← Blog ·

Data destruction standards explained: NCSC, NIST 800-88, and HMG IA Policy No.5

Data destruction standards are published frameworks that define the methods, parameters, and verification requirements for permanently sanitising storage media. The key standards relevant to UK organisations are NIST Special Publication 800-88 (used internationally), the National Cyber Security Centre's secure sanitisation guidance, and HMG IA Policy No.5 (for government-classified information) — and knowing which applies to your situation is fundamental to demonstrating compliance under UK GDPR.

Why standards matter

Saying that data has been “destroyed” or “wiped” is not sufficient for compliance. UK GDPR’s accountability principle requires organisations to demonstrate compliance, not just assert it. That means being able to point to a specific, recognised standard that was applied, and to a verification record showing the standard was met.

Standards serve a second purpose: they resolve technical ambiguity. Questions such as how many overwrite passes are needed, which commands to use for SSD sanitisation, and what fragment size is required for shredded magnetic media — all of these have specific answers within recognised frameworks. Following a standard removes guesswork and gives auditors and regulators a common reference point.

For a broader introduction to the data destruction process, see our guide to what is secure data destruction.

NIST Special Publication 800-88 (Guidelines for Media Sanitisation)

NIST SP 800-88 is published by the National Institute of Standards and Technology in the United States and is the most widely cited international standard for media sanitisation. It is used extensively by UK private sector organisations and ITAD providers, and it is referenced by the ICO in its guidance on data deletion.

The three sanitisation levels

NIST SP 800-88 defines three levels of sanitisation:

Clear: Applies logical techniques to sanitise data in all user-addressable storage locations. For an HDD, this means overwriting the entire drive. For an SSD, it means using the ATA Secure Erase or NVMe Sanitise command. Clear is appropriate for media being reused within the same security domain.

Purge: Applies more rigorous techniques that render recovery infeasible even with state-of-the-art laboratory methods. For SSDs, Purge requires Secure Erase with an Enhanced Security Erase option, or NVMe Sanitise (Overwrite or Block Erase). For magnetic drives, Secure Erase or degaussing achieves Purge level. This is the level required for media leaving an organisation’s control.

Destroy: Physical destruction of the media. Disintegration, shredding, or incineration to the point where the storage medium cannot function as such. For highly sensitive data or end-of-life media with no residual value, physical destruction provides the strongest assurance.

Key points from NIST SP 800-88

  • A single overwrite pass is sufficient for modern drives. Multiple passes (seven, 35) are not required and are not recommended for contemporary media.
  • Degaussing achieves Purge level for magnetic drives but is completely ineffective for SSDs and flash memory.
  • All sanitisation activities should be documented, including the method, the tool used, the media identifier, and the person who performed the sanitisation.
  • The standard includes decision trees for selecting the appropriate sanitisation level by media type.

NCSC secure sanitisation guidance

The National Cyber Security Centre (NCSC) publishes guidance on secure sanitisation of storage media aimed at UK organisations, including businesses and public sector bodies. The NCSC guidance is broadly aligned with NIST SP 800-88 but uses UK terminology and is framed around the UK government’s security classification scheme.

Key points from NCSC guidance include:

  • Different sanitisation methods are appropriate for different media types. SSDs and flash memory cannot be degaussed and require firmware-level commands or physical destruction.
  • Physical destruction should render media unrecoverable to a level appropriate for the classification of data held.
  • Organisations should keep records of sanitisation activity, including the media identifier, method, date, and operator.
  • Where a product or service is used, organisations should be confident that it implements the required standard correctly — not simply accept marketing claims at face value.

The NCSC does not operate a formal product approval scheme for commercial ITAD services, but it does publish lists of assured products and services in relevant assurance programmes that organisations may wish to consult.

HMG IA Policy No.5 (Secure Sanitisation of Protectively Marked or Sensitive Information)

HMG IA Policy No.5 is a UK government policy that sets mandatory requirements for the sanitisation of media holding government-classified information (OFFICIAL, SECRET, and TOP SECRET under the Government Security Classifications). It specifies:

  • Required sanitisation methods for each classification level
  • Particle size requirements for physical destruction (expressed as maximum dimensions for shredded fragments)
  • Overwrite parameters for software sanitisation
  • Requirements for degaussing equipment

HMG IA Policy No.5 applies directly to government departments, agencies, and contractors handling classified information. For organisations that hold government contracts or process data classified under the scheme, the policy requirements are mandatory, not advisory.

The specific values — overwrite passes, particle sizes, degausser field strengths — are set out in the policy document, which is published by the Cabinet Office (see the NCSC secure sanitisation guidance at ncsc.gov.uk for current technical requirements).

Other relevant standards

ICO guidance on data deletion

The Information Commissioner’s Office publishes guidance on the secure deletion of personal data. It does not prescribe specific technical standards but expects organisations to follow recognised best practice, which in the UK context means NCSC guidance or NIST SP 800-88.

ISO/IEC 27001 and 27040

ISO/IEC 27001 (information security management systems) includes controls relating to media disposal, and ISO/IEC 27040 addresses storage security, including sanitisation. Organisations certified to ISO 27001 are expected to have documented and implemented media disposal procedures.

BS EN 15713 (Secure Destruction of Confidential Material)

This British Standard covers the secure destruction of confidential material, including procedures for mobile and off-site destruction services. It specifies particle sizes for different security grades and is relevant to providers of physical shredding services.

Which standard applies to your business?

Organisation type Applicable standard(s)
Private sector — personal data under UK GDPR NIST SP 800-88 and/or NCSC guidance
Public sector — government data NCSC guidance + HMG IA Policy No.5
Government contractor — classified data HMG IA Policy No.5 (mandatory)
ISO 27001 certified ISO 27001 Annex A + NIST SP 800-88 / NCSC
Healthcare (NHS) DSPT requirements + NCSC guidance
Financial services (FCA regulated) FCA operational resilience + NIST SP 800-88

For most UK businesses, NIST SP 800-88 applied by a certified ITAD provider, with NCSC guidance as the UK-specific reference, is the appropriate framework. The certificate of data destruction issued by the provider should name the standard applied.

For more on how these standards apply in practice, see our guide to data wiping vs shredding vs degaussing.

Recycle4Charity provides certified data destruction for London businesses, applying recognised standards and issuing a certificate of data destruction for every collection. Visit our data destruction for business page to find out more, or contact us to discuss your specific compliance requirements.

Blog

Frequently asked questions

NIST SP 800-88 is a US government publication on media sanitisation that has been widely adopted internationally as a reference standard. It applies in the UK in the sense that the ICO and many UK regulators recognise it as best practice, and most UK ITAD providers use it as their technical benchmark. UK-specific obligations are primarily set by the NCSC and, for government data, HMG IA Policy No.5.

NIST SP 800-88 specifies that a single overwrite pass is sufficient for modern hard drives, provided verification confirms every sector was addressed. The recommendation for multiple passes (seven or 35) comes from older standards and is not required for drives manufactured after the late 1990s.

HMG IA Policy No.5 applies directly to government departments and their contractors handling classified information. Private sector organisations without government contracts are not bound by it, but those in regulated sectors may be required to meet equivalent standards by sector-specific regulation.

For most businesses, NIST SP 800-88 "Purge" level for media leaving your organisation is appropriate, applied using certified software for wiping or industrial shredding for physical destruction. Ask the provider to name the specific standard on the certificate of data destruction.

Degaussing is accepted by NIST SP 800-88 and NCSC guidance as a Purge-level method for magnetic hard drives and tapes. It is not accepted for SSDs or flash memory, where it has no effect. HMG IA Policy No.5 specifies degausser field strength requirements for classified media. Always confirm the media type before selecting degaussing as a method.

Need secure IT disposal in London?

Certified data destruction and WEEE recycling — with refurbished devices going to people who need them.