Most organisations reach the end of a technology refresh focused entirely on the next purchase. The outgoing equipment, a stack of laptops, a server rack, a drawer full of decommissioned phones, gets tagged for disposal and largely forgotten. But what happens after that hardware leaves the building matters more than most businesses realise. The risks are documented, they are escalating, and in Victoria the regulatory environment has made the consequences of getting this wrong more serious than at any point before.
The Data That Stays Behind
Deleting files does not remove data. A factory reset does not reliably clear storage. Research consistently shows that around 90% of second-hand hard drives, laptops, and memory cards still contain recoverable data when they reach the secondary market or a recycling facility. For businesses, that is not an abstract statistic. It means customer records, employee files, financial data, and intellectual property may be sitting on discarded hardware right now.
Our team sees this in practice. Equipment that arrives at our Victorian facility having already been "wiped" by an internal IT department frequently still contains data that standard recovery tools can extract within minutes. The method of disposal, and the standard to which data destruction is performed, matters far more than most organisations account for in their asset retirement plans.
Between 10% and 20% of cyber incidents in Australia are linked to the disposal phase of IT assets, a window in which access controls are relaxed and the chain of custody is broken. It is an exposure point that formal IT asset disposition (ITAD) processes are specifically designed to close.
What the Law Requires
Australia's Privacy Act and the Notifiable Data Breaches (NDB) scheme create clear obligations around how businesses handle personal information, including on the storage media they dispose of. If data is recoverable from discarded hardware and causes harm, the business that originally owned that hardware can be held accountable under the NDB scheme, regardless of whether a third party physically handled the disposal.
Victoria's Environment Protection Act 2017 adds a second layer. Electronic waste has been banned from landfill in Victoria since 2019, and enforcement has become substantially more rigorous in recent years. Infringement notices now commonly range from $1,000 to $3,000 per breach, with maximum penalties for corporations reaching $1.8 million under the Act. Poor e-waste handling therefore carries environmental and privacy compliance exposure at the same time.
What Poor Handling Actually Looks Like
Poor handling is rarely a deliberate decision. It tends to happen through process gaps: equipment stored in a back room for months with no disposal plan, IT refreshes where a supplier offers to "take care of" the old gear without any documentation, hard drives assumed destroyed without written verification, or devices ending up in a general skip when a fit-out project runs behind schedule.
Each scenario creates real exposure. Without a documented chain of custody, a business cannot demonstrate that equipment was handled correctly. Without a verifiable destruction record, meeting the NDB scheme's requirements becomes very difficult. Without proper recycling through a facility operating to AS/NZS 5377, the environmental obligation under Victoria's landfill ban remains with the original asset owner, not the recycler.
Why the Risk Profile Has Changed
The secondary market for electronic components has grown considerably. Devices that would simply have been scrapped a decade ago now have commercial value, which means they move through more hands before being finally processed. Each handover is a potential point of data exposure.
At the same time, enforcement has become more active. The Office of the Australian Information Commissioner has increased its capacity to investigate and penalise NDB breaches. Victoria's Environment Protection Authority has maintained consistent focus on illegal e-waste disposal. The likelihood of remaining undetected after a breach, whether a privacy breach or an environmental one, is lower than it used to be.
Conclusion
E-waste handled without a clear process does not disappear. It creates liability. The regulatory framework in Victoria, the requirements under the Privacy Act, and the realities of data recovery from discarded hardware mean the consequences of getting this wrong have grown materially. Understanding those consequences, before the next refresh cycle, is the most practical step a business can take.
