Why standards matter
Saying that data has been “destroyed” or “wiped” is not sufficient for compliance. UK GDPR’s accountability principle requires organisations to demonstrate compliance, not just assert it. That means being able to point to a specific, recognised standard that was applied, and to a verification record showing the standard was met.
Standards serve a second purpose: they resolve technical ambiguity. Questions such as how many overwrite passes are needed, which commands to use for SSD sanitisation, and what fragment size is required for shredded magnetic media — all of these have specific answers within recognised frameworks. Following a standard removes guesswork and gives auditors and regulators a common reference point.
For a broader introduction to the data destruction process, see our guide to what is secure data destruction.
NIST Special Publication 800-88 (Guidelines for Media Sanitisation)
NIST SP 800-88 is published by the National Institute of Standards and Technology in the United States and is the most widely cited international standard for media sanitisation. It is used extensively by UK private sector organisations and ITAD providers, and it is referenced by the ICO in its guidance on data deletion.
The three sanitisation levels
NIST SP 800-88 defines three levels of sanitisation:
Clear: Applies logical techniques to sanitise data in all user-addressable storage locations. For an HDD, this means overwriting the entire drive. For an SSD, it means using the ATA Secure Erase or NVMe Sanitise command. Clear is appropriate for media being reused within the same security domain.
Purge: Applies more rigorous techniques that render recovery infeasible even with state-of-the-art laboratory methods. For SSDs, Purge requires Secure Erase with an Enhanced Security Erase option, or NVMe Sanitise (Overwrite or Block Erase). For magnetic drives, Secure Erase or degaussing achieves Purge level. This is the level required for media leaving an organisation’s control.
Destroy: Physical destruction of the media. Disintegration, shredding, or incineration to the point where the storage medium cannot function as such. For highly sensitive data or end-of-life media with no residual value, physical destruction provides the strongest assurance.
Key points from NIST SP 800-88
- A single overwrite pass is sufficient for modern drives. Multiple passes (seven, 35) are not required and are not recommended for contemporary media.
- Degaussing achieves Purge level for magnetic drives but is completely ineffective for SSDs and flash memory.
- All sanitisation activities should be documented, including the method, the tool used, the media identifier, and the person who performed the sanitisation.
- The standard includes decision trees for selecting the appropriate sanitisation level by media type.
NCSC secure sanitisation guidance
The National Cyber Security Centre (NCSC) publishes guidance on secure sanitisation of storage media aimed at UK organisations, including businesses and public sector bodies. The NCSC guidance is broadly aligned with NIST SP 800-88 but uses UK terminology and is framed around the UK government’s security classification scheme.
Key points from NCSC guidance include:
- Different sanitisation methods are appropriate for different media types. SSDs and flash memory cannot be degaussed and require firmware-level commands or physical destruction.
- Physical destruction should render media unrecoverable to a level appropriate for the classification of data held.
- Organisations should keep records of sanitisation activity, including the media identifier, method, date, and operator.
- Where a product or service is used, organisations should be confident that it implements the required standard correctly — not simply accept marketing claims at face value.
The NCSC does not operate a formal product approval scheme for commercial ITAD services, but it does publish lists of assured products and services in relevant assurance programmes that organisations may wish to consult.
HMG IA Policy No.5 (Secure Sanitisation of Protectively Marked or Sensitive Information)
HMG IA Policy No.5 is a UK government policy that sets mandatory requirements for the sanitisation of media holding government-classified information (OFFICIAL, SECRET, and TOP SECRET under the Government Security Classifications). It specifies:
- Required sanitisation methods for each classification level
- Particle size requirements for physical destruction (expressed as maximum dimensions for shredded fragments)
- Overwrite parameters for software sanitisation
- Requirements for degaussing equipment
HMG IA Policy No.5 applies directly to government departments, agencies, and contractors handling classified information. For organisations that hold government contracts or process data classified under the scheme, the policy requirements are mandatory, not advisory.
The specific values — overwrite passes, particle sizes, degausser field strengths — are set out in the policy document, which is published by the Cabinet Office (see the NCSC secure sanitisation guidance at ncsc.gov.uk for current technical requirements).
Other relevant standards
ICO guidance on data deletion
The Information Commissioner’s Office publishes guidance on the secure deletion of personal data. It does not prescribe specific technical standards but expects organisations to follow recognised best practice, which in the UK context means NCSC guidance or NIST SP 800-88.
ISO/IEC 27001 and 27040
ISO/IEC 27001 (information security management systems) includes controls relating to media disposal, and ISO/IEC 27040 addresses storage security, including sanitisation. Organisations certified to ISO 27001 are expected to have documented and implemented media disposal procedures.
BS EN 15713 (Secure Destruction of Confidential Material)
This British Standard covers the secure destruction of confidential material, including procedures for mobile and off-site destruction services. It specifies particle sizes for different security grades and is relevant to providers of physical shredding services.
Which standard applies to your business?
| Organisation type | Applicable standard(s) |
|---|---|
| Private sector — personal data under UK GDPR | NIST SP 800-88 and/or NCSC guidance |
| Public sector — government data | NCSC guidance + HMG IA Policy No.5 |
| Government contractor — classified data | HMG IA Policy No.5 (mandatory) |
| ISO 27001 certified | ISO 27001 Annex A + NIST SP 800-88 / NCSC |
| Healthcare (NHS) | DSPT requirements + NCSC guidance |
| Financial services (FCA regulated) | FCA operational resilience + NIST SP 800-88 |
For most UK businesses, NIST SP 800-88 applied by a certified ITAD provider, with NCSC guidance as the UK-specific reference, is the appropriate framework. The certificate of data destruction issued by the provider should name the standard applied.
For more on how these standards apply in practice, see our guide to data wiping vs shredding vs degaussing.
Recycle4Charity provides certified data destruction for London businesses, applying recognised standards and issuing a certificate of data destruction for every collection. Visit our data destruction for business page to find out more, or contact us to discuss your specific compliance requirements.