Data-Containing eWaste Prep
Phones, routers, and printers often leave your building with more data on them than a laptop, because they are treated like appliances, not endpoints. In South Africa, that creates a practical security risk and a POPIA audit risk when e-waste collection day arrives.
By the end of this article you will have a repeatable sanitisation process, plus device-specific minimum steps for iPhone, Android, common router types, and printers or MFPs. You will also know what evidence to keep, what to hand to the recycler, and what to do when a device cannot be powered on.
Note for South Africa:
- POPIA expects you to dispose of personal information safely when you are no longer authorised to keep it, and disposal should prevent reconstruction in an intelligible form.
- Branch offices and small IT teams are common, so the process must be simple, role-based, and auditable, not dependent on one specialist.
- Refurbishers and recyclers may ask for proof, so plan chain of custody and a certificate of sanitisation approach before pickup day.
At a glance:
- Start with an inventory and risk tier, then pick Clear, Purge, or Destroy levels per device and data type.
- For phones, remove account locks (Activation Lock, FRP) before wiping, or you will create disputes and delays at handover.
- For routers, do not assume a button reset removes stored credentials, keys, certificates, or cloud management links.
- For printers and MFPs, identify whether there is internal storage, then use built-in secure erase features where available and plan downtime.
Key takeaways:
- Sanitisation is a program, not a one-off factory reset.
- Verification and records matter as much as the wipe itself.
- When you cannot wipe, you need an escalation path to physical destruction or controlled component removal.
Why e-waste is a data risk, and what POPIA expects (plain-English summary)
Data-bearing e-waste is not only laptops and servers. Modern phones retain app data and authentication tokens, routers retain VPN credentials and admin passwords, and printers retain address books, scan-to-email settings, and sometimes job images on internal storage.
From a POPIA point of view, the practical requirement is that once you are no longer authorised to keep personal information, you must dispose of it in a way that prevents it being reconstructed in an intelligible form. This is why IT disposal needs a defensible method, not a casual reset, and why you should align disposal timing with your internal retention rules.
Use POPIA Section 14 as the anchor for your policy language, then translate it into controls that your team can execute consistently. When auditors ask, you want to show what you did, who did it, when it happened, and what evidence confirms the device did not leave with readable data.
Helpful reference points for terminology and assurance come from sanitisation guidance such as NIST SP 800-88, which frames sanitisation decisions and validation as an organisational program rather than an ad hoc action. Even if you do not copy NIST language into policy, it helps you explain why some devices need stronger handling than others.
| Device scenario | Typical data risk | Minimum control | When to escalate |
|---|---|---|---|
| Employee phone | Accounts, tokens, messages | Remove locks, wipe, verify setup screen | Device is lost, locked, or cannot boot |
| SMB router | Admin creds, WiFi keys | Factory reset plus check cloud links | Stored certs, VPN keys, logs present |
| Enterprise router | Keys, certificates, config archives | Secure erase option where supported | Regulated data, high assurance needed |
| Printer or MFP | Address book, scan logs, job cache | Run secure erase feature if available | Internal drive present, cannot run erase |
Build a repeatable device sanitisation process (policy, roles, tools, records)
A repeatable process is what turns good intentions into safe outcomes. You need a small set of rules that apply to all devices, and then model-specific steps that sit underneath those rules.
Keep the policy short and operational. Define who can approve disposal, who can wipe, who can verify, and who signs off chain of custody. If you use a third party for IT asset disposal, align their paperwork to your internal controls, and consider using a service designed for this, for example corporate IT asset disposal.
If you’re new
- Start with a pilot, one branch, one device type, one recycler, and learn the failure points.
- Do not mix wiping and packing roles on the same day, separate duties reduces missed steps.
- Assume device menus differ by model and firmware, build a short per-model cheat sheet as you go.
- Create a single shared folder for evidence, and define who can access it.
- Set a simple rule for exceptions, if it cannot be verified, it cannot leave.
If you have done X before
- Review your last disposal batch for disputes, iCloud locks, FRP locks, missing chargers, or missing serials, then update the checklist.
- Add a risk tiering step, not all devices should get the same sanitisation strength.
- Check whether printers were included last time, they are often missed.
- Validate your records retention, keep evidence long enough to meet your audit needs, but do not keep it forever without purpose.
- Confirm your recycler’s chain of custody and documentation, and test it with a small pickup first.
In practice, most teams implement three tiers. Tier 1 is low-risk, standard clear and reset steps. Tier 2 is elevated risk, stronger purge steps where supported. Tier 3 is destroy, for devices that cannot be wiped, or where policy requires physical destruction.
Tools and artefacts to standardise include asset tags, tamper-evident bags, a camera for serial photos, and a simple chain-of-custody form. Where the device supports it, capture a screenshot or log entry showing a wipe completed, but avoid capturing personal data in the evidence itself.
Common mistakes
- Relying on a basic factory reset without removing account locks first, then the device is unusable for refurb or testing.
- Forgetting to remove devices from MDM, cloud dashboards, or VPN controllers, which can leak metadata or allow re-enrolment.
- Not checking printers for internal storage, then sending a data-bearing device out as ordinary e-waste.
- Mixing wiped and not-yet-wiped devices in the same box, which breaks chain of custody.
- Keeping no evidence beyond an email, then you cannot prove what happened later.
Phones (iPhone and Android), the minimum safe prep steps before recycling
Phones are deceptively complex because of account protections. The data wipe can be technically sound, but the device can still be linked to a personal account, which creates operational disputes at handover and increases the chance that someone tries to bypass controls.
For managed fleets, align the steps with your MDM process. If you are not sure whether the device is managed, treat it as managed until proven otherwise, and check your device management console before you wipe.
- Inventory the device, record serial or IMEI, and link it to a user and a ticket.
- Back up business data you are allowed to keep, then remove work profiles or enterprise containers as per policy.
- Remove the device from MDM or management where applicable, and confirm it is not assigned to a user anymore.
- Remove SIM cards and label them for return to the business, and handle eSIM per vendor prompts.
- Perform the erase, then verify the out-of-box setup screen appears.
iPhone and iPad, sign out, disable Activation Lock, erase, verify
For Apple devices, the practical goal is to ensure Activation Lock is removed, and the device is erased before it leaves your custody. Apple’s own checklist is a good baseline because it aligns the user-facing steps with the security feature behaviour, including the prompt around eSIM profiles on supported devices, see Apple steps before selling or recycling an iPhone.
In an IT-managed environment, a remote wipe may be appropriate, but you still need to confirm the wipe actually executed. Apple’s deployment guidance covers common erase paths used by IT teams, including MDM-driven actions, see remote wipe via MDM for Apple devices.
- Confirm you can authenticate if the device prompts for an Apple ID during sign-out, do not start the process if you cannot complete it.
- Sign out of the Apple ID used on the device, and ensure Find My is not keeping the device linked.
- Run the built-in erase function, and choose the option that removes the device content, and where prompted, also remove the eSIM profile if that aligns with your telecom process.
- After erase, verify the setup assistant appears and that the device is not requesting the previous owner’s Apple ID.
- Record evidence, a photo of the setup screen plus serial label photo is often enough for internal audit without exposing personal data.
Android, remove accounts to avoid FRP, factory reset, SIM and SD handling
On Android, the common failure mode is Factory Reset Protection, where a device reset still requires the previous Google account to be entered during setup. The operational goal is to remove account ties and work profiles before wiping, then verify the device can be set up without the previous user’s credentials.
- Remove or sign out of Google accounts associated with the device, and remove any work profile or enterprise management as per your MDM process.
- Remove SIM cards and any microSD card, then treat the microSD as separate removable media with its own sanitisation step.
- Perform a factory reset from the device settings when possible, then confirm the device returns to the initial setup flow.
- After reset, verify you are not being asked for the previous account during setup, if you are, stop and escalate before the device leaves custody.
- Record who performed the steps, date, and verification outcome.
Where a phone cannot be accessed, for example forgotten PIN and no MDM control, treat it as an exception. Your policy should define when you choose refurbishment, when you choose recycler-led destruction, and when you choose in-house physical destruction under controlled conditions.
Routers and network gear, wiping configs, credentials, and cloud management
Routers and related network devices are often decommissioned when branches change ISP, upgrade WiFi, or close down. That makes them frequent e-waste items, and they can retain sensitive configuration such as VPN keys, admin credentials, certificates, and logs.
The key decision is whether a basic factory reset is enough for the device and the data it holds. For some enterprise platforms, vendors document a secure reset option that aims to clear persistent storage more thoroughly than a standard reset, which is closer to a purge style approach.
- Before wiping, export any configuration you are allowed to retain, store it securely, and control access.
- Remove device entries from cloud management portals, controller platforms, monitoring tools, and password vaults.
- Identify whether the device stores certificates, VPN keys, or user databases locally, if yes, plan a stronger sanitisation step.
- Perform the reset or erase, then verify the device boots to a default state with no startup configuration.
- Label the device as sanitised, seal it, and keep it separate from devices awaiting wipe.
SMB routers vs enterprise routers, factory reset, config erase, and what to check
On SMB routers, the most common mistake is resetting but forgetting cloud management links or remote admin exposure that can persist through user error, not device behaviour. Treat the reset as one step, then validate that the router no longer has your organisation’s SSID, admin password, or WAN settings, and that it is not still registered to a cloud dashboard.
For Cisco IOS-style decommissioning, vendor documentation typically focuses on erasing startup configuration and reloading without saving. Use the vendor procedure as your baseline for that platform, see Cisco factory default reset procedure.
Some platforms document a secure factory reset mode that aims to clear more persistent storage in line with NIST Clear and Purge concepts. If your router supports a secure wipe command, use it when your risk tier requires it, and plan for the time and irreversibility, see factory-reset all secure and NIST purge clear.
- Check for removable storage, USB sticks, or LTE modules that may store logs or profiles.
- Clear locally stored certificates and keys where the platform allows, or choose a secure erase option if available.
- Verify no config archives remain on flash, and that no startup-config is present after reboot.
- Confirm the device is removed from your inventory, monitoring, and any cloud or controller system.
Printers and MFPs, the hidden hard drives, address books, logs, and secure erase
Printers and MFPs are among the most overlooked data-containing assets in branch offices. They can store address books, scan destinations, authentication settings, and in some designs they store job data on internal storage.
Your first task is not wiping, it is discovery. For each model, confirm whether it has an internal HDD, SSD, or only volatile memory, and what sanitisation features exist in the admin menus or management tools. Do not generalise across brands or even across model lines.
- Inventory printer and MFP models, and note which sites they are at and who can administer them.
- Back up only the settings you are authorised to keep, such as address book exports for migration, and store them securely.
- Remove credentials and network configuration, including scan-to-email accounts and SMB shares.
- Run the vendor secure erase features where available, and do not interrupt the process once started.
- After sanitisation, validate the device has been reset to default and does not retain your organisation’s address book or destinations.
Xerox, Ricoh, HP examples, disk overwrite, erase all memory, secure file erase
Xerox documents disk overwrite features for certain printer families, including immediate or scheduled overwrite, and notes operational impacts such as devices going offline and the process not being cancellable. Use this kind of vendor guidance to plan downtime and avoid someone power-cycling a device mid-wipe, see Xerox disk overwrite feature for printers.
Ricoh documents an Erase All Memory function that can remove items like address book data and network settings, and warns against interrupting the process. This is a good example of why your checklist needs a verification step and a warning about downtime and power stability, see Ricoh Erase All Memory steps.
HP documents secure file erase and disk wipe options, and notes that more secure modes may take significantly longer and can be managed through tools such as the Embedded Web Server or management software. The practical point is to schedule the wipe, and to choose a level that matches your risk tier, see HP secure file erase and disk wipe.
- Before running erase, ensure the printer is on stable power, if load shedding is a concern, schedule within a protected window or on a UPS.
- Confirm which features are enabled, job retention, scan storage, fax storage where relevant, and clear those stores explicitly.
- After erase, re-check address book entries and scan destinations, they should be empty or default.
- If the device has removable storage, remove it and treat it as separate media for sanitisation.
If you are upgrading or buying replacements, plan secure disposal as part of the project, not as an afterthought. That is also a good time to source the right accessories, cables, labels, or secure storage items from your internal supplier list, or from a trusted store such as our shop, then align the handover schedule with IT availability.
Device Recycling Data-Removal Checklist (one-page)
Use this checklist as a one-page operational control. Print it, or turn it into a ticket template, but keep the fields consistent so you can report on compliance.
1) Pre-wipe (inventory, risk, backups, management removal)
- Inventory: Record device type, make, model, serial, and site, take a photo of the serial label.
- Risk tier: Mark Tier 1, Tier 2, or Tier 3 based on data type and business impact.
- Backups: Back up only what you are authorised to retain, store securely, and log location.
- Remove from management: Remove from MDM, monitoring, cloud dashboards, and asset registers as appropriate.
- Collect accessories: SIM, SD cards, USB sticks, paper trays with stored items, and label separately.
- Assign roles: Wiper name, verifier name, and planned handover date.
2) Wipe steps by device type (and verification)
- Apple phones and tablets: Confirm Activation Lock removed, erase using built-in function, verify setup screen, evidence captured.
- Android phones: Remove Google accounts and work profiles to avoid FRP, factory reset, verify setup without prior account, handle SIM and SD separately.
- Routers: Erase startup configuration and reload, or use secure erase option where supported, verify default state, remove from cloud management.
- Printers and MFPs: Identify internal storage, run vendor secure erase, clear address book and destinations, verify defaults restored.
- Verification tick-box: Wipe completed, verification completed, evidence stored, exceptions logged.
3) Handover (bagging, sealing, chain of custody, documentation)
- Bag and seal: Place sanitised devices in tamper-evident bags or sealed boxes, label as sanitised with date and verifier.
- Segregate: Keep sanitised and unsanitised items physically separate at all times.
- Chain of custody form: Record pickup time, driver details, recycler details, seal numbers, and item count.
- Recycler documentation: Request a certificate of sanitisation or destruction appropriate for your audit needs.
- Retention: Store records for your defined internal retention period and align it with POPIA retention and disposal principles.
If you want help designing a branch-friendly process, including labelling, packing, airflow planning for secure storage rooms, or just to sanity-check your workflow, use our contact page to reach the team.
Handover to recycler, chain of custody, proof of sanitisation, and what not to do
Handover is where good technical work can be undone. The moment devices leave your custody, your ability to correct a missed step drops sharply, and your risk becomes a documentation problem as much as a technical one.
Ask your recycler or refurbisher upfront what they need. Some will reject devices that are iCloud-locked or FRP-locked because they cannot validate them, and some will not accept certain assets without a clear sign-off trail.
- Use a pickup appointment window when IT staff can be present, do not rely on reception handover.
- Seal boxes and record seal numbers on a chain-of-custody form.
- Do not include printed passwords, network diagrams, or spare keys in the same boxes as devices.
- Do not assume the recycler will wipe for you, treat recycler wiping as a second line of defence, not your primary control.
- For exceptions, document why the device could not be wiped and which destruction route was chosen.
For compliance language, tie your process back to your POPIA retention and disposal requirement, and keep the reference in your policy. A readable reference for the retention and destruction requirement is available via POPIA Section 14 retention and destruction requirement, then align your internal procedure to what you can actually execute.
For best-practice sanitisation program concepts and validation, NIST SP 800-88 is a commonly cited reference point. You can use it as a framework for your tiers and evidence approach, see NIST SP 800-88 media sanitization guidance.
If you need an internal landing page for staff, point them to a single source of truth. You can host your own SOP, and link related internal guidance, plus a short explainer on what your business offers via professional services and the rest of your knowledge base in Insights.
Frequently asked questions
Is a factory reset always enough before recycling?
No. A factory reset may clear user-facing configuration, but some devices retain data in different places, or remain linked to accounts or management platforms. Use a risk tier approach, and verify per model and firmware rather than assuming.
What proof should we keep after sanitisation?
Keep enough to show that the device was identified, wiped, and verified by an authorised person, on a specific date, then handed over under chain of custody. Common evidence is serial photos, a checklist with signatures, and a screenshot or log that confirms a wipe completed, without capturing personal data.
What do we do with devices that cannot power on?
Treat them as exceptions and escalate to a destroy pathway under your policy. Document the failure, the decision, and the destruction method, then ensure the recycler can provide suitable destruction evidence for audit.
How do we avoid iCloud or FRP lock problems at handover?
Make account lock removal a mandatory step before the wipe, not a troubleshooting step after. On Apple, confirm Activation Lock is removed and the device is not linked to the prior account, on Android, remove Google accounts and work profiles to avoid FRP, then verify the device can reach the setup screen cleanly.
Do printers really need the same attention as PCs?
Often yes. Many printers and MFPs store address books, destinations, and sometimes job data, and those items can include personal information and credentials. Treat printers as data-bearing assets and use the vendor security maintenance features where available.
Summary:
- Start with inventory, risk tiering, and role separation, then apply device-specific wipe steps.
- Remove account locks and management links before wiping, especially on phones and routers.
- Identify printer storage and run built-in secure erase features, planning downtime and stable power.
- Verify results, capture minimal evidence, and control chain of custody through pickup and destruction.
This is educational content, not financial advice.
