- Date released: 12 March 2026
- Request number: 202602073
- Release of information under: Freedom of Information Act 2000 (FOIA)
Information requested
Under the Freedom of Information Act 2000, please provide the following recorded information held by your department regarding assurance processes for software based data erasure of end of life IT equipment.
For clarity, this request relates solely to software based data destruction. Please exclude physical destruction methods such as shredding, crushing, degaussing or disintegration.
- Please confirm whether departmental policy, contractual terms or internal procedures require an explicit outcome based warranty or guarantee confirming that personal data has been rendered irretrievable through software based erasure, whether carried out internally or by an external provider.
- Where software based data destruction is performed internally, what recorded evidential assurance does the department rely upon to conclude that the final data state is irretrievable?
- Where software based data destruction is performed by a third party provider, does the department hold recorded information demonstrating that any warranty or assurance provided explicitly extends to the software erasure method used and its claimed effectiveness? If so, please confirm the recorded nature of that verification.
- Where no explicit outcome based warranty is required or provided, what recorded form of evidential assurance does the department rely upon to conclude that software based erasure has rendered personal data irretrievable?
I am not requesting technical configuration detail, security sensitive information or supplier specific vulnerabilities. I am seeking confirmation of the assurance model relied upon for software based data destruction.
Information released
I confirm that under s.1 of the FOIA, we hold some of the information you have requested. Please see below for a response to each of your questions in turn.
Please confirm whether departmental policy, contractual terms or internal procedures require an explicit outcome-based warranty or guarantee confirming that personal data has been rendered irretrievable through software-based erasure, whether carried out internally or by an external provider.
I can confirm that we have an ONR Policy for Information Disposal and Destruction which sets out our departmental policy; this is also covered in our supplier's contract clauses and in the Crown Commercial Services security schedules where applicable.
Guidance for organisations on how to choose, configure and use devices securely from the National Cyber Security Centre (NCSC) can be found at the following link:
For the Crown Commercial Services contract clauses please see the following link:
Where software-based data destruction is performed internally, what recorded evidential assurance does the department rely upon to conclude that the final data state is irretrievable?
I can confirm that software-based data destruction is carried out based on the guidance in our Policy which is based on advice from the NCSC. The solution we use restores the device to its factory settings, erasing all data, apps and settings. This action is logged in the admin centre which allows administrators to track the process and ensures that the device has been securely wiped.
Where software-based data destruction is performed by a third-party provider, does the department hold recorded information demonstrating that any warranty or assurance provided explicitly extends to the software erasure method used and its claimed effectiveness? If so, please confirm the recorded nature of that verification.
I can confirm that our third-party provider has shared the processes and procedures which they follow for secure disposal; this includes the use of a third-party software product that was assured under the previous NCSC commercial product assessment scheme. As part of the process outcome, we are provided with destruction certificates.
Where no explicit outcome-based warranty is required or provided, what recorded form of evidential assurance does the department rely upon to conclude that software-based erasure has rendered personal data irretrievable?
Not Applicable.
Exemption(s) applied:
None
Public Interest Test (PIT):
N/A