HOW DO FACILITIES DETERMINE WHICH APPENDICES (PROCESS REQUIREMENTS) APPLY TO THEM?

Process Requirements apply only to R2 facilities that engage in those specific processes. Activities or processes taking place at a facility cannot be excluded.

If an R2 Facility wipes a single hard drive, then it must certify to Appendix B – Data Sanitization.

If a R2 facility buys material that is drop-shipped directly to another vendor, then Appendix F – Brokering applies.

But keep in mind that processes need to occur with enough frequency to generate a good sampling of records.  For each process or activity, an auditor will need to see sufficient records to demonstrate implementation and conformance with the R2 Standard. 

Processes that lack sufficient records will result in a nonconformance. 

Working within your core competencies and limiting the PROCESSES (Appendices) that need to be certified can be a way of containing audit costs.  A cost analysis may show that infrequent materials streams may not justify the cost of auditing and certifying a particular PROCESS that is rarely performed – especially when those items could be sent to a qualified downstream vendor for processing.

Reduce Audit Costs

One way to reduce audit time and cost is to use downstream vendors to process items that fall outside the R2 facility’s core operations, which reduces the number of applicable appendices.


What Activities to include or exclude from the R2v3 Scope Statement?

R2v3 requirement 1.(B)(1) STATES THAT THE R2 CERTIFICATE SHALL HAVE AN “ACCURATE STATEMENT OF THE SCOPE OF OPERATIONS”

Section 11.0 of the R2v3 Code of Practices (COP) provides specific requirements for how the scope must be presented on the R2v3 Certificate. For each applicable R2v3 Process Requirement appendix, the COP defines specific terms that must be included in the scope.

In addition to these terms, the R2 Facility must also define the types of equipment, components, and materials managed related to each of the certifiable processes and have that information recorded on the R2v3 Certificate.

See Table 9 from the R2v3 Code of Practices regarding properly identifying scope statements.

R2v3 Scope Statement examples


Do not include future plans or operations or non-active operations of the R2 facility as part of your scope statement.


Deciding between RIOS or ISO based Standards required by R2v3 Certification?

You have made a strong commitment in choosing R2v3 Certification, and you want to maximize the value of your certification efforts. ISO-based standards provide worldwide recognition and established credibility to the R2v3 facility. In addition, ISO-based standards improve the marketability of the R2v3 facility, and under ISO-based + R2v3 you will be issued four certificates: ISO 9001, ISO 14001, ISO 45001 and R2v3 Certification.

Get Recognized

The amount of work required is the same whether you choose ISO-based standards or RIOS; however, established ISO-based standards and their global acceptance increase your organization’s brand value.


Competency of Internal Auditors

Internal audits are an important aspect of certification and are required by several different sections of the R2v3 Standard:

  • Core Requirement 3 (b) requires internal audits to be conducted at least annually to verify conformance with the facility’s Environmental, Health and Safety Management System and each R2 requirement

  • Core Requirement 4 (d)(3) requires periodic internal audits of the facility’s legal compliance plan

  • Core Requirement 7 (c)(3) requires internal data security and sanitization audits to be conducted at least annually

For internal audits to be effective, they must be conducted by someone with the right competencies. The Paradygm Internal Auditors have the knowledge and experience necessary to understand the R2 requirements, and to evaluate whether the facility is meeting those requirements.  Simply giving an employee a checklist and assigning them to do an internal audit will not be effective unless that person has sufficient knowledge of the processes and procedures they’re auditing.

Competency of the auditor can be achieved by a combination of training, hands on experience, and ongoing education.  Paradygm Internal Auditors have successfully completed the SERI R2 Lead Auditor Course and passed the final exam. 

The required competency for an internal auditor will vary from organization to organization, depending on the complexity of the organization’s scope and legal requirements.  It may be that a single person within the organization is qualified to audit all areas, or it may be that multiple auditors will be needed – each with their own area of competency.

Facilities need to keep in mind that the body of knowledge needed to conduct an effective internal EH&S compliance audit is different than the knowledge needed to conduct an effective internal R2 audit or data security audit.  For example, an EH&S auditor is expected to be knowledgeable in areas such as storm water management regulations, air quality, respiratory protection, noise, and industrial hygiene monitoring, but that same auditor may have no knowledge of data sanitization and would not have the expertise needed to conduct a data security audit.  When determining who will be conducting internal audits, it is helpful to create a matrix of the requirements, including various regulations applicable to the organization, and determine who has the qualifications to audit each area.

One of the many benefits of an effective internal audit, is that it can help facilities identify and correct areas where the facility is not conforming to R2 requirements.  By correcting these issues in advance of the certification body audit, a facility can avoid non-conformances that may result in delays or lapses in certification, suspension, or even revocation of the facility’s certification.   

20 Years of Experience

Paradygm Internal Auditors have over 20 years of experience in performing Quality, Environmental and Health & Safety Management System audits. Additionally, we are well versed in R2 requirements.


Which import/export requirements must be verified for each shipment under Appendix A (3)?

Core Requirement 4.(c) requires the identification and documentation of the legality of imports/exports as part of the R2 Facility’s legal compliance plan. This includes determining if the items are regulated; whether the regulated items are hazardous; the proper names and/or codes used for shipping; packaging requirements; permissible quantities; required shipping forms; and any permits or authorizations required for the shipment.

Prior to any transboundary shipments, Appendix A (3) requires that the R2 Facility verifies the related requirements as outlined in the legal compliance plan to confirm compliance of the shipment with all applicable requirements.

IF A FACILITY EXPORTS TO AN OECD COUNTRY, IS THAT SUFFICIENT PROOF OF LEGALITY AS REQUIRED IN CORE REQUIREMENT 4 (C)?

Not all OECD countries have the same laws and regulations, so that in itself does not constitute proof of legality.   Some of the other things you would need to consider include whether the items are regulated, whether they’re hazardous, and any conditions related to the shipment, such as what permits or authorizations are required, any declarations or shipping documents for the shipment, and the permissible types and quantities of items for each shipment.

As for proof of legality, a few examples could be:

  • A permit showing your downstream vendor is permitted to import the material you are sending

  • Copy of a law or regulation specifically stating the material may be imported

  • Link to country website which states import/export restrictions and specifically states that the electronic items/materials you are sending are allowed to be imported.


WHAT INFORMATION IS REQUIRED IN THE “SUMMARY REPORT OF TRANSACTIONS” UNDER REQUIREMENTS 5.(A)(3) AND 5.(C)(3)?

The inbound summary report should at minimum include:

  • Supplier name and location;

  • type of equipment/material received;

  • quantities; and

  • date of receipt.

The outbound summary report should at minimum include: 

  • Downstream vendor name and location;

  • type of equipment/material shipped;

  • quantities;

  • date of shipment; and

  • unique shipment identifier.


WHAT ARE “R2 CONTROLLED STREAMS” ?

The categories of R2 Controlled Streams are outlined in Table 1 of the REC. R2 Controlled Streams are electronic equipment, components or material streams that are subject to the requirements of the R2 Standard for processing and disposition.

R2 Controlled Streams include:

  • Any equipment, components or materials that have not yet been evaluated by the R2 Facility to determine their R2 Applicability

  • Data devices and media that have not been sanitized

  • Equipment or components that have been evaluated and determined to be capable of reuse but have not yet been tested, repaired and confirmed functioning

  • Any equipment or components that contain a Focus Material

  • Focus Materials

All equipment, components, and materials received must be treated as an R2 Controlled Stream until evaluated, and in some cases processed, and then determined to no longer meet the definition of an R2 Controlled Stream.


BASED ON CORE 6.(B)(1) HOW CAN EQUIPMENT BE “IDENTIFIED” WITH ITS CORRESPONDING R2 EQUIPMENT CATEGORY IF A PHYSICAL LABEL IS NOT REQUIRED, AND HOW WOULD THIS BE AUDITED?

Best practices indicate that assets can be tracked to individual items through barcodes, serial number tracking, or other tracking mechanisms already maintained by the R2 Facility.

Alternatively the categories do not need to be applied to individual pieces of equipment, components or materials, and instead can be assigned to specific processing and storage areas, where the proper handling and movement of the items through the process can be used to demonstrate the categorization.  Sometimes this identification can be accomplished by using a special type of bin, rack or location that the items are stored in, where they are then physically moved to different locations, racking, etc. once processed. 

Auditing of REC categorizations will include examining the conditions taken into account to determine the categorization and ensuring that the items are handled accordingly and follow the proper R2 processing pathway.

It is also important to note that the REC categories will change as items are processed.  As a result, the R2 Facility must effectively manage any changes in categories to ensure the correct REC status is identified at all times throughout the receipt, processing and shipment of items.

For example, a work instruction or matrix may be developed to identify the REC categories used, the points at which they may change, and the subsequent categorization possibilities and processing pathways based on the evaluation.  This may include a change from an R2 Controlled Stream to Unrestricted Stream for non-FMs after being removed and segregated from other devices and materials; or a change from Pre-Sanitization to Non-Data after devices are successfully data sanitized.
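The work instruction or matrix described above can be enforced in software so that a category change is only accepted when the evaluation record that justifies it exists. The following is an added illustration, not tooling from SERI, Paradygm or the R2 Standard; the category names come from this FAQ, while the evidence record names, the one-category-per-item model and the `A-0001`/`WIPE-2024-0001` sample values are assumptions.

```python
"""Enforce REC category changes against the evidence that justifies them.

Added illustration, not SERI's or Paradygm's tooling. Category names come from
the FAQ text above; the evidence record names and the single-category model
(one category per item) are simplifying assumptions.
"""
from dataclasses import dataclass, field

# Permitted category changes and the evidence record each change must cite.
# The evidence keys are assumed names; a real work instruction defines its own.
PERMITTED_CHANGES = {
    ("R2 Controlled Stream", "Unrestricted Stream"): "non_fm_segregation_record",
    ("Pre-Sanitization", "Non-Data"): "sanitization_record",
}

# Categories that still meet the definition of an R2 Controlled Stream.
CONTROLLED = {"R2 Controlled Stream", "Pre-Sanitization", "Focus Material"}


@dataclass
class TrackedItem:
    asset_id: str                              # barcode or serial used by the facility
    category: str = "R2 Controlled Stream"     # every receipt starts here until evaluated
    history: list = field(default_factory=list)


def change_category(item, new_category, evidence):
    """Move `item` to `new_category`, or raise if the change is not permitted
    or the required evidence record is missing. Each accepted change is logged
    on the item so the audit trail shows when and why the category moved."""
    key = (item.category, new_category)
    required = PERMITTED_CHANGES.get(key)
    if required is None:
        raise ValueError(f"{item.asset_id}: {key[0]} -> {key[1]} is not a permitted change")
    if not evidence.get(required):
        raise ValueError(f"{item.asset_id}: change to {new_category} requires {required}")
    item.history.append((item.category, new_category, required, evidence[required]))
    item.category = new_category
    return item


def is_controlled(item):
    """True while the item must still be handled as an R2 Controlled Stream."""
    return item.category in CONTROLLED


if __name__ == "__main__":
    # Constructed walk-through: a laptop received, sanitized, then released.
    laptop = TrackedItem("A-0001", category="Pre-Sanitization")
    try:
        change_category(laptop, "Non-Data", {})   # no record yet -> rejected
    except ValueError as err:
        print("rejected:", err)
    change_category(laptop, "Non-Data", {"sanitization_record": "WIPE-2024-0001"})
    print(laptop.category, is_controlled(laptop), laptop.history)
```

The point of the table is that a category cannot be changed by hand: the only way out of Pre-Sanitization is a sanitization record, and the only way out of R2 Controlled Stream for a non-FM is a segregation record, which is exactly what an auditor examining REC categorizations will ask to see.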


IN ORDER TO SECURE AND CONTROL DATA CONTAINING ITEMS UNDER REQUIREMENT 6.(D)(2), IS ADDITIONAL SECURITY AND SEPARATION REQUIRED WITHIN THE FACILITY?

Each R2 Facility will need to determine the best means to secure and control access to data containing equipment for its operations. The R2 Facility may choose to secure the entire building or specific areas within it, but it must clearly identify and maintain appropriate authorizations for accessing any secured areas in accordance with Core Requirement 7, Data Security.


BASED ON CORE REQUIREMENT 6.(A)(3), AN R2 FACILITY IS REQUIRED TO HAVE A DOCUMENTED PROCESS TO “IDENTIFY ALL DATA STORAGE DEVICES”. HOW SHOULD AN R2 FACILITY DETERMINE IF A DEVICE HAS DATA STORAGE CAPABILITIES?

R2 Facilities must be aware that different devices, and even different models of the same device, can often have different hardware and data storage capabilities that must be accounted for. So, while information from the manufacturer can be useful, it must be applied only to the specific devices identified by that manufacturer, and not broadly interpreted across a category of equipment. Consideration should be given to the specific models, versions, operating systems or other specifications that may vary from device to device and therefore can result in other data sanitization needs.

When identifying data storage devices there are two important aspects to consider. 

  1. The first is whether the device itself can contain data, and therefore would require either physical or logical data sanitization. And, if destined for reuse, the device would need to be logically sanitized with appropriate data sanitization software in accordance with Appendix B (10).

  2. The second factor to consider is whether the device is able to connect to user accounts and other online services. These connections may have the ability to access user data that is stored in locations other than on the device, for example, cloud-based accounts or paired devices. Appendix B (12) requires that all connections to the remote services be removed so that any accounts or related information cannot repopulate to the device.

Another aspect to account for is the difference between data and general information.  R2v3 defines “data” as “private, personally identifiable, confidential, licensed or proprietary information contained on an electronic device…”  Data always requires sanitization.

“General information” is defined as “publicly available information or information that is provided with the original electronic equipment from the manufacturer.”  General information does not require sanitization.

Clearly understanding the difference between data and general information will help in both the development of the Data Sanitization Plan and implementation of the sanitization methods.

Lastly, when identifying data capabilities, be sure to consider any upgrades or modifications to the device, as well as any accessories it may also contain, such as memory cards.
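The considerations above (model-specific storage facts, reuse versus non-reuse, remote account links under Appendix B (12), and accessories or upgrades) can be expressed as one classification routine. The following is an added illustration, not tooling from SERI or Paradygm; the make/model table and the `ExampleCo` device names are constructed sample data, and the action strings are assumed wording.

```python
"""Derive a device's data sanitization needs from model-specific facts.

Added illustration, not tooling from SERI or Paradygm. The make/model table is
constructed sample data; the function encodes the FAQ's points: storage facts
apply only to the exact model, unknown models are treated as data-bearing,
reuse requires logical sanitization (Appendix B (10)), online account links
must be removed (Appendix B (12)), and accessories such as memory cards are
sanitized in their own right.
"""
from dataclasses import dataclass, field

# Keyed by exact (make, model). Constructed entries: the "-22S" variant of a
# display adds storage and cloud accounts, which is why a category-wide
# assumption such as "displays hold no data" is unsafe.
STORAGE_SPECS = {
    ("ExampleCo", "Display-22"):  {"storage": False, "online_accounts": False},
    ("ExampleCo", "Display-22S"): {"storage": True,  "online_accounts": True},
    ("ExampleCo", "Phone-7"):     {"storage": True,  "online_accounts": True},
}


@dataclass
class Device:
    make: str
    model: str
    destined_for_reuse: bool = False
    accessories: list = field(default_factory=list)    # e.g. ["memory card"]
    modifications: list = field(default_factory=list)  # e.g. ["added SSD"]


def sanitization_needs(dev):
    """Return the list of sanitization actions the device requires."""
    needs = []
    spec = STORAGE_SPECS.get((dev.make, dev.model))
    if spec is None:
        # Not in the verified table: keep it in the Pre-Sanitization pathway.
        needs.append("unknown model: treat as data-bearing until evaluated")
        storage, online = True, True
    else:
        storage, online = spec["storage"], spec["online_accounts"]
    if dev.modifications:
        # An upgrade may add storage the stock model lacks.
        needs.append("re-evaluate storage after modifications: " + ", ".join(dev.modifications))
        storage = True
    if storage:
        if dev.destined_for_reuse:
            needs.append("logical sanitization with approved software (Appendix B (10))")
        else:
            needs.append("logical or physical sanitization")
    if online:
        needs.append("remove links to remote accounts/services (Appendix B (12))")
    for acc in dev.accessories:
        needs.append(f"sanitize accessory separately: {acc}")
    return needs


if __name__ == "__main__":
    for dev in (Device("ExampleCo", "Display-22"),
                Device("ExampleCo", "Display-22S", destined_for_reuse=True),
                Device("ExampleCo", "Phone-7", accessories=["memory card"]),
                Device("OtherCo", "X1")):
        print(dev.make, dev.model, "->", sanitization_needs(dev))
```

The conservative default matters most: a device whose exact model has not been verified gets the full set of actions rather than being assumed clean because it resembles a category that usually holds no data.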


IS CERTIFICATION TO APPENDIX C – TEST & REPAIR REQUIRED FOR THE EVALUATION PROCESS UNDER CORE 6.(C) WHEN DETERMINING CAPABILITY OF REUSE? AND, IS A CERTIFIED QUALITY MANAGEMENT SYSTEM (QMS) REQUIRED FOR THOSE FACILITIES THAT ONLY EVALUATE ITEMS FOR REUSE?

If an R2 Facility only ‘evaluates’ equipment or components to determine the capability for reuse, then certification to Appendix C is not required nor is the certified QMS. However, equipment and components that are determined to be capable of reuse must be directed to one of the approved reuse options as identified under Core Requirement 6.(d)(4) or Core 6.(e)(3).

Evaluating for reuse can include a variety of activities such as simple power-on verifications, visual inspections and even some basic level testing.  However, these evaluations are not considered part of the functionality testing under Appendix C or the verifications under Appendix D.

Products that are sold for reuse must meet the criteria of one of the Functioning Product Categories in the REC (Table 4).  Assignment of any F3 through F6 Functioning Product Categories requires that the device be tested and verified functioning through Appendix C.


CORE 7(A)(2)(E) REQUIRES A WRITTEN DATA SECURITY POLICY THAT “ IDENTIFIES PENALTIES FOR NON-COMPLIANCE WITH THE POLICY, INCLUDING PERSONAL LIABILITY.” WHAT IS MEANT BY “PERSONALLY LIABLE” AND WHAT WOULD THAT LOOK LIKE?

Under some legislation regarding data privacy and data breach notification, individuals may be held personally responsible for certain data breaches or failure to report such incidents. For that reason, workers must be regularly trained on the applicable data security requirements and associated controls maintained by the R2 Facility, and verified to be competent in the policies and procedures that are applicable to their role and level of security authorization. In addition, training should reinforce the importance of data security and reporting of any known or suspected data breaches, and workers with security authorizations and access to data containing equipment must also be subject to formal confidentiality agreements. This is not so much a new requirement as it is additional direction about the various legal requirements facilities need to consider.


STEPS FOR DEVELOPING A DATA SANITIZATION PLAN & PROCEDURES

R2v3 Data sanitization plan and procedures

WHAT ARE SOME OF THE KEY QUALITY CONTROLS REQUIRED FOR THE DATA SANITIZATION PROCESS?

There are several quality control requirements within the R2v3 Standard that apply at different points within the data sanitization process and are together used to verify the results of the data sanitization activities and validate the effectiveness of the process overall.

The demonstration of an effective data sanitization process begins with the generation of records from the sanitization activities as required under Core 7.(a)(1)(L).  These records provide evidence that the identified devices were effectively sanitized through the defined process.  However, these records are specific to the devices processed and are not an indication of how well the sanitization process is working overall.

As a result, the R2 Facility must define and document in its Data Sanitization Plan the verification and validation activities required to ensure that all devices requiring sanitization are properly managed throughout the entire process.  Core 7.(c)(3), Appendix B (1)(b), Appendix B (13) and Appendix B (15) provide additional levels of verification of the effectiveness of the data security controls and the sanitization process on an ongoing basis.

Core 7.(c)(3) requires an annual internal audit be conducted by a competent and independent auditor to validate the effectiveness of the data security controls and the entire data sanitization process, and to confirm conformance with all data requirements. For instance, the process validation should look at all aspects of the sanitization process, such as whether all data devices were correctly identified; the data to be sanitized from each device was clearly identified; the correct sanitization software was used; the software was updated and properly configured; the sanitization technician was trained and competent in the process; pre-sanitized and sanitized devices were properly identified and managed; and the process resulted in the elimination of all data as intended.

  • Appendix B (1)(b) requires that documented quality controls be defined in the Data Sanitization Plan to assess and verify the effectiveness of the data sanitization process.

  • Appendix B (13) requires a minimum of 5% of logically sanitized devices be sampled by a competent and independent party to demonstrate that data is not recoverable from the devices.

  • Appendix B (15) requires the implementation of the quality controls defined in the Data Sanitization Plan to confirm that all devices were processed as planned.

Together, this multifaceted approach will help an R2 Facility to ensure all data devices are properly identified, managed and effectively sanitized.


FOR THE ROUTINE SAMPLING OF LOGICALLY SANITIZED DEVICES UNDER APPENDIX B (13), DOES A CONFIRMATION OF THE WIPE FROM THE SANITIZATION SOFTWARE SUFFICE, OR IS THERE AN EXPECTATION TO USE A DIFFERENT SOFTWARE THAT ATTEMPTS DATA RECOVERY?

This sampling process is intended to be more than simply verifying the sanitization records and reports generated by the sanitization software.  While those activities are good quality controls, on their own, they are not sufficient to demonstrate that data is not recoverable.

It is also important to note that the sampling is not intended to be a repeat of the sanitization process, but rather a separate process to test and demonstrate with “commercial software” that “data is not recoverable.” The standard does not specify that separate software is required; however, in practice it may be required in order to attempt the data recovery.
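The Appendix B (13) sampling described here and in the quality-controls answer above can be run from the facility’s own sanitization log: draw at least 5% of the successfully wiped devices, then record a separate recovery attempt for each one. The following is an added illustration, not SERI’s or Paradygm’s tooling; the record layout, the `SN000`-style serials, the independence rule (the verifier must not be the technician who wiped the device) and the use of a fixed seed are assumptions, while the 5% minimum comes from Appendix B (13).

```python
"""Select and evaluate the Appendix B (13) sample of logically sanitized devices.

Added illustration, not SERI's or Paradygm's tooling. The record layout, the
sampling seed and the independence rule (verifier must not be the sanitizing
technician) are assumptions drawn from the FAQ text; the 5% minimum is from
Appendix B (13).
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SanitizationRecord:
    serial: str
    technician: str
    software: str
    result: str        # "pass" or "fail" as reported by the sanitization software


@dataclass(frozen=True)
class RecoveryAttempt:
    serial: str
    verifier: str      # the independent party who attempted recovery
    tool: str          # commercial recovery software used (may differ from the wiper)
    data_recovered: bool


def sampling_population(records):
    """Only devices the software reports as successfully wiped belong to the
    B (13) population; failed wipes are re-processed, not sampled."""
    return [r for r in records if r.result == "pass"]


def select_sample(records, rate=0.05, seed=None):
    """Pick at least ceil(rate * population) devices; a fixed seed makes the
    selection reproducible for the audit file."""
    population = sampling_population(records)
    if not population:
        return []
    size = max(1, math.ceil(len(population) * rate))
    rng = random.Random(seed)
    return sorted(rng.sample(population, size), key=lambda r: r.serial)


def evaluate_sample(sample, attempts):
    """Check each sampled device has an independent recovery attempt on file
    and that no data was recoverable. Returns the findings as a dict."""
    by_serial = {a.serial: a for a in attempts}
    issues = []
    for rec in sample:
        att = by_serial.get(rec.serial)
        if att is None:
            issues.append((rec.serial, "no recovery attempt recorded"))
            continue
        if att.verifier == rec.technician:
            issues.append((rec.serial, "verifier is not independent of the sanitization technician"))
        if att.data_recovered:
            issues.append((rec.serial, "data recovered: sanitization process is not effective"))
    return {"sample_size": len(sample), "issues": issues, "passed": not issues}


# Constructed sample log: 38 successful wipes and 2 failures by one technician.
SAMPLE_LOG = [SanitizationRecord(f"SN{i:03d}", "tech-1", "wiper 3.1", "pass") for i in range(38)]
SAMPLE_LOG += [SanitizationRecord("SN900", "tech-1", "wiper 3.1", "fail"),
               SanitizationRecord("SN901", "tech-1", "wiper 3.1", "fail")]

if __name__ == "__main__":
    chosen = select_sample(SAMPLE_LOG, seed=7)
    attempts = [RecoveryAttempt(r.serial, "qa-lead", "recovery tool", False) for r in chosen]
    print([r.serial for r in chosen], evaluate_sample(chosen, attempts))
```

Two details carry the weight: the population excludes devices whose wipe failed, so a failure cannot be hidden by being sampled and "passing" a recovery attempt on a device that was never in scope, and a sampled device with no recovery attempt on file is a finding in its own right, since a software-generated wipe report alone does not demonstrate that data is not recoverable.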


WHAT ARE THE PERMISSIBLE METHODS FOR DATA DESTRUCTION OR SANITIZATION UNDER R2V3?

Core Requirement 7.(c)(2), outlines three different pathways for data sanitization (sometimes referred to as data destruction).  The methods of sanitization will differ depending on the pathway selected.

  1. R2 facilities certified to Appendix B-Data Sanitization can perform logical and/or physical sanitization in accordance with Appendix B requirements. This means that the R2 Facility can:

    • Logically sanitize data devices using a software program that is designed to both sanitize the device and maintain records of the results of the sanitization process.

    • Physically destroy data devices in accordance with:

      • A physical destruction method identified in Table 1;

      • A method and using approved equipment as identified in the NSA Storage Device Sanitization and Destruction Manual; or

      • Another method that physically destroys the device and has been independently verified by a competent expert to be an effective means of sanitization.

  2. R2 facilities NOT certified to Appendix B-Data Sanitization, can physically destroy data devices in accordance with the NIST Guidelines for Media Sanitization.

  3. A qualified downstream vendor that has been verified in accordance with Appendix A – Downstream Recycling Chain can perform all data sanitization activities on behalf of an R2 Facility.


DO “VERIFY” AND “VALIDATE” MEAN THE SAME THING IN R2V3?

In the R2v3 Standard, “verify” and “validate” mean slightly different things. In writing the R2v3 Standard, the R2 Technical Advisory Committee made sure that each one was used properly. For example:

  • Core 7 (a)(1)(L) uses the term VERIFICATION: “…requires the Data Sanitization Plan to include records to be maintained to demonstrate the effectiveness of the sanitization and verification activities”

  • Core 7 (c)(3) uses the term VALIDATE: “…internal data security and sanitization audits shall be performed at minimum annually by a competent and independent auditor to validate the data sanitization processes are effective and conforming to the R2 Standard, legal requirements, and the data sanitization plan”

Validate is a check on all of the aspects of a process.   Verify is a quality assurance/quality control function, a check against a standing level of performance or expected results.

As an example, let’s consider a welding company. They have a process to weld aluminum, but when it’s time to start welding stainless steel, they need to validate the training, materials and process used to weld the new material.  Once that is finished, they need to verify the results of the new welding process against their internal quality standards.

Another example is getting a driver’s license. When a license is renewed, the information on the old license is checked, a new photo is taken, and the new license is issued, after having been validated.  For a new driver, the license examiner also needs to verify that the person can drive a car before a license is issued.  Here, verification means assessing the performance of the driver, not simply validating the process of obtaining a license.


AN R2 FACILITY HAS THE OPTION TO STOP ITS DOWNSTREAM TRACKING AND VERIFICATION AT THE FIRST R2 CERTIFIED DOWNSTREAM VENDOR (R2V3 DSV) UNDER CORE 8.(A)(3) AND APPENDIX A (1).  DOES THE RECYCLING CHAIN HAVE TO BE REGISTERED WITH SERI TO STOP AT THE FIRST R2 CERTIFIED DSV?

In order to stop tracking and verification at the first R2 Certified DSV, the R2 Facility must meet the requirements in Appendix A (4)(b).  This requirement states:

“Register with SERI, the portion of the downstream recycling chain that it manages, including all R2 Controlled Streams to final disposition or the first R2 Facility (R2v3), to enable mapping of the entire chain, and register any changes prior to shipment.”

This option to register the downstream chain with SERI can reduce the number of DSVs in the facility’s recycling chain allowing for more efficient tracking and verification processes.

Register your downstream with SERI.

IF THE DOWNSTREAM CHAIN IS REGISTERED, WILL THAT INFORMATION BE MADE PUBLIC OR VISIBLE TO OTHERS?

No, the information registered with SERI will not be made public. This information is intended to be used by SERI only, for the oversight of the R2 Certification process including the quality review activities.

When a downstream chain is registered, the R2 Facility’s Certification Body will receive an automated notification that the registration has been received, along with some key information including:  the name of the registered flowchart file, the last revision date of the flowchart, and the number of R2 and non-R2 DSVs.  However, the R2 Facility will still need to share the actual downstream flowchart and evidence of registration with SERI, directly with their R2 auditor for review and assessment through the audit process.

HOW OFTEN CAN UPDATES TO THE DOWNSTREAM VENDORS BE MADE WHEN REGISTERING THE DOWNSTREAM CHAIN UNDER APPENDIX A (4)(B)?

There are no limits on the number or frequency of updates to the vendors in the downstream recycling chain. However, the R2 Facility is required to ensure that the downstream chain remains current, including managing any updates or changes PRIOR to any related shipment. As a result, the frequency of downstream chain updates will depend on the number and frequency of downstream changes made by the R2 Facility.

sample downstream recycling flow chart

ARE ALL R2 FACILITIES REQUIRED TO HAVE POLLUTION LIABILITY INSURANCE UNDER R2V3?

No, pollution liability insurance is not a requirement for all R2 Facilities, and therefore it is not included in the R2v3 Core Requirements.

Pollution liability insurance is required for higher risk R2 Facilities, as defined in Appendix A – Downstream Recycling Chain, when the R2 Facility manages ‘negative value’ equipment, component or material streams.

In addition, R2 Facilities certified to Appendix E – Materials Recovery are also required to maintain assurance for environmental incidents which may include pollution liability insurance or other guarantees.

WHY IS POLLUTION LIABILITY INSURANCE REQUIRED FOR R2 FACILITIES THAT HANDLE NEGATIVE VALUE EQUIPMENT, COMPONENTS OR MATERIALS UNDER APPENDIX A (2)(A)?

The requirement for pollution liability insurance is intended to address those R2 Facilities where the potential risk of pollution is greatest, while excluding certain low risk operations.

As a result, the requirement for pollution liability insurance has been placed in the Appendix A – Downstream Recycling Chain and Appendix E – Materials Recovery to apply to those facilities that are processing for material recovery, or otherwise handling negative value items, which incur a cost to manage.