
©2026 KGS Pte. Ltd. All Rights Reserved.


The Complete Guide to PDPA-Compliant IT Asset Disposal in Singapore (2026 Edition)

Andrew Tay | Published: 05 May 2026 | Last updated: 06 May 2026

Last updated: 5 May 2026 | Reading time: ~12 minutes | Author: KGS Recycling, NEA-licensed e-waste recycler

What PDPA-compliant IT asset disposal means

PDPA-compliant IT asset disposal in Singapore requires organisations to securely destroy, sanitise, or render unrecoverable all personal data on retired IT equipment before disposal, in line with Section 24 (Protection Obligation) and Section 25 (Retention Limitation Obligation) of the Personal Data Protection Act 2012. Compliance covers laptops, servers, mobile devices, storage media, and printers, with documented chain of custody and certificates of destruction.

Why this matters now

The Personal Data Protection Commission (PDPC) raised the maximum financial penalty for data breaches to S$1 million or 10% of annual turnover in Singapore, whichever is higher, on 1 October 2022, for organisations with annual turnover above S$10 million. Improper disposal of IT equipment is one of the most common causes of preventable breaches because it converts a routine refresh cycle into a personal data leak. A single laptop sold on the secondary market with an un-sanitised drive can contain thousands of customer records, employee NRICs, and email archives.

For an MNC running a four-year refresh cycle on 800 laptops, that is a meaningful breach surface. For an SME with thirty laptops and no formal policy, it is often the single largest unmanaged risk on the books.

Statutory framework: what the law actually says

PDPA Section 24, the Protection Obligation

Section 24 of the PDPA requires organisations to "make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks." The word "disposal" appears in the statute itself. That is the legal requirement for end-of-life IT controls.

The PDPC has interpreted "reasonable" to mean methods proportionate to the sensitivity of the data and the form of the medium. A retired laptop holding HR records is treated differently from a printer with no internal storage. The duty sits with the data controller, not the disposal vendor, even when disposal is outsourced.

PDPA Section 25, the Retention Limitation Obligation

Section 25 requires organisations to "cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals" once the personal data is no longer needed for any business or legal purpose.

The practical consequence: keeping old laptops in a storeroom "just in case" is not a neutral act. If those drives still contain personal data and there is no longer a business or legal reason to hold them, the organisation is in breach.

Data intermediary obligations

Section 4(3) of the PDPA confirms that an organisation has the same obligation in respect of personal data processed on its behalf by a data intermediary as if the personal data were processed by the organisation itself. Picking the cheapest disposal quote from an unlicensed vendor does not transfer the legal risk.

MAS TRM Guidelines for the financial sector

If the organisation is regulated by the Monetary Authority of Singapore, including banks, insurers, payment institutions, and capital markets services licensees, the MAS Technology Risk Management Guidelines, revised January 2021, layer on top of the PDPA. The TRM Guidelines cover IT asset management and require controlled disposal of media, with sanitisation aligned to recognised standards such as NIST SP 800-88. MAS expects board-level oversight of the technology risk framework, and asset disposal sits inside that framework.

Singapore Standard SS 587:2013

SS 587:2013, "Specification for secure destruction of confidential material," is the Singapore Standard governing physical destruction of confidential material in both paper and electronic form. It defines particle sizes for shredding by data classification level, chain-of-custody requirements, and operational controls for destruction service providers. SS 587 itself is not a law, but the PDPC routinely points to it as evidence of "reasonable security arrangements" under Section 24.

Cybersecurity Act 2018

For operators of Critical Information Infrastructure across the 11 designated sectors (including energy, water, banking and finance, healthcare, land transport, aviation, maritime, government, infocomm, media, and security and emergency services), the Cybersecurity Act 2018 imposes additional obligations on the management and disposal of assets that handle CII. CII operators must report cybersecurity incidents to the Cyber Security Agency of Singapore and adhere to sector-specific codes of practice.

NIST SP 800-88 Rev. 1, the operational reference

NIST Special Publication 800-88 Rev. 1, "Guidelines for Media Sanitization," is the international reference document most commonly used in Singapore to define the actual technical methods. It defines three sanitisation levels:

  • Clear: overwrite or reset to factory default; protects against keyboard attacks
  • Purge: cryptographic erase, secure erase commands, or degaussing; protects against laboratory attacks
  • Destroy: degaussing, shredding, disintegration, melting, or incineration; renders the media unusable. However, in the Singapore context, e-waste and hard drives are classified as recyclables and may not be incinerated.

Both the PDPC and MAS treat NIST SP 800-88 as a reasonable benchmark.

Decision tree: certified destruction, data wiping, or donation?

Before deciding what to do with retired equipment, work through three questions in order.

Question 1: Did this device ever store personal data, business confidential data, or regulated data?

If no, skip to Question 3 (donation or resale path). If yes, continue to Question 2.

Question 2: What is the data classification?


Question 3: Does the device still have economic value?

If yes, and the data has been verifiably sanitised, the device can go into the ITAD resale or donation channel. If no, or sanitisation cannot be verified, the device should go to certified destruction and recycling.

For SSDs, NVMe drives, and modern flash storage, physical destruction is the safest default. Wear-levelling and over-provisioning mean a software wipe cannot guarantee every cell is overwritten. For HDDs, a NIST Purge using ATA Secure Erase or a three-pass overwrite is generally accepted. For mobile devices and tablets, factory reset combined with cryptographic erase is the standard, but the device must have been encrypted from first use for cryptographic erase to be meaningful.

What "certified destruction" actually involves

A defensible destruction process has six elements. Missing any one of them weakens the audit trail.

The first is secure collection: locked containers or sealed bags collected by uniformed staff in GPS-monitored vehicles. The second is chain-of-custody documentation: serialised tracking from collection point to destruction floor. The third is on-site witness or sealed transport to a licensed facility, depending on client preference. The fourth is destruction to a defined standard: degaussing using NIST certified machines or shredding to small particle sizes. The fifth is the certificate of destruction itself, which lists every serial number, the destruction date and the method. The sixth is downstream recycling evidence: the destroyed material must end up in a licensed recycling stream, not landfill.

KGS holds an NEA e-waste recycler licence and is audited for downstream flows.

Data wiping versus physical destruction: the trade-off

Software wiping preserves the asset for resale and reduces e-waste, but it has limits. Secure Erase relies on the drive firmware doing what it says, and not every drive implements it correctly. It only works when the drive is still in working condition, and it is time consuming, taking hours per drive depending on capacity.

Physical destruction removes all doubt. It is the only method that gets a sign-off without caveats. The downside is that the asset's residual value is gone. For a four-year-old laptop, this is usually acceptable. For a six-month-old MacBook Pro, the value lost can be material.

A hybrid approach works for most organisations. Destroy the storage media (HDDs and SSDs) that meet the data classification threshold, log the destruction results, and then release the remaining assets for recycling or refurbishment. Keep the destruction certificates on file for at least the duration of any applicable retention period.

Documentation: what auditors actually ask for

In a PDPC investigation following a breach, the questions that come up are predictable. Investigators want to see the disposal policy, the asset register, the destruction certificates reconciled to that register, the vendor's licences and certifications, and evidence of staff training. Organisations that produce all five quickly are usually treated more leniently. Organisations that cannot produce them tend to face higher penalties because the PDPC reads the gap as a Section 24 failure.

A minimum documentation pack contains:

  • A written IT asset disposal policy approved at the right level (board for MAS-regulated entities, senior management for everyone else)
  • An asset register with serial numbers of storage drives and disposal status
  • Certificates of destruction matched line by line to the register
  • Vendor due diligence records: NEA licence, ISO certifications, SS 587 alignment, insurance certificate
  • Annual sample audit of disposed assets and records
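The line-by-line reconciliation above is easy to script. The following is an added illustration, not KGS tooling or any vendor's format: it matches a constructed asset register against a constructed certificate of destruction, flags disposed drives with no certificate, certificate serials missing from the register, drives still in storage with personal data (the Section 25 point), and methods that are not defensible for the medium (degaussing or wiping an SSD holding sensitive data, as the FAQ notes). The column names, serials and function names are assumptions made for this example.

```python
import csv
from io import StringIO

# Constructed sample asset register, one row per storage drive (serials are fictitious).
ASSET_REGISTER = """\
asset_tag,drive_serial,media,classification,status
LT-0101,SN-HDD-0001,HDD,confidential,disposed
LT-0102,SN-SSD-0002,SSD,sensitive,disposed
SRV-0201,SN-HDD-0003,HDD,general,disposed
LT-0103,SN-SSD-0004,SSD,confidential,in_storage
"""

# Constructed sample certificate of destruction, as a vendor might issue it.
CERTIFICATES = """\
drive_serial,destroyed_on,method
SN-HDD-0001,2026-04-20,degauss
SN-SSD-0002,2026-04-20,degauss
SN-HDD-0003,2026-04-20,shred
SN-HDD-9999,2026-04-20,shred
"""

def method_ok(media, classification, method):
    # SSDs have no magnetic domain, so degaussing is not a purge for them, and a
    # software wipe is only accepted on an SSD that held general business data.
    if media == "SSD":
        return method == "shred" or (method == "wipe" and classification == "general")
    return method in {"degauss", "shred", "wipe"}

def parse(text):
    return list(csv.DictReader(StringIO(text)))

def reconcile(register_csv, certs_csv):
    """Return sorted (drive_serial, finding) pairs an auditor would ask about."""
    register = {r["drive_serial"]: r for r in parse(register_csv)}
    certs = {c["drive_serial"]: c for c in parse(certs_csv)}
    findings = []
    for serial, row in register.items():
        cert = certs.get(serial)
        if row["status"] == "disposed" and cert is None:
            findings.append((serial, "disposed drive has no certificate of destruction"))
        elif cert and not method_ok(row["media"], row["classification"], cert["method"]):
            findings.append((serial, f"{cert['method']} is not defensible for {row['media']}/{row['classification']}"))
        elif row["status"] == "in_storage" and row["classification"] != "general":
            findings.append((serial, "still in storage with personal data: check Section 25 retention"))
    for serial in certs.keys() - register.keys():
        findings.append((serial, "certificate serial not in asset register"))
    return sorted(findings)
```

Run the same check on the real register and certificate export before the annual sample audit; an empty result is what you want to be able to show an investigator.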

Choosing a disposal vendor in Singapore

Five criteria separate competent vendors from risky ones.

NEA licensing is the baseline. The National Environment Agency licenses electronic waste recyclers under the Resource Sustainability Act, and the Extended Producer Responsibility scheme has been in force since 1 July 2021. An unlicensed disposal vendor cannot lawfully process e-waste in Singapore. KGS is NEA-licensed for e-waste, lithium-ion battery, and solar panel recycling.

Certifications come next. Look for ISO certificates, provision of Certificate of Destruction, SS 587 alignment for destruction processes, and where applicable R2 or e-Stewards for downstream recycling.

Chain of custody must be auditable from collection to destruction. Serialised barcoding and CCTV coverage of destruction floors are now standard expectations.

Insurance matters more than people realise. A reasonable disposal vendor carries professional indemnity and data breach liability cover.

Downstream transparency is the final filter. Vendors like KGS are NEA licensed and audited on downstream flows.

Common mistakes Singapore organisations make

The most frequent failure is storeroom accumulation. Laptops pile up over years "for tax write-off" or "in case someone needs a spare." Section 25 does not permit indefinite retention of personal data once the business purpose has ended.

The second is assuming factory reset is enough. On modern Android and iOS devices encrypted by default, factory reset is close to a cryptographic erase. On older devices or PCs, it is not. The PDPC has issued enforcement decisions against organisations that disposed of devices after factory reset alone.

The third is outsourcing without due diligence. As noted above, Section 4(3) of the PDPA places responsibility on the data controller for personal data processed by a data intermediary.

The fourth is forgetting peripheral devices. Multi-function printers and copiers contain hard drives that store scan and print history. Networked photocopiers in particular have been the subject of breaches overseas and are routinely missed in Singapore disposal scopes.

The fifth is no destruction process for backup tapes and external drives. These often hold the most concentrated personal data in the organisation and end up in a desk drawer for years.

A practical 90-day plan

In month one, draft or refresh the IT asset disposal policy and circulate it for sign-off. Conduct a stocktake of every device currently in storage but not in use.

In month two, classify each device by data sensitivity and select a disposal pathway. Engage an NEA-licensed vendor, sign a data processing agreement, and run a pilot batch.

In month three, scale the process, file the certificates of destruction in a single retrievable location, and brief IT and HR staff on the new procedure. Add an annual review date to the calendar.

Frequently asked questions

Does the PDPA apply to internal employee data?

Yes. The PDPA covers personal data of employees, customers, contractors, and visitors. Internal HR records on a retired laptop are within scope.

Is a software wipe alone PDPA-compliant?

It can be, depending on the data sensitivity, the medium, and the method. Multi-pass overwriting on HDDs holding general business data is usually defensible. Software wiping is not generally accepted as sufficient on SSDs holding regulated or sensitive personal data; physical destruction is preferred.

Are degaussers still relevant?

Degaussing remains effective on magnetic media (HDDs and tapes) and can be a fast purge method. It does not work on SSDs or flash media because there is no magnetic domain to disrupt.

Who signs the certificate of destruction?

The disposal vendor signs and issues the certificate. The data controller's IT or compliance lead confirms receipt and reconciliation against the asset register.

How long should we keep destruction certificates?

At minimum, for the retention period applicable to the underlying records destroyed. For financial sector clients, MAS expectations typically translate to seven years. For general business data, five years is a common practice.

Can we donate working laptops to charity?

Yes, after sanitisation to the appropriate NIST level and removal of all licensed software. Document the wipe and the recipient. A donation pathway is environmentally preferable where the asset still has useful life.

What about lithium-ion batteries inside disposed devices?

Under the Resource Sustainability Act, lithium-ion batteries must be processed by a licensed recycler. KGS is licensed to handle li-ion battery recycling alongside ITAD. Pulling batteries before destruction also reduces fire risk during shredding.

Do we need a Data Protection Officer to oversee disposal?

The PDPA requires every organisation to designate a Data Protection Officer. The DPO does not need to run the disposal process personally, but should approve the policy and review the documentation pack.

About KGS

KGS is an NEA-licensed electronic waste recycler in Singapore providing IT Asset Disposition (ITAD), e-waste recycling, lithium-ion battery recycling, and solar panel recycling. We work with MNCs, government agencies, financial institutions, and SMEs across Singapore.

To request a quote or schedule a collection, visit https://www.kgs.com.sg/.
