DIAL
Refers to Section 3 Module 1. Criterion 3.1.1
If this was identified at the sampling part of the audit process it would be viewed as a non-conformance and the non-conformance process would be followed.
Refers to Section 3 Module 1. Criterion 3.1.1
You should confirm with the customer that they are indeed a DIAL 3 and have not merely completed the form without genuine consideration of the impact.
If they are indeed a DIAL 3 then you should first share with them the list of the DIAL 3 criteria from your full audit which you failed to meet, along with a remediation plan including timelines. The customer should then respond either permitting the engagement based on your remediation plan or stating that they require the remediation to be concluded before work is transacted.
Refers to Section 3 Module 1. Criterion 3.1.1
An ADISA certified ITAD company will be expected to obtain the data controller’s DIAL rating for all in-scope ITAD work.
Where they are acting as a sub-processor, the data processor will be expected to provide this information to the sub-processor.
Refers to Section 3 Module 1. Criterion 3.1.1
An applicant that wishes to improve on the outcome of their initial audit has two options:
- The non-conformance process allows for an applicant to commit to an action plan to improve on their provisional audit finding within that initial audit process, or
- An applicant may accept the outcome of their initial audit, but then subsequently request an ad hoc audit sooner than the normal 3-year frequency. Any ad hoc audit will be chargeable based on time and expenses (which would be proportional to the size and complexity of any such audit).
The timescale for both options would be driven by the time taken for the applicant to make the necessary improvements and auditor availability.
UK GDPR
Refers to Section 2 Module 1. Criterion 2.1.2
ADISA will only start auditing Standard 8.0 once we have received recognition by UKAS, which is expected to take 4-6 months. This delay will create an opportunity for applicants to embed their Standard 8.0 compliant contracts across their customer base.
Any assets found during audit that have been, or are being, processed without a Standard 8.0 compliant contract will trigger the ADISA audit non-conformance process. The auditor will assess the severity of any non-conformance (minor or major) and stipulate appropriate actions to resolve the non-conformance.
Sub Processors and Third Parties
Refers to Section 2 Module 9. Criterion 2.9.3
No - a currently ADISA certified company can be used by an applicant without a further audit.
Refers to Section 3 Module 1. Criterion 3.1.1
You will be expected to obtain the data controller's DIAL rating. If the IT Company is making the controller decision, i.e. how to process the data, they would be the data controller and it should be their DIAL. (Their customers might, as a result, be viewed as not complying with GDPR.) If they are reselling your ITAD services to their customers and they have contracts etc. in place with their customers for this work, then you would be a sub-processor and the IT Company is required to provide you with a DIAL rating for each of their customers.
Refers to Section 2 Module 9.
Yes - any other company involved in the end point of the sanitisation/destruction process is a sub-processor for you.
Client engagement
Refers to Section 2 Module 1. Criterion 2.1.2
The agreement made with your customer can be a full-blown contract, a proposal document that lays out the service offered with a link to your T & C's that contain all the UK GDPR compliant elements required, a Data Processing Agreement, a Service Level Agreement or any other document, as long as it contains all the required elements of 2.1.2.
Refers to Section 2 Module 1. Criterion 2.1.2
If this was found during sampling this would be viewed as a non-conformance and the non-conformance process followed. During this assessment we would expect you to be able to provide evidence of asking the customer for a contract, of explaining the importance of putting a contract in place and of you repeating your efforts to get a contract in place. In certain situations it might be appropriate for you to escalate your request to someone within your customer's organisation who is of sufficient authority such that the refusal of a contract is seen as a company-wide decision.
Chain of custody
Refers to Section 3 Module 2. Criterion 3.2.43
It is an essential criterion that the collection paperwork shall include a signature, printed name and date evidencing the transfer of custody from the company releasing the assets to the ITAD. Where a logistics representative (third party carrier) is used, they must check the consignment and sign the paperwork at point of collection, and an ITAD representative must check the consignment and sign at point of receipt at the facility.
It would be good practice for an individual other than the driver to check all consignments and sign them into the facility at point of receipt.
Data Capability
Refers to Section 3 Module 4. Criterion 3.4.9
If you cannot find your make and model on the NSA approved list you would need to get your customer to agree to its use, which would be viewed as "a customer specification". The agreement should include sharing the specific make and model of the degausser being used; generic approval of a "non-NSA degausser" would not be permitted.
Logistics and Processing facility
Refers to Section 3 Module 2. Criterion 3.2.21
The requirement is for customers to have the option to have collections made using vehicles with generic livery, with the guidance being that it should be non-task specific. The tasks which are covered by the ADISA Asset Recovery Standard 8.0 include, but are not limited to:
IT Disposal, ITAD, Data Processing, Data Destruction, Sanitisation, WEEE and Asset Reuse.
Any livery containing these words would not be considered to be generic.
Refers to Section 3. Entire Module
If customers are shipping devices into your facility and they are organising and managing the logistics, then this would be acceptable as long as you are clear in your engagement that you are only taking custody on your facility door.
If you are organising couriers on behalf of customers, then you should ensure the couriers meet the requirements as laid out in Section 3 Module 2.
Should the couriers not be able to meet these requirements then this would be viewed as a non-conformance. The investigation would take into consideration aspects such as:
- Frequency of shipments.
- Reason for couriers (Home workers etc)
- Customer clear and unambiguous approval for the use of couriers.
- Customer being informed that the service does not meet the requirements laid out within 8.0.
- All parties agreeing on where transfer of custody takes place.
As with all non-conformances, frequency is critical: if courier usage which does not meet Section 3 Module 2 is a high proportion of the logistics transactions, it is unlikely to be acceptable for ADISA certification.
ROPA - Record of processing activity
Refers to Section 2 Module 3. Criterion 2.3.1
The requirement is for all processors to have in place a record of processing activity that contains the same information as the ICO templates that can be accessed via the following links.
Inventory control
Refers to Section 3 Module 3. Criterion 3.3.8
A good example of this is the ITAD receiving a kit list stating that there are 100 laptops to collect, but when they are booked in there are actually 101. The customer has not provided the serial numbers, so the ITAD is unable to identify which is the extra laptop.
All assets would need to be quarantined as per 3.3.8 until the customer has agreed a resolution. This is because the ITAD is unable to identify which of the assets is the unexpected asset.
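The booking-in decision described above can be expressed as a small reconciliation rule: match received assets against the customer's kit list where serial numbers were supplied, and hold the whole consignment where only a count was supplied and it does not match. The following is an added illustration, not ADISA's own tooling or a template from the Standard; the function and field names and the "LT-001" style asset labels are constructed for the example, and treating a shortfall the same way as an overage under a count-only kit list is an assumption.

```python
# Added example: reconciling an ITAD intake against the customer's kit list.
# Not ADISA's code; names and sample data are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class IntakeDecision:
    proceed: list        # assets that may continue through processing
    quarantine: list     # assets held under criterion 3.3.8 pending resolution
    reason: str


def reconcile_intake(received: list, expected_count: int,
                     kit_serials: Optional[list] = None) -> IntakeDecision:
    """Decide which booked-in assets may proceed and which must be quarantined.

    received       - identifiers scanned at booking-in (constructed labels)
    expected_count - quantity stated on the customer's kit list
    kit_serials    - serial numbers from the kit list, or None when the
                     customer supplied only a count
    """
    if kit_serials is not None:
        # Serials available: the unexpected assets can be singled out, so
        # only those are quarantined while matched assets proceed.
        expected = set(kit_serials)
        matched = [s for s in received if s in expected]
        extras = [s for s in received if s not in expected]
        missing = sorted(expected - set(received))
        reason = f"{len(matched)} matched, {len(extras)} unexpected quarantined"
        if missing:
            reason += f", {len(missing)} missing from consignment: {missing}"
        return IntakeDecision(matched, extras, reason)

    # Count-only kit list: a discrepancy cannot be pinned to a specific asset,
    # so the whole consignment is held until the customer agrees a resolution.
    if len(received) == expected_count:
        return IntakeDecision(list(received), [], "count matches kit list")
    return IntakeDecision(
        [], list(received),
        f"expected {expected_count}, received {len(received)}; no serials "
        "to identify the discrepancy, whole consignment quarantined",
    )


if __name__ == "__main__":
    # Constructed scenario from the FAQ: 100 expected, 101 received, no serials.
    scanned = [f"LT-{i:03d}" for i in range(1, 102)]
    decision = reconcile_intake(scanned, expected_count=100)
    print(len(decision.proceed), "proceed;", len(decision.quarantine), "quarantined")
    print(decision.reason)
```

The same scenario with serials on the kit list quarantines only the one extra unit, which is why asking customers for serialised kit lists reduces the scope of any hold rather than the whole consignment.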
Dependent Systems
Requirement of the additional certification requirements 7.2 of ISO 17065 (outside the audit process)
You are required to list any systems or interfaces used in the provision of data processing services, such as your sanitisation software partner, your CCTV systems, your storage provider, CRM system etc.
You do not need to list any systems used once the data processing has been completed, for example your sales systems.