of Digital Identity Management, authors Maryline Laurent and Samia Bousefrane discuss principles of biometrics ...

  • Becoming a Global Chief Security Executive Officer

    In this excerpt of Becoming a Global Chief Security Executive Officer: A How to Guide for Next Generation Security Leaders, ...

SearchNetworking

SearchDataCenter

SearchDataManagement

Close