Chain of Custody That Auditors Trust: Step-by-Step SOP with Logs and Sign-Offs

Purpose: Define a practical, audit-ready Chain of Custody (CoC) process for electronics recycling and ITAD operations. This SOP ensures every asset and data-bearing device is tracked from intake to final disposition, with complete records, signatures, and tamper-evident controls.

Scope: Applies to all incoming assets (loose or palletized), especially data-bearing media (HDD/SSD/NVMe, mobile devices, tapes, removable media). Covers in-house handling and transfers to downstream vendors.

Outcomes:

  • Verifiable custody history for each asset or package.
  • Clear accountability at each handoff.
  • Evidence of data protection and compliance suitable for audits.

1) Roles & Responsibilities

  • Receiver (Intake Technician): Creates intake record, applies asset/lot IDs, photographs condition, affixes tamper seals for data-bearing packages, initiates CoC Log entry.
  • Custodian (Operations Lead or Cage Custodian): Controls access to secure areas, verifies seal integrity at each movement, signs custody transfers, approves exceptions.
  • Transporter (Internal Driver or Courier Liaison): Verifies counts, seal numbers, and documentation before transport; obtains signatures at pickup and delivery.
  • Data Team (Sanitization/Destruction Technicians): Updates CoC Log with wipe/destroy results, serials, QA verification, and exceptions.
  • Compliance (Quality/Compliance Manager): Performs periodic reconciliation, spot audits, and record retention; maintains approved downstream list.

Tip: Maintain a simple RACI matrix in your SOP binder to avoid confusion during audits.


2) Definitions (keep them simple)

  • Chain of Custody (CoC): Continuous documented control of assets/media from receipt to final disposition.
  • Lot ID: Unique identifier for a group of items received together (e.g., shipment or pallet).
  • Asset ID: Unique identifier for a single device/unit.
  • Tamper-evident seal: Numbered seal that, once broken, cannot be reapplied without evidence of tampering.
  • Exception: Any deviation from expected condition, count, or procedure (e.g., broken seal, mismatch, unknown device).
  • Final Disposition: Reuse/resale, material recovery, or certified destruction.

3) Required Records & Tools

  • CoC Log: Central record tracking lot/asset IDs, locations, handlers, timestamps, seal numbers, and signatures.
  • Intake Form: Shipper details, counts, weight, photos, condition notes, hazards.
  • Sanitization/Destruction Records: Method, tool/version, serial numbers, verification results, technician & QA sign-off.
  • Transfer Form: Handoff documentation for internal moves and outbound shipments.
  • Exception/Incident Form: Description, immediate actions, CAPA reference.
  • Secure Storage: Lockable cage or room with restricted access; access log (badge or manual).
  • Seals & Labels: Pre-numbered tamper seals; durable asset/lot labels; barcode/QR preferred.
  • Scales & Cameras: For weights and photographic evidence at intake and outbound.

4) End-to-End Process Flow

Step A — Pre-Receipt (Scheduling & Risk Prep)

  1. Schedule & Pre-profile: Capture client name, pickup/delivery method, expected item classes, estimated counts/weights, special requirements (encrypted media, client seals).
  2. Prepare IDs & Materials: Pre-print Lot IDs, confirm seal inventory, stage Intake Forms, and ensure secure storage capacity.
  3. Assign Staff: Receiver, Custodian, and Transporter designated for the job.

Step B — Intake (Receiving & Lot Creation)

  1. Receive Shipment: Verify shipper identity and Bill of Lading against schedule.
  2. Initial Inspection: Check pallets/containers for damage; photograph overall shipment.
  3. Create Lot: Assign a Lot ID; affix Lot label to pallet(s)/container(s).
  4. Count & Weigh: Record total counts and/or weight per pallet/container; note discrepancies.
  5. Seal Status:
    • If shipment arrived sealed: record seal numbers & condition; photograph seals.
    • If unsealed or mixed: apply new seals to each container holding data-bearing devices.
  6. Intake Form: Document shipper, Lot ID, arrival time, receiver name and signature, condition notes, photos taken (reference numbers if you use a photo log).
  7. CoC Log Entry (Start): Create the initial CoC Log record for the Lot ID with date/time, receiver, location, and (if applicable) seal numbers.

Tip: If you receive loose items, group data-bearing devices into bins and immediately seal those bins; record the seal numbers in the CoC Log.

Step C — Secure Storage (Access Control)

  1. Move to Secure Area: Transport the sealed pallets/bins to the secure cage/room.
  2. Sign Handoff: Receiver → Custodian handoff recorded in the CoC Log with both signatures, date/time, and location change.
  3. Access Control: Only authorized staff may access; each entry/exit is logged (badge or manual) and tied to Lot/Asset activities.

Step D — Internal Transfers (Within Facility)

  1. Request Move: When assets move (e.g., cage → data wipe room), generate a Transfer Form including Lot ID, destination, purpose, planned start/end times.
  2. Verify Seals: Custodian checks seal numbers and integrity before release; record in CoC Log.
  3. Signatures: Custodian (releasing) and receiving technician sign the transfer with timestamps.
  4. Upon Arrival: Receiving technician confirms counts, seal integrity, and updates the CoC Log.

Step E — Processing (Data Protection at the Core)

  1. De-sealing & Open: Only at the point of processing. Record seal break with number, date/time, and technician signature.
  2. Identify & Label Assets:
    • Assign Asset IDs to each device/media.
    • Capture serial numbers (scan when possible).
  3. Sanitization or Destruction:
    • Record method (e.g., software wipe, degauss, shred), tool/version, settings, result (pass/fail).
    • For wipes: record verification step/results; for destruction: record particle size or cut class if applicable.
  4. QA Check: A second person (QA) verifies a sample or 100% as required; signs off with date/time.
  5. Update CoC Log: Link each Asset ID to the Lot ID, record processing details and outcomes.

Important: If a device cannot be wiped (SMART errors, unsupported interface), quarantine it in a sealed container → document exception → route for physical destruction → update records.

Step F — Consolidation & Outbound (Downstream Transfers)

  1. Package for Outbound: Group processed assets by disposition (e.g., resale, material recovery). Assign Outbound Package IDs and apply tamper seals.
  2. Prepare Documentation: Outbound Transfer Form includes Lot IDs, Asset/Package IDs, counts/weights, seal numbers, destination, carrier, pickup time.
  3. Custody Transfer at Dispatch: Custodian verifies counts and seals; Transporter signs to accept custody. CoC Log updated with date/time, names, and destination.
  4. Proof of Delivery: On receipt, downstream or warehouse signs Delivery section with date/time, condition notes, and seal verification. Obtain copy (scan/photo) for records.

Step G — Final Disposition & Closeout

  1. Record Final Disposition: For each Asset/Package ID, record resale ticket, destruction certificate reference, or material recovery ticket.
  2. Reconciliation: Compliance reviews the CoC Log against intake counts and outbound records; resolve any deltas.
  3. Close Lot: Mark Lot as “Closed” with date, reviewer name, and any CAPA references for exceptions.

5) Exception Handling (What Auditors Look For)

Common Exceptions & Actions:

  • Broken or Missing Seal: Immediately quarantine; photograph; assign new seal; record as exception with time, person, and location. Initiate CAPA (root cause, corrective & preventive actions).
  • Count Mismatch: Recount; reconcile against intake/outbound docs; note root cause (mis-sort, mis-scan). Update CoC Log and issue CAPA if systemic.
  • Unknown Devices/Media: Tag “Unknown,” quarantine; investigate origin (Lot linkage). If unresolved, treat as highest risk (data-bearing) and process accordingly.
  • Process Fail (Wipe Fail): Record failure reason; transfer to destruction with new sealed container; update records.

Nonconformity Triggers: Missing signatures, absent seal numbers, handoffs without timestamps, or incomplete serial tracking for data-bearing devices. Your SOP should require immediate correction and documented CAPA.


6) Recordkeeping & Retention

  • CoC Logs, Intake Forms, Transfer Forms, Exception/CAPA, Sanitization/Destruction Records, Proof of Delivery: Retain for the period your certification or contracts require (often 3–7 years).
  • Format: Electronic system preferred (exportable CSV/PDF). If paper, scan to PDF and index by Lot ID.
  • Indexing Rules: File by Year → Client → Lot ID, with cross-references to Asset IDs and Outbound Package IDs.

7) Physical Controls & Security Notes

  • Segregation: Separate data-bearing from non-data-bearing at intake; different color labels help.
  • Signage: Post access rules at secure areas; include “No unauthorized entry,” “No personal devices,” and camera policies.
  • CCTV Coverage: Entrances to secure areas, processing stations, and shipping bays. Store footage per policy.
  • Tool Control: Only approved wiping tools; versions and hashes recorded in the Sanitization Record.
  • Training: Annual training on CoC, seals, exceptions, and documentation; keep rosters and quizzes.

8) Audit-Ready Tips (Make Your Records Self-Explanatory)

  • Consistent Timestamps: Use 24-hour format with timezone; devices should be time-synced.
  • Readable Signatures: Pair signatures with printed names and employee IDs.
  • Photo Evidence: Photograph seals at intake and outbound; include the seal number visible in frame.
  • Unique IDs Everywhere: Lot ID, Asset ID, Package ID are never reused; barcode/QR reduce errors.
  • Spot-Checks: Weekly mini-audits: pick a Lot, walk from intake photo → CoC Log → sanitization record → outbound proof. Fix gaps immediately.

9) Templates (Copy & paste into your forms system)

A) Chain of Custody Log (Core Fields)

  • Lot ID
  • Asset ID (or “Package ID” for bulk)
  • Item description (device/media type, model)
  • Serial number (for data-bearing items)
  • Seal number(s) applied/verified
  • Location (from → to)
  • Handler name & signature (releasing)
  • Handler name & signature (receiving)
  • Date & time (handoff)
  • Purpose of transfer (intake, storage, processing, outbound)
  • Notes/Exceptions (reference Exception ID if applicable)

B) Intake Form (Shipment)

  • Client/shipper name
  • Arrival date/time
  • Bill of Lading / reference
  • Lot ID(s) assigned
  • Counts & weights by pallet/container
  • Visual condition notes + photo references
  • Seal numbers observed (if any)
  • Receiver name & signature

C) Transfer Form (Internal/Outbound)

  • From location → To location
  • Lot/Package/Asset IDs included
  • Count/weight
  • Seal numbers verified/applied
  • Releasing person (name, signature, timestamp)
  • Receiving person (name, signature, timestamp)
  • Carrier details (for outbound)
  • Delivery confirmation section (signature, timestamp, seal status, condition notes)

D) Sanitization/Destruction Record

  • Asset ID, serial number
  • Method (wipe/degauss/shred), tool & version, settings
  • Result (pass/fail) + verification results
  • Technician name & signature + timestamp
  • QA reviewer name & signature + timestamp

E) Exception/Incident Report

  • Exception ID
  • Date/time, location
  • Lot/Asset/Package ID(s)
  • Description (e.g., broken seal, count mismatch)
  • Immediate containment actions
  • Root cause analysis (once known)
  • Corrective actions taken
  • Preventive actions planned
  • Responsible person & due dates
  • Closure date & approver signature

10) Daily/Weekly Controls (Simple Routine That Works)

Daily:

  • Reconcile previous day’s handoffs (are signatures and timestamps complete?).
  • Verify seal stock and log usage; investigate any gaps in seal number sequences.
  • Check cage access log vs. CoC activity.

Weekly:

  • Perform a start-to-finish trace on one closed Lot and one active Lot.
  • Calibrate scales if used for billing/weights.
  • Review exceptions—close open items or escalate CAPA.

Monthly:

  • Audit 10% sample of sanitization records against the CoC Log and device serials.
  • Review training needs and update roster.
  • Validate that record retention and indexing are current.
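
The daily handoff reconciliation above and the nonconformity triggers in section 5, as an added example that is not part of the original SOP: a Python check over a CSV export of the CoC Log. The column names, the "S"-prefixed seal format, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column names are assumptions modelled on the
# CoC Log core fields; seal numbers are assumed to be "S" + integer.
SAMPLE_CSV = """lot_id,seal_no,loc_from,loc_to,releaser,receiver,timestamp
LOT-0001,S1001,DOCK,CAGE-A,R. Diaz,K. Osei,2024-05-06T09:12:00+00:00
LOT-0001,S1001,CAGE-A,WIPE-1,K. Osei,,2024-05-06T13:40:00+00:00
LOT-0002,S1002,DOCK,CAGE-A,R. Diaz,K. Osei,2024-05-06 10:05
LOT-0002,,DOCK,WIPE-1,K. Osei,T. Lind,2024-05-06T15:00:00+00:00
LOT-0003,S1005,DOCK,CAGE-B,R. Diaz,K. Osei,2024-05-06T11:30:00+00:00
"""

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def check_handoffs(rows):
    """Return (row number, lot, finding) for each nonconformity trigger."""
    findings, last_loc = [], {}
    for n, r in enumerate(rows, start=1):
        lot = r["lot_id"]
        for role in ("releaser", "receiver"):
            if not r[role].strip():
                findings.append((n, lot, f"missing {role} signature"))
        if not r["seal_no"].strip():
            findings.append((n, lot, "absent seal number"))
        try:
            if datetime.fromisoformat(r["timestamp"].strip()).tzinfo is None:
                findings.append((n, lot, "timestamp without timezone"))
        except ValueError:
            findings.append((n, lot, "missing or unparseable timestamp"))
        # Custody is continuous only if each release starts where the lot last arrived.
        if lot in last_loc and last_loc[lot] != r["loc_from"]:
            findings.append((n, lot, f"location gap: {last_loc[lot]} -> {r['loc_from']}"))
        last_loc[lot] = r["loc_to"]
    return findings

def seal_gaps(rows, prefix="S"):
    """Seal numbers missing between the lowest and highest logged seal."""
    used = sorted({int(r["seal_no"][len(prefix):]) for r in rows
                   if r["seal_no"].startswith(prefix)})
    return [f"{prefix}{n}" for a, b in zip(used, used[1:]) for n in range(a + 1, b)]

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for finding in check_handoffs(rows):
        print(finding)
    print("seals to account for in stock/void records:", seal_gaps(rows))
```

Seal numbers returned by `seal_gaps` are leads to reconcile against seal stock and voided-seal records, not findings by themselves.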

11) What Makes Auditors Confident (and Where They Fail Findings)

Confidence Builders:

  • Every handoff has two signatures and a clear location change.
  • Seal numbers are always present, legible, and match photos.
  • Serial numbers for all data-bearing media are captured and tied to outcomes.
  • Exceptions are documented quickly with CAPA showing real preventive steps.

Common Findings:

  • Missing timestamps or illegible signatures.
  • Seals recorded at application but not verified at receipt.
  • Wipe logs without tool version or verification step.
  • Transfer forms used inconsistently between departments.

12) Version Control & Training

  • SOP Version: Include version number, effective date, and next review date on the first page.
  • Change Log: Brief table of revisions (what changed, who approved, date).
  • Training: New hires trained before handling assets; refresher annually; keep sign-in sheets and quiz results.

Final Notes

An auditor-trusted chain of custody is mostly about clarity and consistency. If a third party can understand your records without asking you questions, you’ve done it right. Keep the process simple, seal what matters, sign every handoff, record every step, and reconcile often. Your CoC will hold up—during audits and when it matters most.
