If you are disposing of IT kit in the UK, what compliant actually looks like
Most organisations do not get into trouble because they are malicious. It is usually because disposal is treated as a facilities task and the evidence trail is thin when someone later asks "where did that laptop go?" or "how do you know that drive was wiped?"
This checklist is aimed at UK organisations disposing of laptops, desktops, servers, phones, drives, and networking equipment. It is also useful for ITAD suppliers who want to show buyers they run a tight process.
1) Start with the basics: define the disposal outcome per asset
Before anything leaves site, decide what you are doing with each asset:
- Reuse or resale: device continues life
- Recycling: materials recovery
- Destruction: typically storage media and high risk items
Maintain an asset register with serial or asset IDs, device type, storage type, and disposal outcome.
2) Data protection: secure disposal is not optional
The ICO expectations are practical:
- Use and document secure disposal methods such as wiping, degaussing, or shredding
- Store devices awaiting destruction securely with restricted access
- Keep a log of devices awaiting destruction and where they are held
If a device is going back into service, sanitise and verify. If media is damaged, unknown, or high risk, destruction is usually the sensible route. NCSC guidance is a strong reference point for your policy.
3) Chain of custody: the evidence buyers care about most
Chain of custody is simply whether you can show what happened to kit end to end. Good practice includes:
- Sealed containers at collection, or a documented equivalent
- Tracked movement from collection to secure storage to processing to reporting
- Batch separation so you do not mix customers
- Asset level reporting where possible
4) Waste duty of care: do not sleepwalk into it
If you produce or handle waste, including old IT equipment, you have a legal duty of care. For ITAD this usually means:
- Accurate description of the waste
- Transferring waste only to authorised persons
- Keeping the right paperwork
5) WEEE: know what it is and what it is not
WEEE is the regulatory framework around waste electrical and electronic equipment. It affects disposal routes and compliance conversations for UK organisations handling IT waste.
6) The evidence pack: what you should be able to show in an audit
Whether you are disposing of kit or providing ITAD services, you should be able to produce:
- Disposal policy with wipe and destroy rules
- Asset register and batch logs
- Chain of custody record
- Wipe or destruction reports, ideally asset level
- Waste transfer notes or consignment notes
- Supplier credentials and due diligence checks
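As an added illustration (not part of the original checklist), the script below reconciles an asset register against custody events and wipe or destruction reports and lists the evidence gaps an auditor would find. The field names, stage names and sample records are assumptions constructed for the example.

```python
from datetime import datetime
OUTCOMES = {"reuse", "recycle", "destroy"}
STAGES = ["collection", "storage", "processing"]  # custody order from section 3

def audit_register(assets, custody, reports):
    """Return {asset_id: [gaps]} for assets whose evidence trail is incomplete."""
    findings = {}
    for a in assets:
        aid, media, outcome, gaps = a["asset_id"], a.get("storage_type"), a.get("outcome"), []
        if outcome not in OUTCOMES:
            gaps.append("no disposal outcome")
        if not media:
            gaps.append("storage type not recorded")
        # Custody: every stage must be present, with timestamps in stage order.
        at = {e["stage"]: datetime.fromisoformat(e["at"])
              for e in custody if e["asset_id"] == aid}
        missing = [s for s in STAGES if s not in at]
        if missing:
            gaps.append("custody missing: " + ", ".join(missing))
        elif not at["collection"] <= at["storage"] <= at["processing"]:
            gaps.append("custody out of order")
        # Media evidence: any asset holding storage needs an asset-level report.
        if media and media != "none":
            rep = next((r for r in reports if r["asset_id"] == aid), None)
            if rep is None:
                gaps.append("no wipe or destruction report")
            elif outcome == "destroy" and rep["kind"] != "destruction":
                gaps.append("destroy outcome without destruction report")
            elif outcome == "reuse" and not rep.get("verified"):
                gaps.append("reuse without verified sanitisation")
        if gaps:
            findings[aid] = gaps
    return findings

def _trail(aid, *stages):  # helper: constructed custody events, one per day
    return [{"asset_id": aid, "stage": s, "at": f"2024-01-0{i + 1}T09:00"}
            for i, s in enumerate(stages)]

# Constructed sample records (not real assets).
ASSETS = [dict(asset_id=i, storage_type=s, outcome=o) for i, s, o in [
    ("LT-001", "ssd", "reuse"), ("SV-002", "hdd", "destroy"),
    ("PH-003", "", "recycle"), ("SW-004", "flash", "recycle")]]
CUSTODY = (_trail("LT-001", *STAGES) + _trail("SV-002", "collection", "processing")
           + _trail("PH-003", *STAGES) + _trail("SW-004", *STAGES))
REPORTS = [{"asset_id": "LT-001", "kind": "wipe", "verified": False},
           {"asset_id": "SV-002", "kind": "destruction"},
           {"asset_id": "SW-004", "kind": "wipe", "verified": True}]
for asset_id, gaps in audit_register(ASSETS, CUSTODY, REPORTS).items():
    print(asset_id, "->", "; ".join(gaps))
```

Run against a real register export before the evidence pack is handed over, so gaps are closed while the kit and paperwork can still be traced.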
Quick checklist
- Asset register updated with outcome and storage type
- Secure holding area for kit awaiting processing
- Sanitisation or destruction method defined per media type
- Chain of custody recorded end to end
- Waste transfer documentation retained
- Supplier due diligence recorded
Sources
- ICO - Disposal and deletion
- ICO - Destruction
- NCSC - Secure sanitisation and disposal of storage media
- GOV.UK - Waste duty of care code of practice
- Waste duty of care code of practice PDF
- NetRegs - Waste transfer notes
- GOV.UK - WEEE regulations
- WEEE regulations 2013 guidance notes PDF
- SEPA - WEEE disposal guidance for business PDF
Summary
A compliant ITAD process is clear on outcomes, data handling, chain of custody, and evidence. Keep your paperwork tight, link sanitisation methods to recognised guidance, and make your audit trail easy to produce.
If you can show a simple, repeatable process with the right records, you reduce risk for both the organisation and the supplier.