Why Contractor Device Returns Require Special Attention

Contractors, consultants, and temporary workers are a significant part of the Australian workforce. Many organisations provide these external workers with IT equipment for the duration of their engagement, or allow them to connect their own devices to corporate systems. When the engagement ends, the devices used by contractors need to be handled with the same data security rigour as equipment from permanent employees, and in some cases, even more carefully.

Contractor device returns often fall into a gap between IT management and procurement or HR processes. The contract manager knows when the engagement is ending, but may not coordinate with IT to ensure devices are returned and sanitised. The IT team may not have full visibility of which contractors have company equipment or what data they have accessed during their engagement.

Data Risks Unique to Contractor Scenarios

Contractors frequently work across multiple clients, sometimes simultaneously. A contractor who uses a single laptop for work across several organisations creates a cross-contamination risk where data from one client could end up accessible to another. When the contractor’s engagement with your organisation ends, their device may contain your data alongside data from other clients.

Short-term contractors who rotate through the organisation on brief engagements may use devices that have been assigned to multiple contractors in sequence. If devices are not properly sanitised between assignments, each new contractor could potentially access data from previous users.

Contractors working on sensitive projects, such as system integrations, security assessments, or data migrations, may have had elevated access privileges during their engagement. The devices they used during this work may contain credentials, configuration files, network diagrams, and security documentation that pose a significant risk if not properly destroyed.

Agency workers and labour hire staff add another dimension. The staffing agency may own the device, the worker uses it at your premises, and your organisation’s data ends up on equipment controlled by a third party. The lines of responsibility for data destruction can become blurred.

Establishing a Contractor Device Management Framework

A robust contractor device management framework starts before the engagement begins. When a contractor is onboarded, the IT team should record what equipment is being issued, what systems and data the contractor will have access to, and who is responsible for equipment return at the end of the engagement.

For contractors using company-issued equipment, the same asset tracking that applies to permanent employee devices should be extended to contractor assignments. The asset register should note the device serial number, the contractor’s name, the issuing date, the expected return date, and the contract manager responsible for ensuring return.

For contractors using their own equipment (contractor-owned BYOD), the organisation should require enrolment in its mobile device management platform as a condition of network access. This provides the ability to selectively remove company data at the end of the engagement without affecting the contractor’s personal data or data from other clients.

Contractual requirement: Every contractor agreement should include clauses about IT equipment return, data handling during the engagement, and data destruction or removal at the end of the engagement. These provisions should be reviewed and agreed before the contractor receives access to any company systems or equipment.

The Return Process

Contractor device returns should be triggered automatically as part of the engagement end process. The contract manager, HR liaison, or procurement team should notify IT when a contractor’s engagement is ending, with enough lead time for IT to prepare for the device return.

On the contractor’s last day, the device should be collected by IT staff or returned to a designated collection point. The device should be checked against the asset register to confirm that the correct device, along with all issued accessories and peripherals, has been returned.

For remote contractors, the same secure shipping procedures used for remote employees should apply. Pre-paid, tracked shipping with tamper-evident packaging, initiated before the engagement formally ends, ensures the device is in transit before the contractor loses motivation to complete the return.

If a contractor fails to return equipment, the contract should include provisions for recovery, including the ability to charge the contractor or their agency for unreturned equipment. More importantly from a data security perspective, any company data accessible from the unreturned device should be secured through remote wipe, password resets, and access revocation.

Data Destruction on Returned Contractor Devices

Every device returned by a contractor should undergo full data sanitisation before being reissued to another user, whether that user is another contractor or a permanent employee. NIST SP 800-88, the guidelines for media sanitisation, should be the benchmark for sanitisation of contractor devices.

Do not assume that a contractor has deleted company data before returning the device. Even well-intentioned contractors may not understand the difference between deleting files and properly sanitising a device. The organisation should always perform its own verified sanitisation regardless of any steps the contractor claims to have taken.

For contractor-owned devices enrolled in MDM, a selective wipe should be initiated at the end of the engagement. Verify that the wipe has completed successfully before removing the device from the corporate MDM platform. If the selective wipe cannot be verified, consider whether additional steps such as password changes and access token revocation are needed to protect company data.

Devices used by contractors on sensitive projects may warrant more thorough handling. If the contractor had access to financial systems, customer databases, or security infrastructure, consider using physical destruction for the storage media rather than software-based sanitisation, particularly if the device will not be reused.

Between-Assignment Sanitisation

For organisations that maintain a pool of devices assigned to contractors on a rotating basis, sanitisation between assignments is critical. Each new contractor should receive a device that has been verified clean, with no residual data from any previous user.

A fresh operating system installation after each assignment, preceded by a full disk sanitisation, provides the cleanest starting point. Using imaging tools to deploy a standard build after each wipe ensures consistency and reduces the time needed to prepare devices for new assignments.
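As an added illustration (not code from the original article), the following Python models the asset register, the return check, the overdue list that should trigger remote wipe and access revocation, and the reissue gate that refuses a pool device until a verified NIST 800-88 sanitisation dated after its last return has been logged. Register entries, names and serials are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, List, Optional

NIST_METHODS = {"clear", "purge", "destroy"}  # NIST SP 800-88 sanitisation categories

@dataclass
class Device:
    """One asset-register row; fields follow the article's register."""
    serial: str
    contractor: str
    manager: str            # contract manager responsible for the return
    expected_return: date
    accessories: FrozenSet[str] = frozenset()
    returned: Optional[date] = None
    sanitised: Optional[date] = None   # date of the last *verified* sanitisation
    log: List[str] = field(default_factory=list)  # evidence for audits

def overdue(devices, today):
    """Unreturned devices past their expected return date. These need remote
    wipe, password resets and access revocation, not just a chase-up email."""
    return [d.serial for d in devices if d.returned is None and d.expected_return < today]

def record_return(d, on, handed_back):
    """Check the return against the register and report missing accessories."""
    d.returned = on
    missing = sorted(d.accessories - set(handed_back))
    d.log.append(f"{on} returned by {d.contractor}; missing: {missing or 'none'}")
    return missing

def record_sanitisation(d, on, method, verified):
    """Log every attempt; only a verified NIST 800-88 method counts."""
    d.log.append(f"{on} sanitisation method={method} verified={verified}")
    if verified and method in NIST_METHODS:
        d.sanitised = on

def can_reissue(d):
    """Reissue gate: back in hand, and verified sanitisation dated on or after
    the return, so nothing from the previous user survives on the device."""
    return d.returned is not None and d.sanitised is not None and d.sanitised >= d.returned

# Constructed sample register, not real assets.
REGISTER = [
    Device("SN-0001", "A. Consultant", "J. Manager", date(2024, 2, 29),
           accessories=frozenset({"charger", "dock"})),
    Device("SN-0002", "B. Consultant", "J. Manager", date(2024, 2, 28)),
]
```

A sanitisation recorded before the return date, or one that was never verified, leaves the gate closed, which is the property the rotating pool relies on.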

Documentation and Compliance

Maintaining records of contractor device returns and data destruction is important for privacy compliance and for managing the organisation’s relationship with its contractors. A log of all contractor device assignments, returns, and sanitisation activities provides evidence that the organisation takes its data protection obligations seriously and handles contractor data responsibly.

This documentation also supports internal audits and can be valuable if questions arise about how a particular contractor’s access was managed or what data they may have had access to during their engagement.