Secure collection, data erasure, reuse and recycling of computers, monitors and tablets

Groups: 
  • End of Life Management
Category: 
  • Reuse and recycling

Basic

Requirements and Criteria Type: 
  • Technical Specification (Requirement Specifications)

Main Objective: 

The main purpose is to ensure reuse and recycling of ICT equipment and to prevent electronic waste from ending up in scrap heaps or being incinerated. Electronic waste is the fastest growing waste stream in the world, causing pollution, human health hazards, and the loss of valuable resources such as gold, copper and rare earth metals.

Requirement Specification: 

The supplier (or the supplier’s subcontractor) shall provide a reuse and recycling service that at least includes the following:

  1. Collection of electronic devices in secured lockers
  2. Secure data erasure and de-identification of electronic devices that are collected
  3. Reuse of electronic equipment
    • Used electronic devices shall be prepared for reuse, insofar as the device is, or can relatively easily be put, in a state fit for reuse by the supplier (or the supplier’s subcontractor).
  4. Recycling

This requirement does not cover security-rated information. Security-rated information is information that may harm national security interests if it becomes known to unauthorized persons. This includes, among other things, information produced by police and defense authorities. ICT equipment with security-rated information must be handled in accordance with the Security Act (Sikkerhetsloven).

Documentation of the Requirement Specification: 

The supplier shall confirm that the requirements are met and submit the following:

  • If a subcontractor is to be used, a declaration of commitment from the subcontractor must be attached, in accordance with Regulations on public procurement §16-10 (2).
  • Documentation that the data erasure software to be used has been evaluated as suitable for secure data erasure. The software can be evaluated by, for example, the National Security Authority (NSM) or other actors. See list of NSM approved tools. Examples of other evaluated data erasure software can be found at Common Criteria, which publishes certificates from all certificate-issuing nations under the Common Criteria Recognition Arrangement (CCRA).
  • Documentation confirming that electronic devices will be prepared for reuse (e.g. function tests or a description of max. one A4 page).
  • Documentation (contract, e-mail or other relevant document) confirming membership in a return company in the Norwegian Environment Agency’s register or, alternatively, documentation that another company acting in compliance with the Pollution Control Act will handle the electronic waste.
  • Signed version of [enclosed data processing agreement. Difi's data processing agreement can be used: It is currently undergoing updates but is quality assured and can be used in its current edition].

The following shall be submitted no later than 45 days after collection of ICT devices:

  • Report on brand, model, serial number and date of data erasure for all collected devices.

 

Information about the Requirement Specification: 

The contracting authority risks liability if it does not deliver its used ICT equipment to a supplier that is a member of an approved return company or to a company that has been granted permission by the pollution authorities to treat such waste.

The contracting authority must choose whether to purchase the services described in this requirement as part of the procurement of ICT equipment or as a separate procurement. If the procurement of ICT equipment and the procurement of services for data erasure, reuse and recycling of ICT equipment are made in the same notice, it should be stated clearly that it is possible to submit a tender for the entire procurement or for parts of it. The requirement is designed to also apply to electronic equipment that the client wants to get rid of besides PCs, monitors and tablets (for example printers, which also have storage media).

Secure deletion is essential for security and for compliance with the GDPR. A signed data processing agreement will further ensure that personal data is processed in accordance with regulations. For ICT equipment that is functionally intact, reuse will usually be far more environmentally friendly than material recycling.

If the supplier itself has imported the ICT equipment to be processed into Norway, the supplier must be, or must become, a member of a return company approved by the Norwegian Environment Agency no later than the signing of the contract. The supplier can also be a member of a recycling company if it has not itself imported the ICT equipment to be processed into Norway.

The requirement has been prepared with input from the Norwegian Environment Agency and the National Security Authority (NSM).

Handling of ICT equipment that is security-rated is subject to the Security Act, which requires stricter handling of the ICT equipment than what is covered in this requirement. For more information on handling security-rated equipment, see NSM's Guide to Handling and Protecting Security-Rated Information (see "Related Links" below).

Related links: 

Published: 20. Sep 2019, Last modified: 10. Oct 2019