Step 5: Wipe the data
Data wiping (also referred to as device or data ‘sanitisation’ or ‘erasure’) is the process of removing all files and data from a device to ensure that no information from the original user can be accessed or viewed by a new user. LOTI’s research into device upcycling has revealed that many organisations are put off running upcycling schemes due to fear of data breaches from their retired devices.
- Do we have the resource and/or capability to conduct data wiping in-house?
- If the devices have been sourced internally, has or will the data be wiped by our organisation (on site) or will this be undertaken by our upcycling service provider?
- If the devices have been sourced via a donor, will they wipe the data on their site or will this be undertaken by our upcycling service provider?
- If data wiping is to be undertaken by our upcycling service provider, what data wiping standard or certifications do we need?
- Do we require the devices to be wiped within a certain timeframe?
- Do we need an audit trail and certification for each device?
- Take a proportionate approach to risk when determining what data wiping standards need to be met.
- Include a section on data wiping in your device upcycling policy.
- Explore the options for data wiping as early as possible by engaging with your IT team, especially if your organisation does not allow data wiping by a third party (e.g. an upcycling service provider).
- For donated devices, make sure you understand the donor’s data wiping preferences from the start so you can plan ahead.
- If a data wiping audit trail (certification for each device) is required, ensure these requirements are captured in any discussions with the donor organisation and your upcycling service provider.
- If your organisation does not have a device upcycling policy or data wiping policy, seek advice from your relevant Data Officer, Information Officer and/or IT team.
- Visit the National Cyber Security Centre (NCSC) website for more advice on data wiping.