There are now over 800 registered IT recycling companies in the UK, the majority of which were established after the introduction of the WEEE Directive in 2007. What is of most concern is that an alarming number of these companies are not providing a bonafide service, which could leave you liable.
Legislation regarding IT recycling & disposal (WEEE Directive) is complicated enough, so to assist you in selecting a reputable IT recycling company, we have put together a number of basic questions to ask and information you should request, including some tricks of the trade to look out for.
This is a mandatory legal requirement. All IT recycling companies must possess a Waste Carrier License.
Formerly known as a Waste Management License. This is currently a contentious issue as many IT recycling companies are trading under exemption licenses thus saving considerable cost. The Environment Agency is aware of this and is reviewing the situation.
Whilst not currently a legal requirement we would strongly recommend that you choose an IT recycling company with an Environmental Permit for the added peace of mind that this brings.
IT recycling companies must provide you with both a Hazardous Waste Consignment Note and a Duty of Care Transfer Note on the day of collection. These forms have to be signed by representatives of both the customer and the disposal company.
Ask any prospective IT recycling company to forward you samples of the forms they provide. If they cannot or will not supply these forms we strongly suggest you look for an alternative company.
Although not a legal requirement, reputable IT recycling companies should provide you with an asset report providing you with a detailed breakdown of equipment collected. A useful report will include:
Can the company provide you with detailed weight reconciliations of what equipment went where and in the event that the equipment was recycled can they provide a breakdown of the raw materials that were harvested during this process? Many large IT recycling companies and organisations are focusing on carbon off-setting and this information can prove invaluable.
There have been a number of high profile cases recently where leading IT recycling companies have fallen foul of the Data Protection Act by allowing sensitive and/or privileged information to reach the public domain. In most cases this can be traced back to the IT recycling company who simply did not take appropriate measures to erase or safeguard their client's information.
The only NSCS (formerly CESG) or 'Government approved' data erase software suites are Blancco, White Canyon or Tabernus. You should receive a detailed certificate for every hard drive that is successfully erased. Ask your prospective recycling company for a sample certificate and if the data erase software is not one of the three aforementioned products then you need to look elsewhere. We use White Canyon overwriting software as it is the only software in the world to meet common criteria EAL 4+ and is approved by the likes of IBM, Cisco and Microsoft.
In terms of sensitive data your equipment is at its most vulnerable between the point of collection and return to the company, yet many IT recycling companies (including some well-known ones) continue to use 3rd party carriers to collect your equipment, although they won't always tell you this at the time. Ask your prospective recycling company to confirm their transport arrangements. Do not underestimate the importance of this element of the recycling and disposal process.
Of the 'national' IT recycling companies that claim to use their own vehicles, many will try to 'sub out' collections when the location is too far away or not cost-effective for them. We receive 2 or 3 calls per week from competitors asking if we would 'partner' with them and collect from these remote locations on their behalf. We have yet to accept any of these kind offers.
Desirables here would be satellite tracked vehicles, own staff and timed collections.
The Data Protection Act affects every company or organisation and is arguably the most important element of the recycling and disposal process. The Data Protection Act 1998 is the main piece of legislation that governs the protection of personal data in the UK. Any business holding personal data is legally obliged to comply with this Act. The Act defines eight data protection principles.
Whilst detailed information is readily available online, it is the seventh principle that is the most relevant when it comes to disposing of your redundant IT assets. In practice, it means you must implement appropriate security measures to prevent the personal data you hold being accidentally or deliberately compromised, both on and away from your premises.
The most common misconception is that IT recycling companies will assume liability for any such data breach once they have collected the equipment. Not true. The reality is that the IT recycling company only assumes responsibility once the customers equipment is booked into their facility. Even then and in the event of a data breach, who do you think would be worse off in terms of damage to brand image, a relatively unknown IT recycling company, or household name organisation? Even if the IT recycling company hold indemnity insurance (very rare and usually not worth the paper it is written on), the damage will already be done.
In summary you should choose an IT recycling company who can demonstrate a robust and secure service at allstages of the disposal process, from collection through to final recycling.
With the increasing number of high profile cases where large organisations are being fined heavily for data breaches, many companies are finally realising the importance of protecting their data and/or ensuring it is destroyed correctly. An increasing number of companies are requesting on-site media destruction for not just hard drives, but also data tapes and optical media. Although you may not need this service now, you may well in the future. Can your IT recycling and disposal partner offer this service?
Always check that your quotation includes everything. Many IT recycling companies will charge you extra for things that we think should be standard and not necessarily pointed out at the time of quotation. Some examples are as follows:
One of the tricks of the trade is to offer customers a rebate for equipment which is often expressed as a 'percentage' of fair market value. 50% or 75% is not uncommon, however 75% of not a lot is exactly that. The rebate value often turns out to be less than the customer's expectation. There is no reason why an IT recycling company cannot give you a fixed value up front, so you know exactly where you stand.
Unfortunately our industry has more than its fair share of cowboy operators. There are now over 800 registered IT recycling companies, yet less than 10% of these can genuinely provide a bonafide secure service and have the accreditations to back this up. Cost should not be your primary decision-making factor, however as the industry has become increasingly competitive you should be able to find a reputable recycling and disposal company who can still provide a cost effective-service.
Request a site visit. Again you will be amazed at the difference in set-ups. A flashy website can hide a multitude of sins. If the IT recycling company appears reluctant to offer a site visit, look elsewhere. You don't even have to visit their facility, however the fact that they are willing for you to view their operations should give you a level of comfort and peace of mind.
There are enough established and reputable IT recycling companies to enable you to make a safe and informed decision when selecting your recycling and disposal partner. Accrediting bodies such as ADISA are a good source, as any ADISA member has to pass strict criteria in terms of security and scope of service.
In addition to the usual ISO 9001 and 14001 (should be prerequisites in your decision making process), look for ISO 27001 which should be on your highly desirable list, as this relates to data management and security.
Other desirables to consider are ISO 18001 Health & Safety and also Investors in People which are further evidence of better run IT recycling companies.