Disposable income?
Are free and ‘we-pay-you' IT asset disposal services viable?
Some of the UK's top IT asset disposal (ITAD) players have stepped forward to remind end users they are taking a massive security gamble if they choose who they entrust their old kit to purely on price.
In June 2012, Brighton and Sussex University Hospitals NHS Trust was fined a record £325,000 by the Information Commissioner's Office after hard drives containing patient data were sold on eBay by a contractor it employed to destroy them.
That breach is symptomatic of the lax attitude many display when choosing a partner to help them dispose of old IT kit, some of the sector's key protagonists argue.
Although data protection may be a hot-button issue and has prompted an outpouring of spend on network security software, end users still often view those charged with handling their e-waste as merely "the IT dustmen", according to Steve Mellings, chief operating officer of industry body ADISA.
This has allowed an industry to develop which has few perceived barriers to entry, with even those organisations that handle sensitive information - such as NHS Trusts and police forces - often making procurement decisions based on price, he said.
There are 650 ITADs in the UK, but Mellings - whose association has monitored the sector since 2010 - said less than a tenth of the near-150 whose ITAD premises he has visited offer what can be regarded as secure services.
He was keen to highlight the issue following the launch of an ITAD outfit - CashForLaptops - promising firms cash in return for old laptops, monitors, networking equipment, printers and photocopiers. It is not the only "we-pay-you" service that has grabbed headlines in recent weeks after MP Aidan Burley plugged a firm in his constituency offering a similar business model.
Mellings warned end users to be wary of guaranteed free or we-pay-you offers, counselling that such business models may force ITADs to cut corners.
"There is a vast difference between ITADs. Some are very secure and then there are others that spend £1,000 on an environmental licence, lease a lock-up, buy some CESG-approved software and then put out a website and hit the clients on the phone saying we will collect the kit for free," he said.
Factoring in the costs
The per-unit cost of collecting and disposing of an old PC could typically stand at £19, ignoring fixed overheads such as warehousing, Mellings estimated. Fuel is the main cost, but the licences for overriding the software and testing, cleaning and readying the equipment for resale must also be factored in. This may make it hard for anyone guaranteeing cashback to make money, given that they will be selling it on the notoriously volatile broker market, he added.
"No professional company should be guaranteeing free as there is no way they can cover their costs," he said.
Mellings added that end users should be asking not only if the ITAD is an ADISA member (one of the market's largest and most well-respected outfits, Computacenter-owned RDC, is not a member), but also what CESG-approved data-overriding software it uses, what security it has, what vehicles it is using and whether or not equipment is satellite-tracked to the ITAD's premises. They should also enquire as to whether or not the premises are manned 24/7 and which employees have access to which parts of the building. In addition, ISO/BSI certifications are important, he said.
Mellings stressed he was not personally attacking either CashForLaptops or PRM Green Technologies but instead seeking to expose the ignorance and naivety prevalent among end users.
"End users who are switched on ask all these questions," he said. "Then there are others who ask you if you do it for free, and you can only roll your eyes."
Jan Smith, chief executive of EOL IT Services - an ITAD firm that has been operating since 1996 - claimed the press we-pay-you outfits are currently enjoying is a setback to the progress the industry has made in recent years.
EOL IT Services is one of 27 UK ADISA members, alongside such names as SCC, Sims Lifecycle Services and Hamilton Asset Management. All subject themselves to rigorous inspections and spot checks.
"This business is not about what I can get for my old kit," Smith said. "IT directors today are aware their jobs are on the line if they do not deal with the right organisations. If anyone is suggesting this business is all about money, they are off their trollies.
"It has taken me 17 years and cost me a huge amount of money to get to where I have got as I want to be taken seriously.
"For many years, the sector really needed to grow up and professionalise - and it has, in part due to ADISA. We have noticed that local authorities are rewriting tenders.
"Fifty to 70 per cent of our scores are still based on pricing but we have started to see them ask for us to be ISO approved and we are also seeing ADISA on the list of prerequisites.
"This [kind of story] devalues what we have worked so hard to achieve."
Smith said that although EOL IT Services often ultimately returns money to the client, those switched on to the dangers would never expect a cash return as a matter of course.
Mellings was agog that some end users will spend millions on CCTV, penetration testing and security software to protect their data, only to hand over old kit containing sensitive information to a main in a van with minimal accreditations.
Under the Data Protection Act, the company data controller is responsible for that data wherever it may be, even if it has been handed to a third party, as Brighton and Sussex NHS Trust discovered to its cost.
"Protecting your network is pointless if you then give your equipment to a company without doing proper due diligence," Mellings said.
ICO's recommendations for selecting an ITAD firm
- Choose an IT asset disposal company that provides sufficient guarantees about its security measures. You should be satisfied that your service provider will treat the personal data with the same level of protection, or better, as you.
- Look for independent approval of products used in the deletion process such as CESG, the UK government's national technical authority for information assurance.
- If possible, conduct a client site assessment and audit of your chosen disposal company. Continue to audit the data processor for compliance throughout the business relationship.