WV Tech and PwC Develop Data Sanitisation Framework
WV Tech partnered with PwC to deliver Australia’s first industry framework for secure data sanitisation. This collaboration showcases our commitment to protecting sensitive data, meeting compliance requirements, and demonstrating Indigenous-led thought leadership in cybersecurity, sustainability, and social procurement outcomes.
Setting the Standard for Secure Disposal
When organisations think about cybersecurity, they focus on networks, threat detection, and incident response. But the risk doesn’t end when a device is decommissioned. Every retired laptop, server, or router can hold sensitive data—PII, IP, or credentials that open entire networks.
The new Device Data Sanitisation Frameworks Report, developed by WV Tech in collaboration with PwC Australia, confronts this overlooked risk and provides industry with clear, actionable steps. It helps organisations protect themselves, comply with tightening privacy laws, and reduce vulnerability in an increasingly regulated environment.
A Collaborative Effort with PwC Australia
We’re proud to have partnered with PwC, one of Australia’s leading professional services firms, to deliver this framework. PwC brought deep expertise in risk management, regulation, and industry standards. WV Tech contributed our lived experience as an Indigenous-owned, NAID AAA–certified, PSPF-endorsed IT asset disposal provider.
Together, we analysed existing legislative gaps, government security frameworks like the ISM and PSPF, and standards such as ISO 27001 and AS/NZS 5377. The result is a practical, industry-ready framework that maps security classification levels to certified, auditable disposal requirements.
This wasn’t about writing another report to gather dust. It’s a usable, realistic tool organisations can adopt to demonstrate they’re taking reasonable steps under the Privacy Act 1988, SOCI Act 2018, and other compliance regimes.
Identifying a Hidden Cybersecurity Gap
The report makes one thing clear: disposal of data-bearing devices is an underappreciated cyber risk. Every year, millions of devices are retired with no consistent mandate on how to securely dispose of them.
Government agencies have the PSPF and ISM frameworks, which require NAID AAA–certified disposal providers with PSPF endorsement. But private industry? There’s a clear gap.
Our experience shows many organisations don’t even know where data lives on their devices. It’s not just the hard drive anymore—it’s firmware, RAID controllers, network cards, and dozens of potential storage points.
Our framework helps businesses assess risk, classify data properly, and make informed choices about secure disposal—whether that’s in-house or via certified partners. It gives companies a clear, defensible approach for protecting data even at end-of-life.
Enabling Industry to Meet Compliance Obligations
Privacy laws are evolving rapidly. The Privacy Act now allows penalties up to $50 million for serious or repeated breaches. Reporting requirements are tighter under the Notifiable Data Breaches scheme. At the same time, critical infrastructure entities face stricter obligations under the SOCI Act.
For many, data security policies stop at ‘live’ systems. This report aims to extend best practices across the full lifecycle of data, including end-of-life assets.
At WV Tech, this is what we do every day:
Our work with PwC ensures industry can now better understand why this matters and how to do it right.
Thought Leadership Grounded in Practice
At WV Tech we track devices with up to 30+ possible data storage points. Our chain-of-custody processes, NAID AAA certification, and PSPF endorsement prove we can meet the highest standards—while employing and training Indigenous Australians to deliver this critical work.
Secure disposal is complex. But it’s solvable. And this framework is our contribution to helping the entire industry move toward a higher standard: one that’s secure, compliant, environmentally responsible, and socially impactful.
A Call to Action for Industry
As legislation tightens and cyber threats grow, organisations can’t afford to treat device disposal as an afterthought. The Device Data Sanitisation Frameworks Report is our invitation to procurement teams, IT leaders, CISOs, and ESG managers: let’s raise the bar together. Let’s make secure, compliant, and responsible disposal the new norm.
“Every collection is a chance to protect data, cut waste, and create real jobs.”