Jun 22, 2021
The Responsible Use and Recycling or R2 Standard focuses on regulating the impact of electronics refurbishing and recycling on the environment and on workers associated with the e-recycling industry. Originating in North America in 2008, the Standard is widely adopted by electronics recyclers, including IT Asset Disposition companies (ITADs), refurbishers, and resellers, for sustainable, eco-friendly electronics recycling through the Test, Repair, Reuse, and Recycling stages.
R2v3, released in July 2020 by Sustainable Electronics Recycling International (SERI), is the second major revision or upgrade of the R2 Practices since 2013, when the first revision was released. According to the R2 version 3.0 documentation (© SERI, 2020: The R2 Standard by SERI Version 3 (R2v3)), R2 certification can help IT asset managers, buyers of IT asset destruction, refurbishing and remarketing services, and recyclers to reinforce confidence in the sustainable and safe management of used electronics equipment. Further, ITAD companies with R2v3 certification are in a stronger position to assure customers of the efficacy of their data destruction practices.
This article outlines the R2v3 core requirements, focusing on the “Data Security” requirement that chiefly concerns the IT asset destruction industry.
The R2v3 requirements span ten different areas, ranging from scope, responsible e-waste management strategies, and legal requirements to data security, facility requirements, and more. The following is a brief outline of the latest R2v3 requirements:
1. Scope
This requirement mandates an R2 Facility to determine and certify the processes, electronic equipment, component, and material streams it manages. It also brings activities like collection, renewal, repair, remarketing, disintegration, asset recovery, brokering, and recycling of used electronic items within the scope of R2v3 certification.
2. Hierarchy of Responsible Management Strategies
This requirement area specifies the need for developing and adhering to a policy for managing used and end-of-life electronic equipment, components, and materials. It mandates the policy to include hierarchical & responsible management strategies that prioritize reuse, followed by recovery and recycling.
3. EH&S Management System
This requirement area in R2v3 directs the R2 Facility to maintain a certified Environmental, Health, and Safety Management System (EHSMS) that allows planning, implementing, and monitoring environmental, health, and safety practices with respect to the safety of workers, the public, and the environment under both normal and exceptional circumstances. It requires an R2 Facility to periodically review and evaluate the associated risks of exposure to hazardous substances like mercury, lead, beryllium, cadmium, etc.
4. Legal & Other Requirements
This requirement in the R2v3 Standard focuses on complying with the prevailing laws for environmental safety, health, and data security concerning the processing, transit, and import or export of electronic equipment, components, and materials.
5. Tracking Throughput
As per this requirement area, an R2 Facility shall record and manage the throughput of all electronic equipment, components, and materials and keep adequate documentation mentioning the details of the movement of all the electronic items.
6. Sorting, Categorization, and Processing
This area defines the requirement for assessing, organizing, and categorizing electronic equipment as per the R2 Equipment Categorization reference. An R2 Facility is required to develop and maintain a process document for sorting and categorizing electronic equipment before it is processed. It also requires defining instructions and criteria for deciding whether components can be reused, based on their physical condition and functionality.
7. Data Security
An R2 Facility is required to maintain high standards of data security by ensuring a high level of security and sanitization for all data storage devices, based on the device type and data sensitivity. Meeting the R2v3 “Data Security” requirement is crucial for attaining safe and compliant data destruction outcomes. The requirement is therefore a critical consideration for ITAD companies wanting to scale up their practices and attain compliance in line with R2 version 3. In a later section, we cover the R2v3 Data Security requirement, including critical updates that impact ITAD operations.
8. Focus Materials
This requirement is concerned with the management of on-site processes and hiring of e-recycling vendors to ensure that the focus material passing through the facility does not affect the health and safety of workers, the public, and the environment.
9. Facility Requirements
As per this requirement, the R2 Facility should process and store electronic equipment, components, and materials in a legally compliant manner. Also, the processing and storage of electronic equipment should not affect the health and safety of workers, the public, and the environment.
10. Transport
This area specifies the standards for safe and legally compliant transportation of electronic equipment, components, and materials, considering physical media and data security, workers’ health and safety, and environmental impact.
The Data Security requirement (Core 7) identifies four areas for meeting R2 compliance, namely—
This aspect emphasizes the need for detailed documentation on the data sanitization plan and procedures. The documentation should comprise the following details:
The Requirement also mandates a written and maintained data security policy to govern the following actions:
The Security aspect of R2v3 deals with controlling physical access to the data storage devices in an R2 Facility as per the following guidelines:
This aspect focuses on defining the processes followed for receiving and sanitizing data storage devices, including process audit, as follows:
This aspect of the R2v3 Data Security requirement mandates the R2 Facility to have a process for notifying the suppliers, legal authorities, and other third parties in the event of —
The R2v3 Standard provides specific guidelines for data sanitization using physical destruction and logical sanitization (data erasure) methods. Adhering to these methods is crucial for ITAD companies seeking compliance with the R2v3 Standard.
While the R2 physical destruction requirements are primarily based on NIST SP 800-88 Guidelines, the data erasure guidelines are specific to the R2 Standard and apply to particular areas, as follows:
a) Data Erasure Software:
The data erasure software used should wipe all user-addressable memory locations on the data storage media. Also, the software should be able to fail the media if it cannot erase any user-addressable memory location.
b) Electronic Records of Data Sanitization:
Electronic data erasure records should be maintained for all the storage devices logically sanitized (overwritten) using the data erasure software. The wiping records should map to the unique identifier for the data storage media.
c) Removal of Login & Passwords:
R2 requirements for data erasure mandate removal of all the logins, passwords, locks, or any other mechanism that could allow access to the storage media.
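An added example (not taken from the R2 Standard or from any erasure product) of requirements (a) and (b) above: a read-back check that fails the media if any addressable block is not clean, and an erasure record keyed to the media's unique identifier. The block size, field names, HMAC sealing of the record, and the in-memory sample images are assumptions made for the illustration.

```python
import hashlib, hmac, io, json

BLOCK = 512  # assumed logical block size for the illustration

def verify_wipe(dev, total_blocks, pattern=0x00):
    """Read back every addressable block; return the LBAs that are not clean."""
    expected = bytes([pattern]) * BLOCK
    failed = []
    for lba in range(total_blocks):
        dev.seek(lba * BLOCK)
        # A short read (unreadable block) and residual data both count as failure.
        if dev.read(BLOCK) != expected:
            failed.append(lba)
    return failed

def _mac(record, key):
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def erasure_record(media_id, dev, total_blocks, key):
    """Build a record tied to the media's unique identifier and seal it."""
    failed = verify_wipe(dev, total_blocks)
    record = {
        "media_id": media_id,
        "blocks_total": total_blocks,
        "blocks_failed": failed,
        "result": "FAIL" if failed else "PASS",
    }
    record["hmac_sha256"] = _mac(record, key)
    return record

def record_is_authentic(record, key):
    unsigned = {k: v for k, v in record.items() if k != "hmac_sha256"}
    return hmac.compare_digest(record.get("hmac_sha256", ""), _mac(unsigned, key))

# Constructed sample media: 8-block images held in memory.
KEY = b"constructed-demo-key"
clean = io.BytesIO(bytes(8 * BLOCK))
dirty_bytes = bytearray(8 * BLOCK)
dirty_bytes[3 * BLOCK + 10] = 0x41          # residual byte left in block 3
dirty = io.BytesIO(bytes(dirty_bytes))
short = io.BytesIO(bytes(6 * BLOCK))        # reports 8 blocks, only 6 readable

if __name__ == "__main__":
    for media_id, dev in [("SN-CONSTRUCTED-001", clean),
                          ("SN-CONSTRUCTED-002", dirty),
                          ("SN-CONSTRUCTED-003", short)]:
        print(json.dumps(erasure_record(media_id, dev, 8, KEY)))
```

An auditor holding the key can recompute the seal over a stored record; a record whose result was edited after the fact no longer verifies.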
The R2 Standard defines sweeping requirements to help IT asset destruction, e-recycling, and refurbishing companies meet the prevailing norms for environmentally safe and sustainable e-recycling practices.
“Data Security” or Core 7 is a critical requirement in R2v3, focusing on maintaining data security by sanitizing used or end-of-life data storage devices. The requirement specifies physical destruction and data erasure as the two methods for media sanitization. Further, it emphasizes the need for effective sanitization (i.e., erasure of all user-addressable memory locations) and electronic data erasure records.
Professional data erasure software can help ITAD companies comply with logical media sanitization standards as per the R2v3 Data Security requirement. By wiping all addressable memory locations, including the hidden areas, and generating tamper-proof digital reports of erasure, the tool can help ITADs meet R2v3 data security compliance and data sanitization process requirements. To know more about how software can help you comply with R2v3 standards, you may write to email@example.com.