When a laptop, server, or copier leaves your office, the data on it does not automatically leave with your control. Deleting files and formatting drives does not destroy data, and retired hardware is one of the most overlooked sources of business data breaches. Here is where the risk hides, and how to remove it properly.
Here is the misconception that creates most retired-hardware data breaches: people believe that deleting files, emptying the recycle bin, or formatting a drive removes the data. It does not. Those actions simply tell the operating system that the space is available to be overwritten. Until it actually is overwritten, the underlying data remains, and readily available recovery tools can bring it back.
This is why a hard drive sitting in a box of old equipment, a decommissioned server in storage, or a laptop handed to a staff member to "wipe and keep" is a live data risk. The information is still there. For a business, that information is rarely trivial: it is customer records, financial data, employee details, contracts, and credentials, all of which carry obligations under the Privacy Act.
The only ways to reliably remove data are certified data sanitisation to a recognised standard such as NIST 800-88, or physical destruction of the storage media. Anything less leaves recoverable data on equipment you no longer control. ITC performs both under an ISO/IEC 27001:2022 certified data destruction process.
Deletion leaves data: Deleting files and emptying the recycle bin only marks space as reusable. The data remains recoverable until overwritten.
Formatting is not enough: A standard format does not securely erase data. Specialist recovery tools can reconstruct files from a formatted drive.
Stored hardware is live risk: Decommissioned servers and drives in a storeroom still hold readable data and remain your responsibility under the Privacy Act.
It is not just files: Saved credentials, cached logins, and certificates on old devices can open a path back into your live systems.
Data-bearing components are in far more devices than most businesses realise. These are the retired items that most often leave an office with recoverable data still on them.
Internal HDDs and SSDs retain everything until securely sanitised or destroyed
RAID arrays and storage drives hold the most concentrated, sensitive business data
Multifunction devices have internal hard drives that store scanned and printed documents
Email, accounts, saved passwords, and app data persist after a basic reset
Routers, firewalls, and switches store configurations and network credentials
Old hard drives, SSDs, USB sticks, and backup tapes in drawers and storerooms
Point-of-sale terminals retain customer and payment-related data
Medical and lab devices increasingly contain storage holding sensitive records
A data breach from improperly disposed hardware is both a legal and a reputational event. The numbers below are drawn from named public sources.
A repeatable process turns retired hardware from a liability into a documented, compliant disposal.
Inventory all retired and stored equipment, including loose drives, old phones, and copiers. You cannot secure what you have not counted.
Flag everything with storage, not just computers. Printers, networking gear, and POS terminals all qualify. Classify by data sensitivity.
From the moment equipment is collected, it should be tracked and documented. ITC collects under an ISO/IEC 27001:2022 certified chain of custody.
Sanitise to NIST 800-88 with Blancco where the device will be reused, or physically destroy the media for high-sensitivity data. See data destruction.
A serialised Certificate of Destruction listing each device by serial number is your evidence of compliance. Recover residual value through buyback where equipment still works.
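The check at the end of this process, matching every data-bearing device in the inventory to a certificate by serial number, can be automated. The script below is an added example, not ITC's tooling: the CSV column names, the sample serials, and the policy that high-sensitivity devices need a destruction certificate rather than a wipe are assumptions made for illustration.

```python
import csv
import io

# Constructed sample data: asset register and certificate records (not real devices).
INVENTORY_CSV = """serial,device,has_storage,sensitivity,disposition
SN-1001,laptop,yes,normal,reuse
SN-1002,server,yes,high,reuse
SN-1003,copier,yes,normal,recycle
SN-1004,monitor,no,normal,recycle
SN-1005,firewall,yes,high,recycle
SN-1006,loose-ssd,yes,normal,recycle
"""
CERTIFICATES_CSV = """serial,method,date
SN-1001,wipe,2024-05-02
SN-1002,wipe,2024-05-02
SN-1005,destruction,2024-05-03
SN-1006,destruction,2024-05-03
SN-9999,destruction,2024-05-03
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(inventory, certificates):
    """Return a sorted list of (serial, finding) for every disposal gap."""
    certs = {c["serial"]: c for c in certificates}
    known = {a["serial"] for a in inventory}
    findings = []
    for asset in inventory:
        if asset["has_storage"] != "yes":
            continue  # no data-bearing component, no certificate needed
        cert = certs.get(asset["serial"])
        if cert is None:
            findings.append((asset["serial"], "no certificate on file"))
        elif asset["disposition"] == "reuse" and cert["method"] != "wipe":
            findings.append((asset["serial"], "marked for reuse but media destroyed"))
        elif asset["sensitivity"] == "high" and cert["method"] != "destruction":
            # Assumed policy: high-sensitivity media is destroyed, not wiped.
            findings.append((asset["serial"], "high sensitivity but only wiped"))
    # A certificate for a serial that was never inventoried means the count was incomplete.
    for serial in certs.keys() - known:
        findings.append((serial, "certificate for uninventoried device"))
    return sorted(findings)

if __name__ == "__main__":
    for serial, finding in reconcile(load(INVENTORY_CSV), load(CERTIFICATES_CSV)):
        print(f"{serial}: {finding}")
```

An empty result means every device with storage has matching evidence; anything listed is a device that should not leave the premises, or a gap in the inventory, until it is resolved.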
Removing the data risk does not mean destroying every device. Equipment in good condition can be securely wiped to NIST 800-88 with Blancco, keeping it functional, and then redeployed internally or sold through buyback. You still get the tamper-proof erasure certificate, and you recover value rather than paying to destroy a working asset.
Both permanently remove data. The right choice depends on whether the device will be reused and how sensitive the data is.
| Factor | Certified Data Wiping | Physical Destruction |
|---|---|---|
| Method | NIST 800-88 sanitisation with Blancco | Shredding or degaussing |
| Device after | Remains functional, can be reused | Destroyed, cannot be reused |
| Best for | Working equipment for redeployment or resale | High-sensitivity data, or failed and legacy drives |
| Value recovery | Yes, supports buyback and reuse | Material recycling only |
| Evidence | Tamper-proof erasure certificate per device | Serialised Certificate of Destruction |
ITC Asset Management handles retired IT hardware end to end across Sydney, with certified data destruction and documentation at every step.
Data Destruction: NIST 800-88 sanitisation with Blancco, plus physical destruction for high-sensitivity media. Serialised certificate for every device.
Hard Drive Shredding: Physical destruction of HDDs and SSDs, with on-site witnessed shredding available so media never leaves your site intact.
Asset Buyback: Working equipment is securely wiped and assessed for resale, returning value to your budget with data destruction included.
Common questions about data on retired IT hardware and how to remove it safely.
No. Deleting files or formatting a drive only marks the space as available to be overwritten. Until it is actually overwritten, the data remains and can be recovered with readily available tools. To reliably remove data you need certified sanitisation to a standard such as NIST 800-88, or physical destruction of the media.
Yes. Most office multifunction printers and copiers contain an internal hard drive that stores images of documents that have been scanned, printed, or copied. When these devices are retired, that drive must be sanitised or destroyed just like a computer drive, or the documents remain recoverable.
Australian Privacy Principle 11.2 requires organisations to take reasonable steps to destroy or de-identify personal information once it is no longer needed. Recycling a device does not satisfy this; the data must be destroyed first. Serious or repeated breaches can attract significant penalties under the Privacy Act, which the OAIC enforces.
If the equipment still works and you want to reuse or sell it, certified data wiping to NIST 800-88 removes the data while keeping the device functional. For high-sensitivity data, failed drives, or legacy media, physical destruction by shredding or degaussing is the safer choice. Both produce a certificate as evidence.
A serialised Certificate of Destruction that lists each device by serial number along with the destruction method and date. For wiped equipment, a tamper-proof erasure certificate is issued per device. These are your evidence of compliance for an auditor, regulator, or ESG report. ITC provides both under an ISO/IEC 27001:2022 certified process.
Yes. Working equipment can be securely wiped to NIST 800-88 and then resold through buyback, returning value to your budget. The data is destroyed first under chain of custody, so value recovery and data security are not in conflict.
From certified data destruction to responsible recycling and asset buyback, ITC handles every aspect of your e-waste and retired hardware, with serialised certificates at every stage.