POPIA and Old Hard Drives

Old hard drives are where data incidents hide, because they leave production controls but still carry personal information, credentials, and business secrets. For a CIO, decommissioning is not a back-office task; it is a POPIA risk decision.

By the end of this article you will be able to design a defensible, auditable disposal process for HDDs, SSDs, NVMe, tapes, and end-user devices. You will also have a sign-off checklist your team can use to select sanitisation methods, manage operators, and retain evidence for auditors and incident response.

Note for South Africa:

  • POPIA applies to both private and public bodies, and it drives when you must delete, destroy, or de-identify personal information records.
  • Public bodies can also be restricted by National Archives rules, meaning you may need written disposal authority before you destroy or erase records.
  • If decommissioning uncovers a potential compromise, align your escalation path to the Information Regulator’s eServices process.

At a glance:

  • Decide whether retention is still authorised; if not, trigger destruction, deletion, or de-identification with evidence.
  • Pick a sanitisation method by media type and risk level, and document why; do not rely on format or file delete.
  • Control the operator relationship, chain of custody, and subcontractors, because POPIA security safeguards extend to vendors.
  • Ship an evidence pack with every batch: inventory, serials, method used, verification results, and certificate references.

Key takeaways:

  • POPIA is outcomes-based: you must be able to prove reasonable safeguards and a reasonable destruction decision.
  • NIST SP 800-88 is a widely used technical benchmark to structure Clear, Purge, and Destroy choices for different media.
  • Your biggest risk is process failure (missing drives, weak logging, and unclear authority), not the wipe tool brand.

What POPIA requires when you retire storage media, the non-negotiables for CIOs

Two POPIA obligations matter most at end of life: retention and destruction decisions, and security safeguards. Section 14 deals with limiting retention and, when retention is no longer authorised, destroying, deleting, or de-identifying records as soon as reasonably practicable, which is directly relevant to decommissioning plans (see POPIA Section 14 retention and destruction obligations). Section 19 requires reasonable technical and organisational measures to secure integrity and confidentiality, and that duty does not stop when assets leave the data centre (see POPIA Section 19 security safeguards).

For CIOs, the practical meaning is simple: you must be able to show you knew what was on the media, you had authority to dispose of it, you chose a reasonable sanitisation method, and you kept evidence. POPIA does not give you a single mandated wipe method, but it does require you to prevent unlawful access, loss, or damage through appropriate safeguards. That pushes you toward a policy that is risk-based, repeatable, and auditable.

If you already have ISO-aligned information security controls, treat decommissioning as part of that control set, not as procurement or facilities. If you treat it as a once-off clean-out, you will not have serial-level traceability, verification, or consistent exception handling. Those gaps are what auditors and incident responders look for.

If you’re new

  • Start with a single policy that covers servers, endpoints, and backup media, even if execution is different per platform.
  • Define who can authorise destruction, and who can physically release devices to a vendor.
  • Assume that file deletion and quick format are not defensible sanitisation for personal information on retired media.
  • Put a basic chain-of-custody log in place before you touch a single drive.

If you have done this before

  • Check whether your process covers SSD and NVMe properly; legacy overwrite scripts often fail silently on modern media.
  • Audit your exception path for failed wipes and damaged drives; this is where most leak risk sits.
  • Review operator contracts and subcontractor use, especially collections and transport across sites.
  • Test your evidence pack: can you answer which serial was destroyed, how, when, by whom, and how it was verified?

Quick comparison, matching risk to a sanitisation route

Use the table below as an early decision aid, then formalise it into your policy. It is framed using common NIST SP 800-88 language (Clear, Purge, Destroy), but you should align it to your own threat model and data classification (see NIST 800-88 media sanitization guidance).

| Scenario | Typical media | Common approach | Evidence to keep |
| --- | --- | --- | --- |
| Low sensitivity, internal reuse | Endpoints, lab drives | Clear or verified wipe | Tool logs and sample verification |
| Moderate sensitivity, external resale | Laptops, servers | Purge, often crypto erase if properly encrypted | Encryption status, key destruction, verification record |
| High sensitivity, regulated or breach history | Core systems, backups | Destroy or strong Purge plus strict custody | Serial inventory, custody log, destruction certificate reference |
| Damaged or unreadable media | Failed HDD, SSD | Physical destruction | Exception report, photos if policy allows, certificate reference |

Build a defensible decommissioning policy, roles, operator contracts, and evidence

A defensible policy is one that still makes sense when read by someone outside IT, such as internal audit, legal, or the regulator. Avoid writing it as a tool guide; write it as a control framework with minimum requirements, decision gates, and required evidence. Your policy should also link to your records retention schedule and legal hold process.

In practice, your policy should define scope, what counts as storage media, how you classify data, which sanitisation options are approved, and which conditions force destruction. It should also define how you accept media back into stock, or release it to resale, donation, recycling, or scrap. If you offer resale or buy-back options, align the policy with your asset disposal partner, for example via your corporate disposal programme (corporate IT asset disposal services).

Map responsibilities, Information Officer, IT, records management, legal, and vendors

POPIA governance tends to fail when ownership is vague. Your Information Officer and Deputy Information Officers typically own POPIA accountability, but IT owns execution and evidence, and records management owns retention logic. Legal should own legal hold triggers and any sector-specific retention constraints.

  • Information Officer: approves the control framework and operator governance, signs off exceptions that change risk.
  • IT operations: maintains inventory, executes sanitisation, captures logs, and controls physical handling.
  • Records management: confirms retention authorisation, and where required, disposal authority in the public sector.
  • Legal and risk: issues and releases legal holds, and defines breach escalation thresholds.
  • Operator or ITAD partner: executes contracted destruction and provides evidence, without breaking chain of custody.

Operator management, contract clauses, confidentiality, and audit rights for disposal partners

When you use an external operator, POPIA obligations do not disappear; they extend through your supplier controls. Your contract should cover confidentiality, secure handling, incident notification, and how subcontractors can be used. It should also give you audit rights, including the ability to inspect facilities or review process evidence.

  • Define accepted sanitisation methods and required verification, including how failures are handled and reported.
  • Require serial-level reporting, not batch-only certificates.
  • Specify how media is stored before processing, including access control and CCTV expectations where feasible.
  • Set requirements for transport, tamper-evident sealing, and handover signatures.
  • Require a clear incident process, including timelines for notifying you of suspected loss or compromise.

If you need help aligning your operator governance to your asset disposal workflow, route the question early to your internal procurement and risk teams, and if needed, use a specialist partner discussion via your support channel (contact our team).

Media types and sanitisation choices, HDD vs SSD vs NVMe vs tapes vs mobile devices

Media type drives your technical choices. HDDs, SSDs, and NVMe behave differently, and backup media adds retention and restore requirements. Your policy should prevent a single blunt rule like overwrite everything, because it can be ineffective on some media and slow on others.

  • HDD: overwriting can be appropriate in some contexts, but you still need verification and custody controls.
  • SSD and NVMe: controller behaviour and wear levelling can make naive overwrites unreliable; vendor secure erase or cryptographic erase may be more appropriate depending on configuration.
  • Tape and removable media: tapes can be hard to verify, and physical destruction is often used for higher risk cases, but retention and legal holds are common constraints.
  • Mobile devices: treat them as storage media, because messaging, MFA tokens, and cached data can be present even after a reset.

Also map the environment. In South Africa many estates are hybrid: a SAN shelf in a data centre, laptops across branches, and offsite backups. That means your custody controls must work across multi-site collections, not just a single secure room.

Wipe, secure erase, cryptographic erase, degauss, and physical destruction, when each is appropriate

NIST SP 800-88 structures choices as Clear, Purge, and Destroy, and provides guidance and verification thinking you can use in your SOPs (see Clear, Purge, Destroy definitions). Use it to justify why a given method is reasonable for a given risk. Avoid claiming a method is automatically POPIA compliant; rather, show that your method selection is risk-based and evidenced.

  • Verified wipe (Clear): suitable for lower risk reuse inside the organisation, with tool logs and sampling to prove completion.
  • Device secure erase or sanitise command: often relevant for SSD and NVMe, but it requires verification and a known-good execution method.
  • Cryptographic erase: can be strong if full-disk encryption was in place and keys are properly destroyed, but you must evidence key custody and destruction.
  • Degauss: may apply to some magnetic media, but it can render HDDs unusable and does not apply to all media types.
  • Physical destruction (Destroy): appropriate when the media is high risk, damaged, or cannot be reliably sanitised, and when you can maintain custody until destruction is complete.

Pay attention to encryption exceptions. If you assume everything is encrypted but your build standards were not consistent, cryptographic erase becomes weak in practice. Treat encryption status as a check, not a promise.

The decommissioning workflow, from identification to final disposal authority and reporting

Your workflow should be written like a repeatable production change. It starts with identification and retention checks, then moves into inventory capture, sanitisation, verification, and final disposition. Where the workflow breaks down, it is usually at the handovers: laptop collections, courier runs, and mixed batches.

  1. Identify assets: define the batch, location, owner, and business system context.
  2. Retention and legal hold check: confirm you are authorised to destroy or delete, or whether you must retain.
  3. Inventory capture: record asset tag, serial number, model family, and media type.
  4. Select method: choose sanitisation route based on classification, encryption status, and whether media is leaving the organisation.
  5. Execute sanitisation: perform wipe, secure erase, crypto erase, or destruction as per SOP.
  6. Verify: log success, do sampling, and record failures and rework actions.
  7. Final disposition: reuse, resale, recycle, or scrap, only after evidence is complete.
  8. Archive evidence: store logs and certificates for the defined retention period.

For public bodies, add a gate before destruction: written disposal authority may be required before records are destroyed or erased, even in digital form (see NARSSA disposal authority requirement). Build that approval lead time into your decommissioning calendar, because it changes how fast you can dispose of storage at scale.

Chain of custody and logging, serial numbers, handling, transport, and segregation of sanitised media

Chain of custody is where CIOs win or lose credibility. You need a single story from rack to final disposition, and it must survive staff changes. Chain of custody is also what lets you answer the question: was this specific drive ever missing?

  • Use tamper-evident seals for containers, and record seal numbers at handover points.
  • Separate unsanitised and sanitised media physically, with clear labelling and access controls.
  • Require dual control for high-risk batches, for example two signatures at release and receipt.
  • Record every custody event: who, when, where, and what changed hands.
  • Do not let couriers or facilities teams hold media overnight without a defined secure storage standard.
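The custody rules in the list above can be checked mechanically against the log. The following is an added example, not part of the original article: it walks a constructed handover log for one sealed container and flags missing dual control, unrecorded handovers, seal changes, and overnight holds. The field names, custodian names, and the `no_overnight` policy set are assumptions made for the illustration.

```python
from datetime import datetime

# Constructed custody events for one sealed container (all values are made up).
EVENTS = [
    {"time": "2024-05-02T09:00", "from": "dc-ops", "to": "courier-1",
     "seal": "S-7781", "signatures": 2},
    {"time": "2024-05-03T08:30", "from": "courier-1", "to": "itad-intake",
     "seal": "S-7781", "signatures": 2},
    {"time": "2024-05-03T14:00", "from": "itad-store", "to": "itad-shred",
     "seal": "S-7790", "signatures": 1},
]

def check_custody(events, high_risk=False, no_overnight=frozenset()):
    """Return (event_index, finding) tuples for one container's handover log.

    high_risk    -- require two signatures on every handover (dual control)
    no_overnight -- custodians with no approved secure storage standard
                    (hypothetical policy input)
    """
    findings = []
    ordered = sorted(events, key=lambda e: e["time"])
    for i, ev in enumerate(ordered):
        if high_risk and ev.get("signatures", 0) < 2:
            findings.append((i, "dual control missing"))
        if i == 0:
            continue
        prev = ordered[i - 1]
        # The party releasing the media must be the party that last received it.
        if ev["from"] != prev["to"]:
            findings.append(
                (i, f"custody gap: {prev['to']} -> {ev['from']} not recorded"))
        # A different seal number means the container was opened or swapped.
        if ev["seal"] != prev["seal"]:
            findings.append((i, f"seal changed {prev['seal']} -> {ev['seal']}"))
        held_from = datetime.fromisoformat(prev["time"])
        held_to = datetime.fromisoformat(ev["time"])
        if prev["to"] in no_overnight and held_to.date() > held_from.date():
            findings.append((i, f"{prev['to']} held media overnight"))
    return findings

if __name__ == "__main__":
    for index, problem in check_custody(EVENTS, high_risk=True,
                                        no_overnight={"courier-1"}):
        print(f"event {index}: {problem}")
```

Any finding here is a candidate for the escalation triggers in the sign-off checklist, such as a broken seal or a drive that cannot be accounted for.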

If you need a structured starting point for process documentation and controls, you can anchor it in your broader ITAD governance approach and service model (professional services).

Documentation pack CIOs should require, reports, verification, and retention of evidence

Think of the documentation pack as what you would want on day one of an investigation. It should let you reconstruct what happened without asking an engineer to remember. It should also let internal audit test the control without being blocked by tool access.

  • Batch manifest: asset tags, serial numbers, media type, classification, business owner, location.
  • Retention authority record: retention schedule reference, legal hold check outcome, approvals.
  • Sanitisation record: method used, date, operator, tool or machine identifier, and pass or fail.
  • Verification evidence: sampling rate, results, and any rework actions.
  • Chain-of-custody log: every handover event, seal numbers, transport details.
  • Certificate references: certificate of destruction or sanitisation certificate identifiers, linked back to serials where possible.

South African industry guidance often reinforces the importance of an audit trail for deletion and destruction, which supports this evidence-pack approach (see ASISA POPIA guidelines, audit trail for destruction). Keep the evidence pack retention period aligned to your risk posture and audit cycle. Do not delete the evidence faster than you would reasonably need it to defend your decision.
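An evidence pack only helps if it reconciles at serial level. The following is an added example, not part of the original article: it checks a constructed batch manifest against sanitisation records and reports every serial that should block release. The record layout, method names, and certificate identifiers are assumptions made for the illustration.

```python
from collections import defaultdict

FLASH = {"SSD", "NVMe"}  # media where the article calls naive overwrites unreliable

def rec(serial, method, result, date, certificate=None, key_destruction_ref=None):
    """Build one sanitisation record (field names are assumptions for this example)."""
    return {"serial": serial, "method": method, "result": result, "date": date,
            "certificate": certificate, "key_destruction_ref": key_destruction_ref}

# Constructed sample batch: every serial, date and certificate id is made up.
MANIFEST = [
    {"serial": "HDD-0001", "media": "HDD"},
    {"serial": "SSD-0002", "media": "SSD"},
    {"serial": "NVME-0003", "media": "NVMe"},
    {"serial": "HDD-0004", "media": "HDD"},
    {"serial": "SSD-0005", "media": "SSD"},  # no record at all
]
RECORDS = [
    rec("HDD-0001", "overwrite", "pass", "2024-05-02", "CERT-100"),
    rec("SSD-0002", "crypto_erase", "pass", "2024-05-02", "CERT-101"),  # no key evidence
    rec("NVME-0003", "sanitize_command", "fail", "2024-05-02"),  # never reworked
    rec("HDD-0004", "overwrite", "fail", "2024-05-02"),
    rec("HDD-0004", "physical_destruction", "pass", "2024-05-03", "CERT-102"),  # rework
    rec("HDD-9999", "overwrite", "pass", "2024-05-02", "CERT-103"),  # not on manifest
]

def audit_pack(manifest, records):
    """Return {serial: [findings]} for every serial that should block release."""
    by_serial = defaultdict(list)
    for r in records:
        by_serial[r["serial"]].append(r)
    findings = defaultdict(list)
    known = {item["serial"] for item in manifest}
    for serial in sorted(by_serial.keys() - known):
        findings[serial].append("record for serial not on manifest")
    for item in manifest:
        serial = item["serial"]
        history = sorted(by_serial.get(serial, []), key=lambda r: r["date"])
        if not history:
            findings[serial].append("no sanitisation record")
            continue
        final = history[-1]  # the latest attempt decides; rework supersedes a failure
        if final["result"] != "pass":
            findings[serial].append("last attempt failed, no rework recorded")
            continue
        if not final["certificate"]:
            findings[serial].append("no certificate reference")
        if final["method"] == "crypto_erase" and not final["key_destruction_ref"]:
            findings[serial].append("crypto erase without key destruction evidence")
        if final["method"] == "overwrite" and item["media"] in FLASH:
            findings[serial].append("overwrite used on flash media")
    return dict(findings)

if __name__ == "__main__":
    for serial, problems in audit_pack(MANIFEST, RECORDS).items():
        print(serial, "->", "; ".join(problems))
```

An empty result is the condition for final disposition; HDD-0004 passes because its failed wipe was followed by recorded destruction with a certificate reference.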

CIO sign-off checklist for POPIA-compliant IT disposal

Use this checklist as a practical sign-off gate before a disposal batch leaves your control. It is designed to prevent the most common control gaps: unclear retention authority, weak custody, and missing verification. Adapt it to your internal governance, but keep the structure consistent.

  1. Scope and classification: have we defined the batch, media types, and data classification assumptions?
  2. Retention and legal hold: is retention no longer authorised, and have legal and records teams cleared the batch?
  3. Disposal authority where applicable: if we are a public body, do we have written disposal authority from the relevant archives authority?
  4. Inventory completeness: are asset tags and serial numbers captured, and reconciled to CMDB or asset registers?
  5. Method selection: is the chosen sanitisation method documented per media type, with a reason that matches the risk?
  6. Encryption and keys: if using cryptographic erase, is encryption status confirmed, and is key custody and key destruction evidence defined?
  7. Operator due diligence: has the operator been approved, with contract clauses covering confidentiality, subcontractors, incidents, and audit rights?
  8. Chain of custody: are sealed containers, handover points, and secure storage defined, with named custodians?
  9. Verification plan: is there a defined verification step, including sampling and failure handling?
  10. Evidence pack: do we have a single file set that links serials to sanitisation results and certificates?
  11. Exceptions: do we have a plan for failed wipes, damaged drives, and drives that cannot be identified?
  12. Breach triggers: do staff know what events trigger escalation, for example a missing drive, broken seal, or unexpected data found?

Common failure modes and how audits and incident response teams see them

Auditors and incident responders generally do not start by asking which wipe product you used. They start by asking whether you can prove control and accountability. The failure modes below are the ones that tend to turn a disposal activity into a reportable incident.

Common mistakes:

  • Relying on file delete, quick format, or reimaging without a verified sanitisation method.
  • Using batch-only certificates that cannot be tied back to serial numbers.
  • Letting unsanitised media sit in offices, storerooms, or vehicles with no access control.
  • No defined exception process for failed wipes, damaged drives, or unidentified media.
  • Assuming encryption was enabled everywhere, with no evidence of key destruction.
  • Not controlling subcontractors, couriers, or offsite storage providers in the operator chain.

Also watch for preservation obligations. If there is a cyber incident, you may receive a lawful direction to preserve data, and destruction can then be unlawful or harmful to an investigation. Your process should include a stop mechanism, aligned to your legal hold workflow and applicable law, including the Cybercrimes Act framework (see Cybercrimes Act preservation of data direction).

If a disposal activity reveals suspected compromise, for example a missing drive or unexpected access, your incident process should route quickly to privacy, security, and legal. The operational interaction with the regulator may involve the regulator’s online services, so do not leave this as an afterthought (see Information Regulator eServices portal).

Frequently asked questions

Does formatting a drive meet POPIA requirements?

Formatting and file deletion usually remove pointers, not the underlying data, so they are hard to defend as a destruction step. POPIA expects reasonable safeguards and a reasonable destruction or deletion decision, so you should use a verified sanitisation method and keep evidence linked to the device.

Can we rely on full disk encryption and just destroy the keys?

Cryptographic erase can be a strong option when encryption was actually enabled and keys were properly managed, but you need proof. Treat encryption status and key custody as controls that must be verified per batch, and keep records showing when keys were destroyed and by whom.

What evidence should a CIO demand from an ITAD partner?

At minimum, require serial-level inventory, chain-of-custody events, sanitisation or destruction method, verification results, and certificate identifiers that map back to the serials. If the partner can only provide batch certificates with no linkage, your ability to prove compliance is limited.

How long should we keep certificates and wipe logs?

POPIA focuses on reasonableness, so align evidence retention to your audit cycle, incident response needs, and the period you might reasonably need to defend disposal decisions. Set a retention rule for the evidence pack itself, and apply it consistently.

We are a public sector body, can we destroy drives as soon as retention expires?

Not always, because public sector records disposal can require written disposal authority before records are destroyed or erased. Build that approval gate into your workflow and keep the authority document with the evidence pack for the batch.

Where to go next

If your organisation is turning this into a repeatable programme, treat it like an IT control with continuous improvement. Start small, pilot the workflow on a single asset class, then expand to servers, endpoints, and backup media. Keep your policy and evidence pack aligned to your broader technology lifecycle, including reuse and resale routes via your asset channels (sell your items process) and operational support (about our team).

Summary:

  • Run a retention and legal hold gate before any media leaves your control.
  • Select sanitisation methods by media type and risk, and document the rationale.
  • Control operators and logistics with chain of custody, not trust.
  • Keep an evidence pack that ties serials to methods, verification, and certificates.

This is educational content, not financial advice.

Dr Jan van Niekerk, Chief Executive Officer
I'm a seasoned executive leader with a deep background in Data Science and AI, and a passion for all things blockchain and crypto. I proudly hold 5 degrees to my name (Ph.D. in Computer Science (AI) and an Executive MBA) which I leverage to do things differently. I have been involved in the crypto-mining space for 15+ years, where at one point, I owned the largest individually owned crypto mining operation in Africa (bragging point). I have turned the mining operation into a commercial engine where my team and I now help people and businesses in the crypto mining space (offering a full value chain service).