What is IT asset tracking in the context of disposal?
IT asset tracking means maintaining a documented record of each device — identified by its serial number or asset tag — through every stage of the disposal process. From the moment a device is logged for retirement to the moment a destruction or recycling certificate is issued, each transfer and action is recorded and attributable.
This is distinct from asset tracking during active use, where the goal is inventory management. During disposal, the goal is chain of custody: a continuous, auditable record that demonstrates no unauthorised access, loss, or data breach occurred between the device leaving your organisation and its storage being verified as destroyed.
Why does chain of custody matter under UK GDPR?
The UK General Data Protection Regulation (UK GDPR), implemented through the Data Protection Act 2018, requires data controllers to implement appropriate measures to ensure personal data is protected. The accountability principle — Article 5(2) — requires organisations not just to comply, but to be able to demonstrate compliance.
When the ICO investigates a data breach, one of the first questions is: what happened to the device that held the data? If the answer is “we handed it to a recycler but have no documentation”, the organisation has a problem. A complete chain of custody — from internal retirement log to data destruction certificate — is the evidence that demonstrates control was maintained.
The ICO has issued fines and enforcement notices against organisations that failed to document data destruction adequately. Chain of custody documentation is not optional.
What does good IT asset tracking look like during disposal?
A robust tracking process includes:
Pre-collection manifest — before any device leaves your premises, it is logged. The manifest records: serial number, make, model, asset tag (if applicable), location, assigned user, and the data classification of information previously held on the device. This manifest is signed off by an authorised internal contact.
Collection receipt — at the point of collection, the ITAD provider issues a signed receipt confirming which assets they have taken into custody. The receipt cross-references the manifest. Any discrepancies — a device on the manifest that is not present, or a device present that is not on the manifest — are flagged and resolved before the collection team leaves.
Transfer of custody documentation — the WEEE Regulations 2013 require a waste transfer note when electrical equipment is transferred to an authorised treatment facility. This note identifies the transferor (your organisation), the transferee (the ITAD provider), the date, and the type and quantity of equipment. Retain this note.
Data destruction certificates — a certificate is issued for every device that contains or may contain storage media. Each certificate cites the specific device (by serial number or IMEI), the destruction method used, the standard to which it was performed, the date, and the name of the technician. Certificates should be received per device, not per batch.
Asset disposition report — after processing, you receive a report mapping every serial number on the original manifest to its outcome: data-wiped and refurbished, data-wiped and resold, data-wiped and recycled, or destroyed. This is your end-to-end record.
What should each certificate contain?
A data destruction certificate that will stand up to ICO scrutiny should include:
- Your organisation’s name and site address
- The ITAD provider’s name, registered address, and authorised treatment facility registration number
- Device serial number (or IMEI for mobile devices)
- Make and model
- Storage type and capacity (where known)
- Data destruction method (overwrite, degauss, shred)
- Standard applied (HMG IS5, NIST 800-88, or equivalent)
- Date of destruction
- Technician name or identifier
- Provider’s authorised signature or stamp
Certificates that list only “batch X, 50 devices, wiped” without individual serial numbers do not provide adequate evidence for UK GDPR accountability.
How does asset tracking support WEEE compliance?
The WEEE Regulations 2013 require business waste producers to transfer electrical and electronic equipment waste to an authorised treatment facility and to retain documentation of that transfer. The waste transfer note is the primary document.
Beyond the transfer note, WEEE compliance depends on being able to demonstrate that equipment classified as waste was treated by a licensed facility and that any hazardous components were handled appropriately. An asset disposition report that shows each device was processed — not just collected — provides that evidence.
Integrating disposal tracking with your asset register
Many organisations maintain an asset register or configuration management database (CMDB) throughout a device’s active life. Disposal tracking closes the loop: when a device is retired and disposal is complete, its serial number should be updated in the register with a status of “disposed”, the disposal date, the ITAD provider, and a reference to the data destruction certificate.
This integration prevents the common problem of “ghost assets” — devices that appear active in the register but are physically absent. Ghost assets create audit risk and can obscure genuine losses.
Our IT asset disposal service includes a full asset disposition report on every collection, designed to map directly to your internal asset register. For more detail on how we handle the full disposal chain, read our overview of what ITAD involves.