The ICT Asset Recovery Standard 8.0 exists in three different versions for the UK, the European Union (EU), and the Rest of the World (ROW). In this article, the UK version of the standard is used as the reference point. The standard applies to data processors or sub-processors in the UK involved in processing the personal data of individuals in the UK. It covers the data sanitisation of devices at the end of the rental period, at end of life, at end-of-lease maintenance, or as part of recovery services, provided that the IT assets will not be returned to the data controller. Activities such as repairing IT assets at service centres without sanitising them, or reselling new IT assets, are out of the scope of this standard.
There are two parts to this standard:
Part 1: Introduction and Explanatory Notes
This part defines the purpose and scope of the standard and explains the auditing process for applicant ITAD companies. The standard aims to establish a framework for the secure data disposal of ICT assets, in order to mitigate the risks to the personal data of data subjects. It also ensures that ITADs (data processors and sub-processors) align with data protection requirements, manage e-waste responsibly, and follow best operational practices.
The certification process is comprehensive and involves a detailed assessment to ensure that ITAD companies align with the standard's purpose. The company is assessed against several criteria, ranging from credit score and incident and breach management to data transfer and risk assessment.
ADISA Audits for Certification:
ITAD companies have to undergo a preliminary audit in order to become ADISA-certified members. After passing this first audit, they have to undergo two surveillance audits per year on an ongoing basis. These audits are unannounced. If a new applicant ITAD or an existing certified ADISA member does not fulfil the compliance requirements within six months, ADISA conducts a review regarding the revocation of its certification.
An ITAD is allowed to refuse a surveillance audit only once, after which ADISA can return as early as 24 hours later. To refuse a surveillance audit for a second time, the ITAD company needs evidence-supported reasons; otherwise, its audit is classified as a ‘fail’ and it has to follow the non-conformance process. Failure to meet the criteria, or to resolve issues identified during audits, can result in revocation of the ADISA certification.
The surveillance audits are of three types:
- Data Capability Audit: The auditor assesses the data capability statement and the sanitisation tools used by the ADISA member for performing data destruction. The aperture of the shredders and the outputs of the degaussers are checked. Forensic tools are run onsite against a range of processed media or products to attempt to recover data from them.
- Process Audit: The auditor checks contamination and segregation by assessing the entire process control. Before leaving, the auditor requests a sample of 10 or more devices together with their paperwork.
- Security Audit: The auditor attempts to physically enter or otherwise gain access to the facility by improper means. Once the auditor is identified, the security features of the site, such as CCTV, are assessed in order to analyse the effectiveness of the security system.
Part 2: Criteria for Becoming an ADISA-Certified ITAD Company
Unlike the first part, which explains the scope, information governance, surveillance audits, and related subjects, the second part gives detailed information on the criteria against which an applicant ITAD company is assessed for becoming an ADISA-certified ITAD provider. These criteria are defined across four sections:
- Section 1, Business Credentials: The objective of this section, which runs through modules 1-6, is to guide the data controller or data processor in evaluating the suitability of the data processor or data sub-processor. The critical assessment aspects covered include financial screening, insurance held, screening of staff, confirmation of licences, continuity of business, and health & safety standards.
- Section 2, Compliance with UK GDPR and UK Data Protection Act 2018: This section comprises 10 modules. It assesses the major aspects of complying with the UK GDPR and the UK DPA, such as records of processing activities, limiting data transfers, transparency and accuracy of claims, appointing a Data Protection Officer (DPO), incident and data breach management, etc. Chapter 4 of the UK DPA 2018 and of the UK GDPR sets out the detailed compliance requirements.
- Section 3, Risk Management: This section spans five modules that explore the risks that can arise during the IT asset recovery process and the measures to prevent them. Module 4, Data Sanitisation, is a critical element of this section and will be explained in detail later in the article.
Generally, an IT asset recovery company's business involves physically transferring assets that contain data-bearing media from the customer's premises to data sanitisation facilities where the data wiping takes place. The movement of these assets and the data sanitisation process are critical for meeting data protection regulations and security protocols. The core principles of this section cover the identification of the Data Impact Assurance Level (DIAL*), the capability of the processing facility, logistics, onsite services, and data sanitisation.
* The DIAL is determined by the data controller and derived from its own perspective on five variables: risk appetite, threat, volume of data, category of data, and the impact on it of a data breach.
- Section 4, Non-Data Service: This section outlines two modules addressing additional services offered by ITADs after data processing and sanitisation, such as recycling of product material, resale of wiped equipment, and waste management. The core principles here include compliance with waste management legislation and promotion of product reuse.
Certification Criteria & Data Impact Assurance Levels
Each of the above sections contains modules that focus on specific areas relevant to that section. The evaluation criteria are classified into two categories, as set out on page 22 of Part 1:
- Essential (mandatory; minimum service specifications)
- Highly Desirable (optional; more than the basic requirement)
Data Impact Assurance Level (DIAL)
The DIAL framework (Levels 1, 2, and 3) helps evaluate whether the applicant's ITAD services align with the security and data impact needs of its clients.
- The DIAL 1 criteria are mandatory for certification.
- Meeting DIAL 2 and 3 requirements allows applicants to achieve higher DIAL ratings and cater to clients with advanced security needs.
To obtain a specific DIAL rating, all criteria within the level must be fulfilled by the applicant ITAD.
To become ADISA certified, an ITAD applicant must pass ADISA’s full audit, which then results in one of the following:
- Pass with Distinction: Meets all the essential criteria and all DIAL requirements (score of 90% or above).
- Pass with Merit: Meets all the essential criteria and the DIAL 1 and DIAL 2 requirements (score of 75%-89%).
- Pass: Meets all the essential criteria and the DIAL 1 requirements (score of 60%-74%).
- Fail: If the company does not pass the audit, the specific requirements that were not met will be outlined in the audit report. The company will then follow the audit non-conformance process according to Section 9.0 of the ADISA Standard 8.0 Scheme Manual.
To pass the audit, the applicant must meet all essential criteria and the DIAL 1 requirements.
Conclusion
The ADISA ICT Asset Recovery Standard 8.0 is crucial for ITAD companies striving to meet industry-leading data security standards, maintain trust with clients, and contribute to safe data handling. It helps ITADs align their operations with environmentally responsible processes in the asset recovery sector. Additionally, the standard recognises companies that exceed the required criteria by awarding them higher DIAL ratings, further emphasising their commitment to excellence in data security and sustainability.