Information Security Policy
1. Purpose and Scope
Tech-Takeback Foundation contracts Tech-Takeback Ltd on a legal basis to carry out its secure collection, data-erasure, repair and refurbishment of donated laptops. This policy outlines the procedures, responsibilities, and controls that Tech-Takeback implements to secure all data-bearing assets managed throughout the lifecycle of collection, refurbishment, data erasure, and resale or recycling.
2. Information Classification
Tech-Takeback Foundation and Tech-Takeback Ltd recognise three classifications for data handled:
Personal Data: One-pass overwrite, non-certified.
Business Data: One-pass overwrite, certified.
Business Confidential Data: Three-pass overwrite, certified.
All classifications are treated with identical operational care. Classification differentiation is recorded only within our secure inventory database during the erasure process. Client confidentiality is maintained rigorously; client identifiers are restricted to the inventory system, and paper documents are digitised and securely shredded post-entry.
3. Roles and Responsibilities
Chair of Trustees, Tech-Takeback Foundation / Managing Director, Tech-Takeback Ltd: Crisis Management
Technical Director, Tech-Takeback Ltd: IT Security and Data Erasure Verification
Chief Operating Officer (COO), Tech-Takeback Ltd: Policy oversight and operational management
Warehouse Manager, Tech-Takeback Ltd: Implementation of day-to-day security procedures and QA checks
Trustees, Directors and staff at Tech-Takeback Foundation and Tech-Takeback Ltd: Compliance with all security protocols
4. Access Control
Physical access to the Tech-Takeback Ltd warehouse is digitally logged; access is restricted to authorised employees.
Visitors are strictly signed in/out and supervised at all times.
IT systems require regularly updated usernames/passwords.
Data-bearing items are secured in a dedicated ‘red zone’.
5. Asset Management and Tracking
Detailed asset tracking from point of collection, throughout refurbishment, data erasure, and resale/recycling.
Secure digital logging system with real-time asset status updates.
Barcoded tracking ensures accurate record-keeping and verification.
6. Data Protection and Erasure
Tech-Takeback complies with:
CESG (HMG InfoSec Assurance Standard No.5)
US DoD Standard 5220.22-M
Erasure procedures:
Immediate use of industry-standard Global Erasure Wipedrive software upon asset arrival.
Detailed digital erasure reports issued for all certified erasures.
On-site certified destruction for unsuccessful erasures, followed by licensed recycling.
Complete audit trails maintained and digitally secured.
7. Physical and Environmental Security
Warehouse located on secure premises with high-security measures including locked doors, security checks, and CCTV.
Items transported in sealed, unmarked vehicles.
Driver identity checks and planned, secure routing.
Data-bearing devices stored securely until data-erasure confirmation.
8. Technical Security Measures
Cloud-based, secure storage via Tresorit.
Robust cybersecurity hygiene (firewalls, antivirus, staff cybersecurity training).
Critical data erasure software maintained on secure USB drives.
9. Incident Response and Management
Immediate notification and response procedures for physical security breaches, cybersecurity incidents, or operational disruptions.
Clear protocols for stakeholder notification, including regulatory compliance (ICO).
Detailed incident reporting with comprehensive audit trails.
10. Business Continuity and Disaster Recovery
Established response procedures for critical disruptions (fire, theft, pandemic).
Recovery objectives clearly defined:
IT Systems: within 24 hours
Warehouse Operations: within 48-72 hours
Alternative operational arrangements prepared, including temporary relocation.
11. Human Resources Security
All operational personnel undergo rigorous vetting (identity, employment, CRB checks).
Regular training on data protection, cybersecurity, and operational protocols.
Procedures in place to encourage skills sharing and resilience against workforce disruptions.
12. Compliance and Audits
Continuous adherence and compliance audits.
Regular internal QA checks and random audits of data-erasure procedures.
Commitment to reporting and rectifying compliance issues promptly.
Bring Your Own Device (BYOD) Guidelines:
Personal devices used to access Tech-Takeback systems must be secured by passwords, PINs, or biometric security. Devices must have up-to-date antivirus software and operating system patches.
Access to company resources from personal devices is strictly limited and controlled by the IT Department. Permission to use personal devices may be withdrawn at any time if the device is considered to pose a security risk.
Employees agree that Tech-Takeback reserves the right to remotely wipe company data from personal devices in the event of loss, theft, or security breach. Employees should back up personal data separately to ensure personal information is not lost in such an event.
Use of personal devices must adhere strictly to existing Tech-Takeback policies regarding acceptable use of the internet, email, and social media.
Compliance with these guidelines is subject to regular review by the Tech-Takeback Management Team. Failure to comply may result in withdrawal of remote access rights, restriction of BYOD privileges, or disciplinary action in accordance with Tech-Takeback's disciplinary procedures.
CONTACT US
If you have any questions regarding this Privacy Policy or the practices of this Site, please contact us by sending an email to hello@techtakebackfoundation.org.uk.
Last Updated: This Policy was last updated on 21 January 2026
