FOI-03651

Freedom of Information Disclosure Log

The NHSBSA's responses to Freedom of Information requests.

Licence

Open Government Licence 3.0 (United Kingdom) [Open Data]

Thank you for your request for information about the following:

Request

Under the Freedom of Information Act 2000, please provide the following recorded information held by your organisation regarding assurance processes for software based data erasure of end of life IT equipment.

For clarity, this request relates specifically to the erasure of storage media associated with end of life hardware such as laptops, desktops, servers, storage arrays, or other data bearing IT equipment. It does not relate to operational deletion of data within live systems, routine account management, or DSP Toolkit self assessment processes.

Physical destruction methods such as shredding, crushing, degaussing, or disintegration are outside the scope of this request. This request concerns software based erasure only.

This request seeks to distinguish between confirmation that an erasure process was carried out and recorded evidence demonstrating that the final data state of a specific storage device is irrecoverable. I am not seeking technical configuration detail or security sensitive information, only the recorded assurance basis relied upon when concluding that personal data has been rendered irrecoverable.

Please confirm:

1) Whether your organisation’s policies, contractual terms, or internal procedures require an explicit outcome based warranty or guarantee that personal data on a specific storage device has been rendered irrecoverable as a final data state following software based erasure.

2) Where software based erasure of storage media is undertaken internally, what recorded evidential assurance is relied upon to conclude that the final data state of the specific storage device is irrecoverable, as distinct from confirmation that an erasure process was executed.

3) Where software based erasure is undertaken by a third party provider:

a. Do the certificates or contractual documents held constitute an explicit outcome based warranty or guarantee of irrecoverability for each specific storage device processed?

b. Beyond reliance on supplier accreditation or recognised standards including but not limited to ADISA certification, ISO accreditation, NIST alignment, HMG IA standards, NHS Digital guidance, or Data Security and Protection Toolkit assertions, and beyond confirmation that a wiping process was completed, does the organisation hold any recorded, device specific documentation evidencing independent verification, testing, or validation that the data on the storage media has been rendered irrecoverable in practice?

4) If no explicit outcome based warranty or device specific outcome evidence is held beyond certification, accreditation, or confirmation of process completion, please confirm what recorded form of evidential assurance is relied upon when concluding that personal data has been rendered irrecoverable.

The NHS Business Services Authority (NHSBSA) received your request on 4 March 2026.

We have handled your request under the Freedom of Information Act 2000 (FOIA).

Our response

Question 1 - Whether your organisation’s policies, contractual terms, or internal procedures require an explicit outcome based warranty or guarantee that personal data on a specific storage device has been rendered irrecoverable as a final data state following software based erasure.

The NHSBSA contracts a third-party supplier for the provision of our IT Asset Disposition (ITAD). Our contractual terms with our ITAD supplier ensure these activities are completed and evidenced.

Question 2 - Where software based erasure of storage media is undertaken internally, what recorded evidential assurance is relied upon to conclude that the final data state of the specific storage device is irrecoverable, as distinct from confirmation that an erasure process was executed.

I have established that the information you requested is not held by the NHSBSA. This is because the NHSBSA does not carry this out internally.

Question 3 - Where software based erasure is undertaken by a third party provider:

Question 3a - Do the certificates or contractual documents held constitute an explicit outcome based warranty or guarantee of irrecoverability for each specific storage device processed?

Yes they do - depending upon media, devices are contractually erased to HMG Infosec Standard 5, Lower Standard or NIST 800-88 Clear – with disposal via shredding then smelting. No organisational data is stored locally on devices.

Question 3b - Beyond reliance on supplier accreditation or recognised standards including but not limited to ADISA certification, ISO accreditation, NIST alignment, HMG IA standards, NHS Digital guidance, or Data Security and Protection Toolkit assertions, and beyond confirmation that a wiping process was completed, does the organisation hold any recorded, device specific documentation evidencing independent verification, testing, or validation that the data on the storage media has been rendered irrecoverable in practice?

I have established that the information you requested is not held by the NHSBSA. This is because the acceptance of the external certification is sufficient for our requirements.

Question 4 - If no explicit outcome based warranty or device specific outcome evidence is held beyond certification, accreditation, or confirmation of process completion, please confirm what recorded form of evidential assurance is relied upon when concluding that personal data has been rendered irrecoverable.

There is no recorded form of evidential assurance as no personal data is stored on individual devices.

Data Queries

Please contact foirequests@nhsbsa.nhs.uk ensuring you quote the above reference if you have any specific questions regarding this response; or, if you feel you may be misunderstanding or misinterpreting the information; or, if you plan on publishing the data.

Reusing the data and copyright

If you plan on producing a press or broadcast story based upon the data please contact communicationsteam@nhsbsa.nhs.uk. This is important to ensure that the figures are not misunderstood or misrepresented.

The information supplied to you continues to be protected by the Copyright, Designs and Patents Act 1988 and is subject to NHSBSA copyright. This information is licensed under the terms of the Open Government Licence detailed at:

http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/

Should you wish to re-use the information you must include the following statement: “NHSBSA Copyright 2026”. Failure to do so is a breach of the terms of the licence.

Information you receive which is not subject to NHSBSA Copyright continues to be protected by the copyright of the person, or organisation, from which the information originated. Please obtain their permission before reproducing any third party (non NHSBSA Copyright) information.

Additional Info

Source: NHS Business Services Authority (NHSBSA)
Contact: Information Governance
Version: 1.0
State: active
Last Updated: April 14, 2026, 15:19 (UTC)
Created: April 14, 2026, 15:08 (UTC)