R2 Guidance & Knowledge Base

Qualifying downstream vendors for processing data devices


Q.   What are the requirements for qualifying a downstream vendor (DSV) for processing data devices?

When data sanitization is not performed by the R2 Facility, any items that may contain data must be securely transferred to a DSV qualified in accordance with Appendix A – Downstream Recycling Chain.

Qualifying the DSV for data sanitization must include one of the following:

    1. In accordance with A (7), confirm that the DSV has an active R2 Certification that includes Appendix B – Data Sanitization for the devices requiring sanitization; or
    2. In accordance with A (8)(d)(1), annually verify that the DSV smelts or incinerates the data devices for final destruction; or
    3. In accordance with A (8)(d)(2), have the DSV annually audited by an independent auditor and confirm conformance with the requirements of Core Requirement 7 and Appendix B – Data Sanitization.

ADDED 10/5/2022   Q.   Can an R2 facility ship data storage devices to a downstream vendor that sends those same devices to another downstream vendor for sanitization?

The short answer is no. Core Requirement 7 provides three options for sanitizing data-containing items. The first two options are found in Core 7(c)(2)(A) and (B) and pertain to in-house sanitization. The third option is found in Core 7(c)(2)(C):

Ship/transfer data storage devices under written contract to a downstream vendor that has been verified in accordance with Appendix A – Downstream Recycling Chain, with the capabilities to sanitize data from the type of equipment shipped in accordance with the planned method disclosed to the supplier. 

This requirement specifies that the DSV chosen to receive the data storage devices must have the capability to sanitize them. Further transfer of that data device to another DSV for sanitization is not listed as an option. The intent of this requirement is to ensure that devices containing data are tracked and handled with the highest level of care, and for R2 facilities to keep tight control of those data-containing devices by limiting the number of parties that have access to them.

ADDED 8/13/2024   Q.   If my facility is R2 Certified, do I have the necessary qualifications to receive data storage devices from R2 Certified upstream suppliers for further processing?

While Core 7 of the R2 Standard includes strong data security requirements for all R2 Certified Facilities, some suppliers (including all R2 Certified suppliers) require the more specialized data sanitization processes in Appendix B – Data Sanitization.

QUALIFICATIONS NEEDED TO RECEIVE DATA STORAGE DEVICES 

  • To receive data storage devices from an R2 CERTIFIED SUPPLIER for further processing, the R2 downstream vendor (DSV) must be certified to Appendix B for logical and/or physical data sanitization, depending on the type of data sanitization process that needs to be performed.  This is found in the requirements below. 

Core 7(c)(2)(C) Ship/transfer data storage devices under written contract to a downstream vendor that has been verified in accordance with Appendix A – Downstream Recycling Chain, with the capabilities to sanitize data from the type of equipment shipped in accordance with the planned method disclosed to the supplier. 

Appendix A(7) – requires that an R2 Certified downstream vendor must have:
“… a certification scope, including applicable Process Requirements, consistent with the equipment, components, and materials received, and the processes performed …”

  • When receiving data storage devices from a NON-R2 SUPPLIER, the R2 DSV may process the data storage devices in one of the three ways below. Certification to Appendix B would only be needed in the first scenario under Core 7(c)(2)(A). For the other two scenarios, certification to Appendix B is not required.
      • Core 7(c)(2)(A) – Sanitize the data on the data storage devices in accordance with Appendix B – Data Sanitization (Certification to Appendix B IS required).
      • Core 7(c)(2)(B) – Physically destroy the data storage media in accordance with an applicable method defined in Appendix A of the NIST Guidelines for Media Sanitization: Special Publication 800-88 (rev.1) and verify destruction in accordance with a defined process to demonstrate 100% effectiveness of the destruction process (Appendix B NOT required).
      • Core 7(c)(2)(C) – Ship/transfer data storage devices under written contract to a downstream vendor that has been verified in accordance with Appendix A – Downstream Recycling Chain, with the capabilities to sanitize data from the type of equipment shipped in accordance with the planned method disclosed to the supplier (Appendix B NOT required).
