Guide to Upcycling Retired Digital Devices
How to Run an Upcycling Scheme

Step 5: Wipe the data

Data wiping (also referred to as device or data ‘sanitisation’ or ‘erasure’) is the process of removing all files and data from a device to ensure that no information from the original user can be accessed or viewed by a new user. LOTI’s research into device upcycling has revealed that many organisations are put off running upcycling schemes due to fear of data breaches from their retired devices.

Key considerations 

  • Do we have the resource and/or capability to conduct data wiping in-house?
  • If the devices have been sourced internally, has or will the data be wiped by our organisation (on site) or will this be undertaken by our upcycling service provider?
  • If the devices have been sourced via a donor, will they wipe the data on their site or will this be undertaken by our upcycling service provider?
  • If data wiping is to be undertaken by our upcycling service provider, what data wiping standard or certifications do we need?
  • Do we require the devices to be wiped within a certain timeframe?
  • Do we need an audit trail and certification for each device?

Top tips

  • Take a proportionate approach to risk when determining what data wiping standards need to be met.
  • Include a section on data wiping in your device upcycling policy.
  • Explore the options for data wiping as early as possible by engaging with your IT team, especially if your organisation does not allow data wiping by a third party (e.g. an upcycling service provider).
  • For donated devices, make sure you understand the donor’s data wiping preferences from the start so you can plan ahead.
  • If a data wiping audit trail (certification for each device) is required, ensure these requirements are captured in any discussions with the donor organisation and your upcycling service provider.
  • If your organisation does not have a device upcycling policy or data wiping policy, seek advice from your relevant Data Officer, Information Officer and/or IT team.
  • Visit the National Cyber Security Centre (NCSC) website for more advice on data wiping.