What Are The SERI R2V3 Data Sanitization Requirements Under Appendix B?

Summary: The R2V3 (Responsible Recycling) standard, established by SERI, includes strict guidelines and requirements for data sanitization in Appendix B. These requirements are intended to ensure that all data (PII, Confidential, Licensed information, etc.) on the devices is completely erased and cannot be recovered. An R2-certified facility has to strictly adhere to the data sanitization plan and procedures in the Core 7 requirement. Read this article to understand SERI R2V3 data sanitization requirements under Appendix B.

The SERI R2 standard is a set of guidelines for the responsible recycling of electronic equipment. R2V3 is the third version of the standard, which became effective on July 1, 2020. Appendix B of the R2V3 standard provides guidelines for data sanitization, which is the process of permanently wiping data from electronic devices before they are recycled or resold. The general principle of R2V3 Appendix B is “To recognize organizations that maintain enhanced data security controls and perform physical or logical data sanitization in accordance with best practices, where data devices are managed to the highest level of sensitivity as required by the supplier or regulation.”

R2V3 Appendix B: Data Sanitization Requirements

Data sanitization is a part of Core Requirement 7 (Data Security) of the SERI R2 standard. Appendix B covers data sanitization in depth, focusing on logical data sanitization, increased security, and device tracking. It also mentions physical sanitization for devices that need to be physically destroyed as per requirements. Some specific requirements for R2 facility running ITAD operation need to follow as per Appendix B:

• Methods to distinguish sanitized and data-bearing devices and documented quality control for verifying the data sanitization process.
• All devices processed must follow a consistent sanitization method, and the data should be sanitized from the storage device.
• Remedial actions must be taken in devices where sanitizing cannot be verified.
• Maintaining records of the data sanitization process, including the type of equipment or media sanitized, the specific sanitization method used, and the date and results of the verification process.
• Training and evaluating data sanitization personnel to perform the specific data sanitization procedures, including any necessary modifications as and when processes revise as per data storage devices and sanitization methods change.
• Implementing, testing, and maintaining effective security procedures corresponding to the sensitivity classification of the storage media.
• All data-bearing devices must be in a secure facility with alarms, CCTV systems (with at least 60 days of recordings), access control, and inventory tracking of data-bearing devices at all times.
• Data sanitization services outside the accredited R2 facility must also comply with Appendix B and Core Requirement 7.

SERI R2 standard also defines physical sanitization (Destruction) and logical sanitization (Erasure). 

What are the Physical Sanitization Requirements for R2V3 Compliance?

The physical sanitization requirements for R2V3 compliance include the following:

• Physically destroying the device using the methods provided in the table.

Table - Physical Destruction Methods (Source: The Sustainable Electronics Reuse & Recycling (R2) Standard)

• R2V3 SERI also approves the methods listed in the NSA (National Security Agency) Storage Device Sanitization Manual, Dec 2020.
• Any other method that a competent expert has independently verified to be an effective method of physical sanitization.
• The physical destruction method can be more stringent if required by customers or regulations.
• R2V3 compliance requires facilities to record and store video proof of physical destruction for at least 60 days.

What are the Logical Sanitization Requirements for R2V3 Compliance?

Logical sanitization, also known as ‘Data erasure,’ is removing all data from a device that makes it unrecoverable, rendering it reusable. Logical sanitization is typically done by overwriting the entire storage media with a series of ones and zeros. This process can be done for drives (HDD & SSD) using specialized software like BitRaser Drive Eraser. The logical sanitization requirements for R2V3 compliance include the following:

• Maintaining electronic records of data erasure generated by the data wiping software.
• The sanitization software must be able to wipe all user-addressable locations, and the software must fail the media if all locations are not sanitized.
• All logins, passwords, locks, or other connections to a remote service must be deleted and the device disconnected.
• The sanitization process must be verifiable so that it can be proven that all data has been removed. It requires a minimum of 5% of logically sanitized data storage media to be routinely sampled, audited, and certified by a third-party auditor.
• A qualified technician must perform the Logical Sanitization process, and both the equipment cum the software used must be specifically designed for the task.
• A certificate of data destruction must be provided to the customer upon request.
• If R2V3 Appendix B logical sanitization is unsuccessful, then the data-bearing device must be physically destroyed using the methods prescribed in physical sanitization.

These requirements are intended to ensure that all data on the devices is completely erased and cannot be recovered, protecting the privacy of individuals and organizations whose data may be stored on the devices. In addition, using the NIST 800-88 standard or equivalent ensures that the erasure process is secure and reliable and that the data has been erased to a widely recognized and accepted standard.

R2V3 compliance also requires stringent quality controls to ensure that the sanitization process is implemented as per the data sanitization plan, which must be updated to include the latest updates and methods of data sanitization.

What are the Quality Control Requirements in the SERI R2 Standard?

The Quality Control requirements in the SERI R2 standard include the following:

• The recycling facility must have a written Quality Control Plan (QCP) that outlines the procedures and policies for ensuring that materials are handled and processed per the standard.
• The QCP must include procedures for identifying, documenting, and tracking all materials received, processed, and shipped. In addition, the supplier must be informed of any discrepancies in receiving, cataloging, sanitizing, and releasing.
• After verifying logical sanitization, data storage devices shall be approved for release by the data protection representative. The records of sanitization must be maintained and stored by the R2 facility.
• The R2 facility must have a system for corrective and preventive actions to address any non-conformities identified during the audit process. The same must be updated in the data sanitization plan.

These requirements are intended to ensure that the recycling facility is operating in a consistent and controlled manner and that all materials are handled and processed following the standard. In addition, the QCP helps ensure that the recycler understands what is expected of them and has the necessary procedures to achieve and maintain compliance.

Conclusion: Importance of Having an R2V3 Certification

An R2V3 certification demonstrates that your electronics recycling facility is committed to responsible and sustainable practices. This certification is widely recognized as the standard for best practices in the electronics recycling industry. Some benefits of having an R2V3 certification include compliance with laws and regulations, protection of data and privacy, positive reputation & credibility, competitive advantage, and continuous improvement. Overall, an R2V3 certification can help to ensure that your facility is operating in a responsible, sustainable, and compliant manner while also helping to protect the data and privacy of your customers and contributing to a positive reputation and competitive advantage.

FAQs