When it comes to disposing of computer equipment, how can you ensure that any storage media – such as hard drives, SSDs, flash drives, and similar devices – cannot be accessed by unauthorised users or have the data recovered?

Nowadays, virtually every electronic device contains some form of storage media. The National Cyber Security Centre (NCSC) reports that even decommissioned photocopiers and printers have been found to contain gigabytes of sensitive documents that were retrievable.

The NCSC has updated and republished guidance on how to properly sanitise and dispose of storage media. Here’s a brief overview of the key points:

Sanitising storage media
The NCSC recommends that any media storing sensitive data should be sanitised before disposal. Simply pressing ‘delete’ on your computer is not sufficient.

If storage media isn’t properly sanitised, there is a risk that sensitive data could be recovered by competitors or used for malicious purposes. This applies not just to equipment being sold or disposed of, but also when reallocating devices to new users or returning them to suppliers for repair.

Before sanitising
The NCSC advises understanding what data is stored on your devices and identifying potentially sensitive items. It's also vital to have a re-use and disposal policy in place, and the NCSC offers a sample policy that can be used to help guide your process. Sanitisation requirements should also be considered when making purchasing decisions for equipment.

Is the data encrypted?
When devices have encryption options, such as BitLocker on Windows or FileVault on macOS, life becomes much simpler. These often include a 'factory reset' option that deletes the encryption keys, rendering the data unreadable. The NCSC confirms that after this process, the risk to sensitive data is minimal.

Although this doesn't guarantee that all data will be permanently inaccessible, the NCSC advises that a factory reset on an encrypted device provides a satisfactory level of assurance.

What if the data isn’t encrypted?
If the device isn’t encrypted, then overwriting the data is essential, and you must verify that the overwrite was successful. Commercial tools are available to assist with this process.
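As an added illustration (not taken from the NCSC guidance or from any commercial tool), the Python example below overwrites a target with a fixed pattern and then reads every byte back to confirm that nothing was missed. The function names and the temporary image file standing in for a drive are assumptions made for this example.

```python
import os
import tempfile

def target_size(f):
    """Size via seek, which works for regular files and block devices alike."""
    size = f.seek(0, os.SEEK_END)
    f.seek(0)
    return size

def overwrite(path, pattern=b"\x00", chunk=4096):
    """Write the one-byte pattern over every addressable byte and flush it."""
    with open(path, "r+b") as f:
        remaining = target_size(f)
        while remaining:
            n = min(remaining, chunk)
            f.write(pattern * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the writes out of the OS cache

def verify(path, pattern=b"\x00", chunk=4096):
    """Read everything back. Returns (size, bytes_checked, bad_chunk_offsets)."""
    bad, offset = [], 0
    with open(path, "rb") as f:
        size = target_size(f)
        while offset < size:
            data = f.read(chunk)
            if not data:  # short read: part of the target was never checked
                break
            if data != pattern * len(data):
                bad.append(offset)
            offset += len(data)
    return size, offset, bad

def is_sanitised(path, pattern=b"\x00"):
    """True only if every byte was read back and every chunk matched."""
    size, checked, bad = verify(path, pattern)
    return checked == size and not bad

def make_sample_image(size=3 * 4096 + 100):
    """Constructed stand-in for a drive: a temp file filled with fake records."""
    fd, path = tempfile.mkstemp(suffix=".img")
    record = b"CONSTRUCTED-SAMPLE payroll record;"
    with os.fdopen(fd, "wb") as f:
        f.write((record * (size // len(record) + 1))[:size])
    return path

if __name__ == "__main__":
    img = make_sample_image()
    print("before:", verify(img))
    overwrite(img)
    print("after: ", verify(img), "sanitised:", is_sanitised(img))
    os.remove(img)
```

A clean result only covers the addresses the operating system can read, and on a real device the read-back should be run once the OS cache has been cleared so that the data comes from the medium itself.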

In cases where sanitisation cannot be fully assured or there remains a risk that a skilled, well-funded lab could recover data, the NCSC recommends physically destroying the storage media, breaking it down into particles of 6mm or less.

For more detailed information, please refer to the full guidance.