Ohio SB 29 ITAD Checklist for K-12 Device Disposal
Published by TD Team on
24 March 2025
New laws and student-data expectations are changing how K-12 districts think about education technology, device refreshes, and IT asset disposition. Ohio Senate Bill 29 is one of the clearest examples: it focuses on education records and student data privacy, but the practical work does not stop with software contracts. District IT teams also need a defensible process for retiring Chromebooks, laptops, tablets, drives, and other devices that may contain student, staff, network, or operational data.
For Ohio schools, SB 29 should be treated as a prompt to tighten documentation around device retirement, data sanitization, vendor handoffs, certificates of data destruction, and chain-of-custody records. This checklist explains what district technology leaders should review before retired devices leave district control.
Quick answer: Ohio SB 29 is primarily about education records and student data privacy. It does not read like an ITAD statute, but it raises the stakes for how K-12 districts document technology providers, student data, and retired device workflows. A district that retires devices should be able to show what was collected, how data-bearing assets were handled, who had custody, what was wiped or destroyed, and what final documentation was returned.
New Laws Are Making IT Asset Disposition a K-12 Compliance Issue
School districts have always needed a practical way to retire technology. What is changing is the level of documentation expected around student data, third-party providers, and device lifecycle decisions. When a district refreshes devices, sells older equipment, recycles damaged hardware, or sends assets to a vendor, the compliance question becomes simple: can the district prove what happened?
That is where IT asset disposition matters. ITAD is the controlled process for collecting, tracking, sanitizing, refurbishing, remarketing, recycling, or destroying retired technology. For K-12 teams, a strong ITAD process helps connect operational work with student-data protection, audit readiness, budget recovery, and responsible reuse.
What Ohio SB 29 Means for School Technology Teams
Ohio SB 29, effective October 24, 2024, addresses education records and student data privacy. The Ohio Legislature summary describes the bill as concerning educational records and student data privacy and notes that it amended or enacted Ohio Revised Code sections tied to those issues. District teams can review the official bill page here: Ohio Senate Bill 29, 135th General Assembly.
The law is not a substitute for district legal counsel, and this article is not legal advice. But from an IT operations standpoint, SB 29 should push districts to ask better questions about any process that touches student data, including device collection, repair workflows, storage media handling, disposal, resale, recycling, and vendor documentation.
| SB 29 Concern | Device Retirement Risk | ITAD Control to Review |
|---|---|---|
| Student data privacy | Retired devices may still contain local files, browser data, cached credentials, application data, or user profiles. | Documented data sanitization or physical destruction for data-bearing assets. |
| Technology provider oversight | A disposal, repair, resale, or logistics vendor may handle assets after they leave district facilities. | Vendor documentation, custody records, service scope, and final reporting expectations. |
| Education records governance | Devices can contain data tied to students, staff, classrooms, applications, or district operations. | Asset-level intake, exception reporting, and proof that data-bearing devices were handled correctly. |
| Audit readiness | Bulk recycling receipts may not prove what happened to each device or storage component. | Chain of custody, certificates, serial-level reports, and final disposition records. |
SB 29 Device Retirement Checklist for Ohio Districts
Before retired devices leave a school building, district technology teams should be able to answer these questions:
- Which devices are being retired, and are they tracked by serial number, asset tag, model, location, or refresh cycle?
- Which devices may contain student data, staff data, application data, credentials, or locally stored files?
- Will devices be redeployed, resold, recycled, harvested for parts, or destroyed?
- Who has custody at each stage: district staff, logistics provider, repair partner, resale partner, recycler, or ITAD provider?
- What data sanitization or destruction method will be used for each asset type?
- Will the district receive a certificate of data destruction or sanitization report?
- How will exceptions be handled for locked devices, missing serials, damaged equipment, failed wipes, missing drives, or assets that cannot be resold?
- Can final reports be separated by school, department, funding source, project, or device refresh?
- Does the provider have relevant certifications and a documented process for secure asset handling?
What District IT Teams Should Document
A strong device retirement file should include more than a pickup receipt. Districts should keep records that show the full path from internal collection through final disposition. That documentation can support security reviews, board questions, public-sector accountability, budget recovery, and internal audits.
| Record Type | What It Should Show | Why It Helps |
|---|---|---|
| Asset inventory | Serial number, asset tag, model, quantity, condition, school location, and project name. | Creates a baseline before assets leave district control. |
| Chain of custody | Pickup, transfer, receiving, processing, and final handoff events. | Shows who handled devices and when. See this guide to ITAD chain of custody. |
| Data handling report | Sanitization, destruction, pass/fail status, method, date, and device identifier. | Connects each data-bearing asset to a documented outcome. |
| Exception report | Locked devices, damaged devices, count discrepancies, failed wipes, missing components, or unresolved assets. | Prevents hidden risk from being buried in bulk totals. |
| Final disposition report | Resold, redeployed, recycled, harvested, destroyed, or returned assets. | Closes the loop for technology, finance, sustainability, and compliance teams. |
SB 29 Is Not Just a Software Contract Issue
Many SB 29 conversations focus on software, apps, and technology provider agreements. That is understandable. But retired devices are part of the same education technology environment. A Chromebook at the end of its lifecycle may still have identifiers, cached files, user traces, enrollment status, management history, or other information that district teams do not want handled casually.
For that reason, K-12 device disposal should be treated as a controlled workflow, not a storage-room cleanup project. Districts should know which assets left, which assets were wiped or destroyed, which assets retained value, and what documentation supports those decisions.
A Practical Refresh Workflow for Ohio Schools
A district device refresh does not need to be complicated, but it does need structure. A practical workflow can look like this:
- Plan the refresh. Group assets by school, grade band, funding source, device type, and expected outcome.
- Freeze the asset list. Export serial numbers, asset tags, device models, management status, and known exceptions.
- Separate data-bearing assets. Identify laptops, Chromebooks, tablets, desktops, servers, drives, and accessories that need special handling.
- Choose the correct disposition path. Some devices may be resold, some recycled, some destroyed, and some retained for parts or spare pools.
- Document custody. Record when assets leave the district, who receives them, and how discrepancies are reported.
- Require final reporting. Ask for asset-level results, data handling outcomes, exception notes, certificates, and value recovery details.
Tech Defenders supports K-12 and institutional refresh projects through education technology services, IT asset recovery services, and enterprise ITAD services that connect logistics, intake, data handling, remarketing, recycling, and reporting.
Questions to Ask an ITAD Provider Before a K-12 Refresh
If your district is reviewing ITAD partners after SB 29, ask questions that reveal how the provider actually handles education technology assets:
- Do you provide serial-level tracking or only bulk recycling totals?
- Can you document pickup, receiving, processing, data handling, and final disposition?
- How do you handle Chromebooks, tablets, drives, servers, and mixed school technology?
- What happens when devices are locked, damaged, missing drives, or missing from the expected inventory?
- Can you separate reporting by building, department, refresh project, or funding source?
- Do you provide certificates of data destruction or data sanitization reports?
- Which certifications support your data security, quality, environmental, and worker-safety controls?
- How do you maximize value recovery while protecting data and documentation requirements?
Where Certifications Fit
Certifications do not replace a district’s own legal, procurement, or policy review. They do, however, help buyers understand whether a provider operates under recognized standards. Tech Defenders lists R2v3, ISO 9001, ISO 14001, and ISO 45001 on its certifications page. For district teams, those certifications should be paired with clear project reporting, chain of custody, and data handling documentation.
FAQ: Ohio SB 29 and School Device Disposal
Does Ohio SB 29 directly regulate IT asset disposition?
SB 29 is focused on education records and student data privacy, not written as a standalone ITAD law. Still, it should make districts more careful about device retirement workflows that may involve student data, third-party providers, data-bearing assets, and final documentation.
What should Ohio schools document when retiring devices?
Districts should document asset identifiers, pickup details, chain of custody, data sanitization or destruction results, exceptions, final disposition, and any certificates returned by the provider.
Do districts need certificates of data destruction?
A certificate of data destruction or sanitization report is a best-practice record for data-bearing assets. It helps show that devices were not merely removed from the building, but processed under a documented data handling workflow.
How does chain of custody help with school device disposal?
Chain of custody shows when devices moved, who handled them, where they were received, how they were processed, and what final outcome was assigned. That matters when districts need to answer board, audit, security, or parent-community questions.
Is recycling enough for old school devices?
Not always. Recycling may be appropriate for damaged or end-of-life equipment, but districts should first confirm data handling, asset tracking, value recovery potential, environmental controls, and documentation. ITAD is broader than recycling because it includes custody, data protection, resale, recovery, and final reporting.
Can retired school devices still have value?
Yes. Some retired Chromebooks, laptops, tablets, and accessories may retain resale or parts value. A documented IT asset recovery process can help districts recover budget while still protecting data and documenting final outcomes.
Planning a K-12 device refresh or disposal project? Tech Defenders helps schools and organizations document retired assets, protect data, recover value, and close the loop with practical reporting.
Contact Tech Defenders to discuss a school device retirement workflow, or learn more about K-12 education technology services.
Note: This article is for operational planning and general information only. It is not legal advice. District teams should review SB 29, Ohio Revised Code requirements, board policies, contracts, insurance requirements, and counsel guidance before making compliance decisions.