Recorded Assurance
Case reference FOI2026/00526
Received 6 March 2026
Published 13 April 2026
Request
This is a further Freedom of Information request. You have explained that internal software-based wiping relies on confirmation from the relevant software as observed by the individual conducting the erasure, and that this confirmation is not recorded as evidence.
1. Please confirm whether the Council holds any recorded information explaining the basis on which visual confirmation of software completion is considered sufficient to conclude that personal data on the storage media has been rendered irrecoverable in practice.
Separately, you state that data sanitisation certificates are contractually required from the Council’s IT disposal partner, but that wiping is not specifically proven through the Council’s own processes.
2. Please confirm whether the Council holds any recorded information demonstrating that these certificates constitute verification of the effectiveness of the erasure outcome, rather than confirmation that a wiping processor tool was used.
Finally, where disposal decisions consider factors such as whether disk encryption was previously in place --
3. Please confirm whether the Council holds any recorded information describing the basis on which encryption is considered sufficient assurance that residual data on the storage media would be irrecoverable if software erasure were incomplete.
I am not requesting technical configuration detail, only clarification of the recorded assurance framework relied upon when concluding that personal data has been rendered irrecoverable.
Response
This is a further Freedom of Information request. You have explained that internal software-based wiping relies on confirmation from the relevant software as observed by the individual conducting the erasure, and that this confirmation is not recorded as evidence.
1. Please confirm whether the Council holds any recorded information explaining the basis on which visual confirmation of software completion is considered sufficient to conclude that personal data on the storage media has been rendered irrecoverable in practice.
The council does not hold any recorded information explaining the basis on which visual confirmation by ICT personnel of data sanitisation completion is considered sufficient. The process for completion and confirmation of data sanitisation was verbally discussed and agreed between appropriate stakeholders.
Separately, you state that data sanitisation certificates are contractually required from the Council’s IT disposal partner, but that wiping is not specifically proven through the Council’s own processes.
2. Please confirm whether the Council holds any recorded information demonstrating that these certificates constitute verification of the effectiveness of the erasure outcome, rather than confirmation that a wiping processor tool was used.
We understand you are seeking recorded information held by the council that confirms any verification process that would be performed following the execution of data sanitisation processes by our IT disposal partner, to verify the software wipe was successful.
Due to the range of potential hardware, and associated wipe software/processes that may be required as part of IT hardware disposal, flexibility built into the disposal process means we have not been able to identify any policy, process or assessment meeting your request.
The council’s current IT disposal contract requires that data-capable hardware be “securely wiped wherever possible with multiple passes by industry recommended tools (such as Blancco)”. Industry standards for data wiping such as NIST SP 800-88 and DoD 5220.22-M require verification to be performed by the software before a wipe can be considered successful. A single defined standard was not included in the IT disposal contract, to provide flexibility for the council’s IT department to agree the most suitable wiping approach with the IT disposal partner when disposing of devices. This was particularly considered necessary for dedicated appliances or devices with embedded storage chips, where industry standard software may not be compatible.
The IT disposal contract further requires that “Where it is not possible to securely wipe the asset, the storage component of the asset will be destroyed and processed for recycling.”.
The most recent Data Destruction Certificate received from our IT disposal partner stated: “This is to confirm the following Data Storage Devices have been certified as erased of all data by either software (in line with HMG Infosec Standard No: 5 as mandated by the National Cyber Security Centre (NCSC)), Degaussing or physical destruction (Granulation, Thermal Destruction)”.
Finally, where disposal decisions consider factors such as whether disk encryption was previously in place --
3. Please confirm whether the Council holds any recorded information describing the basis on which encryption is considered sufficient assurance that residual data on the storage media would be irrecoverable if software erasure were incomplete.
We understand you are seeking recorded information held by the council that describes the basis on which encryption is considered sufficient assurance in the event that a wipe is either not performed or is incorrectly reported as successful.
The council does not consider encryption alone to be sufficient. A successful erasure is always sought where data capable hardware is not being destroyed. The council’s IT disposal contract currently requires that “Where it is not possible to securely wipe the asset, the storage component of the asset will be destroyed and processed for recycling.”.
The council has not been able to identify any recorded information describing the basis for encryption mitigating the risk of data recovery in the event of data sanitisation software confirming success incorrectly.
Documents
This is Guildford Council's response to a freedom of information (FOI) or environmental information regulations (EIR) request.
You can browse our other responses or make a new FOI request.