The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

IT disposal

Need to get rid of old computers?

IT equipment often contains personal information, so it's important to dispose of it safely.

You may want to consider:

  • Creating an asset disposal strategy
  • Risk assessing the disposal process
  • Identifying the devices containing personal data
  • Using a third party service provider
  • Selecting an IT asset disposal company
  • Drawing up a contract with the data processor
  • Managing the asset disposal process and data processors
  • Assigning an asset disposal champion

Download our IT asset disposal guidance (pdf)


Why do I need to dispose of IT equipment securely?


Serious data breaches can lead to serious financial penalties.

In June 2012 the ICO fined an NHS Trust £325,000 following a data breach affecting thousands of patients and staff after a number of unscrubbed hard drives containing sensitive personal data were sold on eBay.


1 in 10 second hand hard drives sold online contain personal data, according to a YouGov survey carried out for the ICO.


65% of UK adults give their old phone, computer or laptop to another user once they no longer need it.


"Appropriate technical and organisational measures must be taken to avoid accidental loss or destruction of, or damage to, personal data".

- Principle 7 of the Data Protection Act


When disposing of old IT equipment you should:

  • ensure that the responsibility of asset disposal is assigned to a member of its staff with a suitable level of authority;
  • complete a full inventory of all equipment that you have marked for disposal;
  • be clear about what will happen with devices when you no longer need them;
  • consider the security vulnerabilities associated with each method of disposal;
  • ensure you delete personal data before recycling devices, so that data is not accessible to others after the device has left your ownership;
  • be aware that any specialist service provider you use will be considered to be a ‘data processor’ under the DPA; and
  • have a written contract in place between you and the data processor, ensuring that there is an appropriate level of security in place.