FOI release

RFI 120: Software Based Data Destruction Assurance

Updated 27 April 2026

RE: Freedom of information request - Software Based Data Destruction Assurance

Thank you for your email received on 13 February 2026 in which you requested information which we have considered under the Freedom of Information Act 2000 (the FOI Act).

Please find the answers to your questions in your initial email below.

1.      Please confirm whether departmental policy, contractual terms or internal procedures require an explicit outcome based warranty or guarantee confirming that personal data has been rendered irretrievable through software based erasure, whether carried out internally or by an external provider.  

In these cases we don’t require an outcome based warranty or guarantee. We require all hardware or media that is at end of life and holds data to be dealt with in accordance with HMG Information Assurance Standard No. 5 – Secure Sanitisation. When undertaken by an external provider we require the relevant certification for this and a Certified Data Security Report to be provided for each device.

2.      Where software based data destruction is performed internally, what recorded evidential assurance does the department rely upon to conclude that the final data state is irretrievable? 

We do not undertake software based data destruction internally, as we do not have the facilities for this.

3.      Where software based data destruction is performed by a third party provider, does the department hold recorded information demonstrating that any warranty or assurance provided explicitly extends to the software erasure method used and its claimed effectiveness? If so, please confirm the recorded nature of that verification. 

The software based data destruction is arranged through our ITMS provider and included within the contract with them. We confirm in advance that the data destruction will be performed and certified onsite to HMG Information Assurance Standard No. 5 – Secure Sanitisation.

4.      Where no explicit outcome based warranty is required or provided, what recorded form of evidential assurance does the department rely upon to conclude that software based erasure has rendered personal data irretrievable? 

The Certified Data Security Report verifies that the process has been successful and the standard of the data destruction performed, e.g. NIST Purge/Clear. These are digitally signed. In cases where the software data erasure cannot be performed, or fails, a physical destruction method is used. This will also be supported by a data erasure report and digital certificate.

If you are dissatisfied with the handling of your request, you have the right to ask for an internal review. Internal review requests should be submitted within two months of the date of receipt of the response to your original request and should be addressed to: John Russell, c/o Enquiries, enquiries@ssro.gov.uk.

If you are not content with the outcome of the internal review, you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or via their website.

Kind regards,

Enquiries
Single Source Regulations Office
G51/G52, 100 Parliament Street
London SW1A 2BQ