The problem with “recycled” computers
When an organisation retires a computer — a desktop, laptop, or server — and sends it to a recycling centre or donates it, the assumption is often that the device is blank. It rarely is.
Research by independent security organisations over many years has found personal data — sometimes including financial records, medical files, and login credentials — on computers purchased second-hand from online marketplaces, charity shops, and IT resellers. The previous owners believed their data had been removed. In many cases, the drives had only been formatted, or the operating system had been reinstalled.
A formatted drive is not a wiped drive. A reinstalled operating system does not remove the data underneath it. Recovery tools — available free online — can retrieve files from drives that have been formatted, deleted, or even had a new operating system installed.
What data is typically at risk?
A business computer reaching end of life may contain:
- Customer and client records (names, addresses, contact details, purchase history)
- Employee personal information (payroll data, HR records, performance reviews)
- Financial data (invoices, bank details, accounting records)
- Intellectual property (contracts, proposals, internal strategy documents)
- Credentials and authentication tokens (saved passwords, VPN certificates, session data)
- Email archives containing any or all of the above
Under UK GDPR and the Data Protection Act 2018, personal data in any of these categories is subject to legal protection. Allowing it to leave your organisation’s control on an unwiped device constitutes a data breach — and could result in enforcement action by the Information Commissioner’s Office (ICO).
What happens to data during the recycling process?
This depends entirely on the recycling route you use.
General WEEE recycling without data destruction:
If a device is sent to a general e-waste recycler that does not offer data destruction, the drive will typically be removed and shredded along with other materials — but only after the device has passed through a facility where other people handled it. The data risk during that transit period is real.
Refurbishment and resale:
Some recyclers refurbish computers and resell them. If the drive is not wiped before refurbishment, the new user may be able to access the previous owner’s data. Reputable refurbishers wipe drives as a matter of course, but standards vary widely.
Donation without data destruction:
Computers donated to schools, charities, or community groups are sometimes set up directly without the previous user’s data having been removed. This is a well-documented source of data breaches in the charitable sector.
Certified IT asset disposal (ITAD):
A certified ITAD provider carries out data destruction — either wiping or shredding — before the device enters the recycling or refurbishment stream. The provider issues a certificate of data destruction as evidence. This is the only route that provides compliance assurance.
What should happen before a computer is recycled?
Before any computer leaves your organisation’s control, the following must occur:
- Data destruction: The drive must be wiped to a certified standard (NIST SP 800-88 or NCSC guidance) or physically shredded. Deletion and formatting are not sufficient.
- Verification: For software wiping, a verification report must confirm every sector was overwritten. For shredding, the chain of custody must be documented.
- Documentation: A certificate of data destruction must be issued and retained as compliance evidence.
- WEEE-compliant disposal: The hardware must be routed to an authorised treatment facility under the WEEE Regulations 2013, not sent to general waste.
For a step-by-step guide to wiping a laptop specifically, see our article on how to wipe a laptop before recycling.
Does the type of storage affect the risk?
Yes, significantly.
Traditional hard drives (HDDs): Data is written magnetically to spinning platters. Standard deletion leaves the data fully intact. Certified software wiping or physical shredding addresses this reliably.
Solid-state drives (SSDs): Data is stored in NAND flash memory. Standard overwrite tools may not reach all storage areas due to wear levelling. Certified firmware-level commands (ATA Secure Erase, NVMe Sanitise) or physical shredding are required. Degaussing has no effect on SSDs.
Hybrid drives: Contain both a magnetic platter and flash cache. Both components require treatment.
Understanding which type of drive a computer contains is the first step in selecting the appropriate destruction method.
The accountability gap in common practice
Many businesses believe they are compliant because they have “recycled” their old computers through a local scheme or donated them to charity. The accountability gap is this: unless they have a certificate of data destruction — a document recording what was destroyed, how, and when — they cannot demonstrate compliance if challenged.
The ICO’s accountability principle is explicit: data controllers must be able to demonstrate that they comply with the data protection principles, not simply assert it. “We recycled the computers” is an assertion. A certificate of data destruction is evidence.
For more on what the certificate should contain, see our guide to certificates of data destruction.
How Recycle4Charity handles data when recycling a computer
Recycle4Charity is a London-based Community Interest Company that collects computers and other IT equipment from businesses, carries out certified data destruction — wiping or shredding as appropriate — and issues a certificate of data destruction for every collection. Devices that pass wiping and a hardware quality check are donated free to digitally-excluded Londoners. Those that cannot be refurbished are recycled through WEEE-compliant routes.
Visit our data destruction for business page to find out more, or contact us to arrange a collection.