Local Authority ITAD Deep Dive

Council ITAD: Why Local Authorities Can't Just Skip IT Equipment in the Bin

Over 40% of UK councils don't have documented ITAD policies. Here's what local authorities must do for proper IT disposal.

8 February 2026

In 2021, a Freedom of Information request revealed that over 40% of UK local authorities did not have a documented ITAD (IT Asset Disposal) policy. This is startling when you consider the volume of sensitive data held by councils: housing benefit records, social services case files, electoral registers, council tax accounts, and planning applications.

Unlike private companies, councils operate under a transparency framework. If something goes wrong—a data breach from improperly disposed equipment, an ICO investigation, or a complaint from a member of the public—it's public record. The reputational cost and the political consequences can be significant.

What Data Do Councils Actually Hold on IT Equipment?

The range is broader than most people realise:

If any of this ends up accessible on a hard drive sold at auction, given to a school, or dumped in a recycling centre, the ICO will investigate. And unlike a private company, the council will be answering questions from the local press, opposition councillors, and concerned residents.

The ICO's View: Accountability and Transparency

The Information Commissioner's Office has been clear in enforcement decisions involving local authorities: ignorance is not a defence, and budget constraints are not an excuse. In the Newham Council case (2018), the council was criticised for failing to maintain asset registers and allowing equipment to be disposed of without proper checks. In the Plymouth City Council case (2020), unencrypted data was found on recycled computers.

Councils are public authorities under the Freedom of Information Act 2000, which means they're subject to a higher standard of accountability than private organisations. If a member of the public submits an FOI request asking "What is your process for disposing of IT equipment containing personal data?", the council has to answer. If the answer is "We don't know" or "We use a local contractor who collects it", that's a problem.

The Practical Challenge: IT Refresh Cycles and Legacy Equipment

Local authorities have complex IT estates. There might be Windows 10 laptops for office staff, rugged tablets for housing officers doing site visits, workstations in libraries and council offices, servers in on-premises data centres, and older systems still running critical services because the replacement project has been delayed for three years.

When equipment reaches end-of-life, it doesn't always get replaced immediately. Budget approvals take time. Sometimes equipment sits in cupboards, storage rooms, or building basements for months—or years—before anyone gets round to disposing of it properly. The longer it sits, the higher the risk that it gets forgotten, mislaid, or disposed of incorrectly during an office move or building closure.

A common scenario: a council department is moving premises. There's a tight deadline, a removal company has been hired, and someone notices a stack of old PCs in a back room. The removal company offers to "take care of them." Three months later, someone buys one on eBay and finds it still has access to the council intranet.

This is not hypothetical. It's happened multiple times to different councils, and every time the ICO investigation concludes that the council failed to maintain proper oversight of its IT assets.

The WEEE Regulations: A Legal Requirement, Not Optional

Since 2014, local authorities have been legally required to dispose of waste electrical and electronic equipment (WEEE) through authorised treatment facilities. The Waste Electrical and Electronic Equipment Regulations 2013 apply to councils just as they do to businesses.

This means:

Many councils are unaware that WEEE compliance and data protection compliance are separate requirements, both of which must be met. A contractor who offers "free IT recycling" might be WEEE-compliant but offer no data destruction certification. Conversely, a data destruction specialist might shred hard drives but send the rest of the equipment to landfill, breaching WEEE regulations.

A proper ITAD provider handles both: certified data destruction and WEEE-compliant recycling in a single process, with full documentation.

Budget Constraints and Asset Recovery: Turning a Cost into Revenue

Councils are under constant pressure to reduce costs. Every department is expected to find efficiencies, and IT disposal is seen as a cost centre. But it doesn't have to be.

Working IT equipment—even if it's 4 or 5 years old—has a secondary market value. Laptops, tablets, smartphones, and monitors can be resold after secure data wiping. For a council with 2,000 staff and a four-year replacement cycle, that's 500 devices per year. Even at modest resale prices (£50-£150 per laptop depending on model), that's £25,000 to £75,000 in recovered value annually.

For equipment that's truly end-of-life, WEEE recycling generates small returns from recovered metals (copper, aluminium, precious metals from circuit boards). It's not huge, but it's better than paying a contractor to take it away.

A good ITAD provider should offer:

  1. Asset valuation: An upfront estimate of what working equipment is worth.
  2. Flexible pricing: Either a service fee offset by resale value, or a direct payment to the council for high-value equipment.
  3. Transparent reporting: A breakdown of what was resold, what was recycled, and what revenue was generated.

This turns ITAD from a cost into a revenue stream, which makes it easier to justify proper investment in secure disposal processes.

What a Compliant Council ITAD Process Looks Like

Here's what councils should be doing:

  1. Maintain an IT asset register: Every device issued should be recorded with serial numbers, asset tags, user assignments, and disposal status. When equipment is decommissioned, it's logged as "awaiting disposal" rather than just disappearing.
  2. Centralise disposal through procurement: IT disposal should go through the same governance as any other contracted service. Framework agreements (like G-Cloud or local authority frameworks) provide pre-vetted suppliers and consistent pricing.
  3. On-site collection with chain of custody: Equipment should be collected directly from council premises by the ITAD provider, with a manifest listing every device. No informal handoffs, no "we'll leave it by the loading bay."
  4. Certified data destruction: Either on-site shredding (for high-risk equipment) or secure transport to a processing facility with full traceability. Certificates of destruction should be asset-level, not batch-level.
  5. WEEE compliance and recycling: Processing through an Environment Agency-registered facility, with waste transfer notes and recycling certificates provided as standard.
  6. Annual reporting for transparency: A summary report showing how many devices were disposed of, how much value was recovered, and confirmation of compliance. This makes it easy to answer FOI requests and demonstrate accountability.
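
The asset-level traceability in steps 1, 3 and 4 can be checked mechanically by reconciling the asset register against the collection manifest and the certificates of destruction. The script below is an added example, not part of the original article or any provider's tooling; the CSV column names, status values, serial numbers and certificate IDs are all constructed for illustration.

```python
import csv
import io

# Constructed sample records; the column names are assumptions, not a standard.
REGISTER_CSV = """asset_tag,serial,status
LA-0001,SN1001,in_use
LA-0002,SN1002,awaiting_disposal
LA-0003,SN1003,awaiting_disposal
LA-0004,SN1004,awaiting_disposal
LA-0005,SN1005,disposed
LA-0006,SN1006,disposed
"""
MANIFEST_CSV = """serial,collected_on
sn1002,2026-01-12
SN1003,2026-01-12
SN1005,2025-11-03
SN9999,2026-01-12
"""
CERTIFICATES_CSV = """certificate_id,serial
COD-EXAMPLE-1,SN1002
COD-EXAMPLE-2,
COD-EXAMPLE-3,SN1005
"""

def _rows(text):
    # Parse CSV text; normalise the serial so "sn1002" matches "SN1002".
    return [{**r, "serial": (r["serial"] or "").strip().upper()}
            for r in csv.DictReader(io.StringIO(text))]

def reconcile(register_csv, manifest_csv, certificates_csv):
    """Return the gaps between register, collection manifest and certificates."""
    status = {r["serial"]: r["status"] for r in _rows(register_csv)}
    collected = {r["serial"] for r in _rows(manifest_csv)}
    certs = _rows(certificates_csv)
    certified = {c["serial"] for c in certs if c["serial"]}
    awaiting = {s for s, st in status.items() if st == "awaiting_disposal"}
    disposed = {s for s, st in status.items() if st == "disposed"}
    return {
        # Logged as awaiting disposal but never handed to the provider.
        "awaiting_not_collected": sorted(awaiting - collected),
        # Left the premises, but no certificate names this device.
        "collected_no_certificate": sorted((collected & set(status)) - certified),
        "collected_not_in_register": sorted(collected - set(status)),
        # Marked disposed without both a manifest entry and a certificate.
        "disposed_without_evidence": sorted(disposed - (collected & certified)),
        # Certificates that cover a batch rather than a named device.
        "batch_level_certificates": sorted(c["certificate_id"] for c in certs if not c["serial"]),
    }
```

Each non-empty list in the result is a device or certificate that an information governance officer would need to chase with the department or the provider before the disposal can be closed off in the register.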

Shared Services and Regional Frameworks: Making It Easier for Smaller Councils

Large unitary authorities and metropolitan boroughs typically have dedicated procurement teams and information governance officers who can manage ITAD contracts. Smaller district councils, town councils, and parish councils often don't.

This is where shared services and regional frameworks add value. Groups of councils in the same region can:

Examples of this already exist. The Hampshire ITAD framework covers multiple district councils across the county. The West Midlands Combined Authority has a shared ITAD service for member councils. These models work because they reduce complexity and cost while maintaining compliance.

The Political Angle: Public Trust and Accountability

Finally, there's the political dimension. Councils are trusted with residents' personal information. When that trust is broken—whether through a cyberattack, a data breach, or improper disposal of IT equipment—it becomes a political issue.

Opposition councillors will ask questions. The local press will run stories. Residents will lose confidence in the council's ability to handle their data securely. And if there's an ICO investigation, the enforcement notice is published on the ICO website for anyone to see.

Investing in proper ITAD isn't just about regulatory compliance. It's about demonstrating to the public that the council takes data protection seriously and handles residents' information responsibly. That's worth more than the cost of a compliance-focused disposal service.

Related: How councils procure ITAD services covers procurement thresholds, frameworks like ESPO/YPO, and winning council contracts.
