Secure collection, data deletion and upgrading of IT equipment
Level: Core
The purpose of the requirement is to promote the reuse of equipment that the organization no longer needs.
Details
- Type: Special contract terms
- ID: 11179:1
- Group: Services for reuse and recycling of computers and monitors
Criterion text
The supplier must, no later than x (to be filled in by the procuring organization) months, provide a reuse and recycling service for collecting/taking back end-of-life equipment that includes at least the following:
- Collection
- Confidential handling, including de-identification of the equipment
- Secure data deletion (if this is not carried out internally by the contracting organisation). Secure data deletion can be done in accordance with NIST 800-88 or an equivalent standard. Physical data deletion can be done according to DIN 66399 (H5 and E5) in the event of hardware failure that makes it impossible to delete data using software
- Operational testing, servicing and upgrades
- An offer to upgrade the equipment
Upon the request of the contracting organisation, the supplier shall outline in writing how it complies with the contract term, and it shall be able to substantiate the information provided.
Verification
By submitting its tender, the supplier accepts that this special contract term shall be fulfilled at the specified time.
Proposed follow-up
Request information from the supplier relating to how the special contract term is fulfilled at the specified time, for example:
- Request a written description as outlined above.
- How does the supplier manage confidential handling and safe data management? This can be done by, for example, requesting an ISO 27001 certificate, an ISO 9001 and ISO 14001 certificate or other documentation that shows that the company manages the equipment in a secure manner.
- How is de-identification done, ensuring that all kinds of marking have been removed from the devices so that they cannot be traced back to previous users?
- How is data deletion performed? Request data destruction certificates; that is, certification showing that data on information carriers, such as hard disks and backup tapes, have been erased or destroyed. These shall have serial numbers.
- Is data deletion carried out in accordance with the standards shown in the requirement, or the equivalent? Ensure that the supplier offers to upgrade the equipment.
Version history
The version date indicates when the sustainability criterion was created or last updated. The last reviewed date indicates when we last checked that the sustainability criterion is still relevant.
- Current ID: 11179:1
- Version date: 2023-02-08