As a compliance officer, IT asset disposition sits at the intersection of several regulatory frameworks you are responsible for managing. Data privacy, environmental law, industry-specific regulations, and workplace safety all converge when an organisation disposes of electronic equipment. Having a clear checklist ensures nothing falls through the cracks.
The Regulatory Landscape
IT disposal in Australia is governed by multiple overlapping regulatory frameworks. No single piece of legislation covers the full picture, which means compliance requires a coordinated approach across several domains.
The Privacy Act 1988 (Cth) is the primary legislation governing personal information. Australian Privacy Principle (APP) 11 requires organisations to take reasonable steps to destroy or de-identify personal information when it is no longer needed. This applies directly to any IT equipment that has stored personal data, which in practice means virtually every device.
The Notifiable Data Breaches (NDB) scheme requires organisations to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm. Improper IT disposal that results in data exposure triggers these obligations.
Victoria’s e-waste landfill ban, in effect since 1 July 2019 under the Environment Protection Act, prohibits the disposal of electronic waste to landfill. Other states have similar or emerging requirements. The Environment Protection Authority (EPA) enforces these rules and can issue significant penalties.
Industry-specific regulations add additional layers depending on your sector. APRA’s CPS 234 applies to financial institutions. The My Health Records Act applies to healthcare providers. The Protective Security Policy Framework (PSPF) applies to government agencies. Each imposes specific requirements around how data and equipment must be handled at end of life.
Pre-Disposal Compliance Checklist
Before any IT equipment leaves your organisation, the following compliance steps should be verified.
Data classification review. Identify the highest classification level of data that has been stored on or processed by each device. This determines the required level of data destruction. Equipment that has handled highly sensitive data may require physical destruction rather than software-based sanitisation.
Legal hold check. Confirm that none of the equipment is subject to a litigation hold, regulatory investigation, or audit requirement that prevents disposal. Disposing of equipment subject to a legal hold can result in spoliation sanctions and adverse inferences in legal proceedings.
Licence and software audit. Verify that all software licences associated with the equipment are accounted for. Some licences need to be deactivated or transferred before disposal. Failing to manage software licences properly can create compliance issues with software vendors.
Asset register reconciliation. Confirm that the equipment being disposed of matches the asset register. Every device should be accounted for by serial number, with a clear record linking the physical asset to its register entry. Discrepancies need to be investigated and resolved before disposal proceeds.
Vendor due diligence. Verify that your ITAD provider holds current certifications, carries adequate insurance, and has been through your organisation’s vendor assessment process. This due diligence should be refreshed annually, not just at the start of the relationship.
During Disposal: Chain of Custody
Maintaining an unbroken chain of custody, from the moment equipment is decommissioned to the moment data destruction is verified, is a critical compliance requirement. Any gap in the chain is a period during which the equipment, and the data on it, is unaccounted for.
Your chain of custody should document when each device was removed from service and by whom, where it was stored between decommissioning and collection, who collected the equipment and when, how it was transported (including vehicle details and security measures), when it arrived at the processing facility, and when and how data destruction was performed and verified.
Each handoff point should be documented with signatures, timestamps, and serial number verification. Electronic chain of custody systems are preferable to paper-based ones because they are harder to falsify and easier to audit.
Data Destruction Compliance
Data destruction is the compliance area with the highest risk exposure. Your requirements should specify the destruction standard to be applied. NIST Special Publication 800-88, Guidelines for Media Sanitization, is the most widely accepted framework and defines three levels of sanitisation: Clear, Purge, and Destroy. The appropriate level depends on the sensitivity of the data and whether the media will be reused.
For each device, you need a certificate of destruction that records the device serial number and asset tag, the destruction method used, the date and time of destruction, the name and credentials of the person who performed the destruction, the verification method and result, and the standard against which the destruction was performed.
Verification is critical. For software-based sanitisation, verification involves reading back the sanitised media to confirm all data has been overwritten. For physical destruction, verification involves confirming the media has been rendered physically unrecoverable. Note that for flash-based media (SSDs, USB drives, mobile devices), NIST 800-88 cautions that a conventional overwrite may not reach every storage location, so Purge techniques such as cryptographic erase or the drive's built-in sanitize command, or physical destruction, are the appropriate choice where sensitive data is involved. Your compliance program should specify verification requirements and how verification evidence is documented.
Environmental Compliance
Under Victoria’s e-waste landfill ban, all electronic waste must be directed to licensed recyclers. Your compliance requirements should specify that no electronic waste is sent to landfill, that all recycling is performed by appropriately licensed operators, that hazardous materials (batteries, CRT glass, mercury-containing components) are handled in accordance with dangerous goods regulations, and that you receive environmental compliance documentation showing how materials were processed.
Request downstream recycling reports from your ITAD provider that detail where different material streams went for processing. This transparency helps you demonstrate compliance and also supports environmental reporting requirements.
Post-Disposal Documentation
After disposal is complete, compile and retain a comprehensive documentation package for each disposal event. This should include the collection manifest listing all equipment by serial number, certificates of data destruction for every device, chain of custody records covering the full journey, environmental compliance certificates, weight-based recycling reports, and any value recovery documentation.
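The documentation package described above, together with the asset register reconciliation, legal hold check and chain-of-custody records from the earlier sections, lends itself to an automated completeness check before the package is filed. The following script is an added example, not code from the original article or from any ITAD provider: it reconciles a constructed asset register against a collection manifest, checks each certificate of destruction against an assumed classification-to-sanitisation-level policy (the article says the level depends on sensitivity and reuse but prescribes no table), and walks each device's custody events to find handoffs that were never signed for. The class names, field names and sample serial numbers are all invented for the example.

```python
"""Audit a disposal documentation package: asset register against collection manifest,
certificates of destruction, and chain-of-custody continuity. Sample data is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

LEVEL_RANK = {"clear": 1, "purge": 2, "destroy": 3}  # NIST SP 800-88 levels, weakest first
# Assumed policy mapping; the article only says the level depends on sensitivity and reuse.
REQUIRED_LEVEL = {"public": "clear", "internal": "clear",
                  "confidential": "purge", "highly_sensitive": "destroy"}

@dataclass(frozen=True)
class Asset:
    serial: str
    classification: str
    legal_hold: bool = False

@dataclass(frozen=True)
class Certificate:
    serial: str
    method: str            # e.g. "shred", "crypto erase", "overwrite"
    level: str             # clear / purge / destroy
    performed_at: datetime
    verified: bool         # read-back or physical inspection recorded

@dataclass(frozen=True)
class CustodyEvent:
    serial: str
    action: str            # "release" (handed over) or "receive" (signed for)
    party: str
    at: datetime

def custody_gaps(events: list[CustodyEvent]) -> list[str]:
    """A sound chain alternates release -> receive -> ... and ends on a receive, so
    the device is always in a named party's custody, never merely 'in transit'."""
    gaps, holder, expect = [], None, "release"
    for ev in sorted(events, key=lambda e: e.at):
        if ev.action != expect:
            gaps.append(f"{ev.serial}: unexpected {ev.action} by {ev.party} at {ev.at:%H:%M} (expected {expect})")
            continue
        if ev.action == "release":
            if holder and ev.party != holder:
                gaps.append(f"{ev.serial}: released by {ev.party}, last signed for by {holder}")
            expect = "receive"
        else:
            holder, expect = ev.party, "release"
    if expect == "receive":
        gaps.append(f"{events[0].serial}: released but never received")
    return gaps

def audit_package(register_batch: list[Asset], manifest: list[str],
                  certificates: list[Certificate], custody: list[CustodyEvent]) -> list[str]:
    """One finding per compliance exception; an empty list means the package is complete."""
    findings: list[str] = []
    assets = {a.serial: a for a in register_batch}
    certs = {c.serial: c for c in certificates}
    chains: dict[str, list[CustodyEvent]] = {}
    for ev in custody:
        chains.setdefault(ev.serial, []).append(ev)
    for serial in manifest:
        asset, cert, chain = assets.get(serial), certs.get(serial), chains.get(serial, [])
        if asset is None:
            findings.append(f"{serial}: on collection manifest but not in asset register")
            continue
        if asset.legal_hold:
            findings.append(f"{serial}: subject to legal hold, disposal must not proceed")
        if cert is None:
            findings.append(f"{serial}: no certificate of destruction")
        else:
            required = REQUIRED_LEVEL[asset.classification]
            if LEVEL_RANK.get(cert.level, 0) < LEVEL_RANK[required]:
                findings.append(f"{serial}: {cert.level} below required {required} for {asset.classification} data")
            if not cert.verified:
                findings.append(f"{serial}: destruction not verified")
        if not chain:
            findings.append(f"{serial}: no chain of custody records")
        else:
            findings.extend(custody_gaps(chain))
            if cert and cert.performed_at < max(e.at for e in chain):
                findings.append(f"{serial}: destruction recorded before final custody handoff")
    findings += [f"{a.serial}: in register disposal batch but missing from manifest"
                 for a in register_batch if a.serial not in manifest]
    return findings

# Constructed sample package: one clean device, one with a weak sanitisation level and a
# custody gap, one on legal hold with unverified destruction, and two register mismatches.
T = datetime.fromisoformat
REGISTER = [Asset("SN-1001", "highly_sensitive"), Asset("SN-1002", "confidential"),
            Asset("SN-1003", "internal", legal_hold=True), Asset("SN-1004", "internal")]
MANIFEST = ["SN-1001", "SN-1002", "SN-1003", "SN-9999"]
CERTS = [Certificate("SN-1001", "shred", "destroy", T("2024-03-05T10:00"), True),
         Certificate("SN-1002", "overwrite", "clear", T("2024-03-05T10:05"), True),
         Certificate("SN-1003", "crypto erase", "purge", T("2024-03-05T10:10"), False)]
HANDOFFS = [("release", "IT Ops", "09:00"), ("receive", "Courier", "09:05"),
            ("release", "Courier", "13:00"), ("receive", "ITAD", "13:10")]  # a complete chain
CUSTODY = [CustodyEvent(s, a, p, T(f"2024-03-04T{t}")) for s in ("SN-1001", "SN-1003")
           for a, p, t in HANDOFFS]
CUSTODY += [CustodyEvent("SN-1002", a, p, T(f"2024-03-04T{t}")) for a, p, t in HANDOFFS
            if not (a == "receive" and p == "Courier")]  # courier never signed for SN-1002

def audit_sample() -> list[str]:
    return audit_package(REGISTER, MANIFEST, CERTS, CUSTODY)
```

Running `audit_sample()` on the constructed data yields six findings: SN-1002's Clear-level overwrite falls short of the Purge level the assumed policy requires for confidential data and its courier handoff was never signed for; SN-1003 is on legal hold and its certificate records no verification; SN-9999 appears on the manifest without a register entry; and SN-1004 is in the register batch but never made it onto the manifest. SN-1001 produces nothing, which is what a complete package looks like. In practice the inputs would be parsed from the provider's manifest, certificate export and electronic custody log rather than embedded as constants, but the checks are the same ones an auditor would perform by hand.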
Retain these records for a minimum of seven years. Some industry-specific regulations may require longer retention. Store the records securely and ensure they are accessible for audits, regulatory enquiries, or legal proceedings.
Ongoing Compliance Monitoring
Compliance is not a one-time activity. Establish a regular monitoring program that includes annual review of your ITAD policies and procedures against current regulatory requirements, annual audit of your ITAD provider’s facilities and processes, quarterly review of compliance documentation for completeness and accuracy, incident reporting and investigation procedures for any compliance exceptions, and regular training for staff involved in the disposal process.
