Below is an extract from the Electronic Communications networks and Services, Privacy and Communications, Regulations 2011 Section 16 clearly outlining what must be done with all electronic devices before disposal.
16. Disposal of equipment
When disposing of obsolete or redundant equipment many data controllers offer the equipment for sale to staff or donate to charities. It is the responsibility of the data controller to ensure that all data previously stored on the devices has been removed prior to disposal. It is not sufficient to merely format the hard drives on the devices, as data can still be retrieved. Software is available and will overwrite the contents of the hard drive with a series of 1’s and 0’s to ensure that previous data cannot be retrieved. Dependent on the nature of the data stored, it is recommended that hard drives should be overwritten between three and five times.
Where the devices are not being recycled/reused the hard drives can either be physically destroyed or degaussed (see note 4).
It is important to consider the different types of equipment that may hold personal data. Besides obvious examples, such as servers, computers and laptops, there are a number of other devices that may store personal data. These may include smart phones, tablets, digital cameras, digital photocopiers, fax machines etc. Any data stored on these devices must also be erased prior to disposal.
4. A method of erasing data from a magnetic storage device.
(Electronic Communications networks and Services), (Privacy and Communications) Regulations 2011 Section 16.
Failure to adhere to such regulations may lead to future litigation for your business.
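
The overwriting step the extract describes (a series of 1's and 0's, three to five passes) can be sketched as follows; this is an added example, not part of the Regulations or of any named wiping product. It assumes the target is a raw drive image or block device opened by path, and the names `sanitize`, `overwrite_pass` and `demo` and the alternating 0x00/0xFF pattern are choices made here for illustration.

```python
import os
import tempfile

CHUNK = 1 << 20                  # write and verify in 1 MiB blocks
PATTERNS = (b"\x00", b"\xff")    # all 0 bits, all 1 bits, alternating per pass

def overwrite_pass(f, size, byte):
    """Fill the whole target with `byte`, force it to storage, read it back."""
    f.seek(0)
    for off in range(0, size, CHUNK):
        f.write(byte * min(CHUNK, size - off))
    f.flush()
    os.fsync(f.fileno())         # ask the OS to push cached writes to the device
    f.seek(0)
    for off in range(0, size, CHUNK):
        n = min(CHUNK, size - off)
        if f.read(n) != byte * n:
            return False         # a block did not take the pattern
    return True

def sanitize(path, passes=3):
    """Overwrite `path` in place; return [(pass_no, pattern_hex, verified)]."""
    if not 3 <= passes <= 5:
        raise ValueError("passes must be between three and five")
    results = []
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)   # works for images and block devices
        for i in range(passes):
            byte = PATTERNS[i % 2]
            ok = overwrite_pass(f, size, byte)
            results.append((i + 1, byte.hex(), ok))
            if not ok:
                break            # stop at the first pass that fails verification
    return results

def demo():
    """Constructed 64 KiB stand-in for a drive image holding a fake record."""
    record = b"name=Jane Example;acct=00000000"   # constructed sample data
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(record + os.urandom(64 * 1024 - len(record)))
        path = img.name
    try:
        results = sanitize(path)
        with open(path, "rb") as f:
            leftover = f.read()
    finally:
        os.remove(path)
    return results, record in leftover, set(leftover)
```

On a real drive the read-back can be served from the operating system's cache, and flash media with wear-levelling can hold copies outside the addressable range, so in-place overwriting of this kind applies to magnetic hard drives. Keeping the per-pass results gives the data controller a record that each device was wiped before it left the premises.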