Back to index Original on gov.scot

FOI/202600506334 · FOI · unclear

Education Scotland data destruction procedures: FOI release

Published
2026-07-15
Received
2026-02-12
Responded
2026-03-02
Directorate
Topic
Education, Public sector
Exemptions
4

Information requested

Information held by Education Scotland regarding assurance processes for software based data erasure of end of life IT equipment. For clarity, this request relates solely to software based data destruction. Please exclude physical destruction methods such as shredding, crushing, degaussing or disintegration.

1. Whether departmental policy, contractual terms or internal procedures require an explicit outcome‑based warranty or guarantee confirming that personal data has been rendered irretrievable through software‑based erasure, whether carried out internally or by an external provider.

2. Where software‑based data destruction is performed internally, what recorded evidential assurance the department relies upon to conclude that the final data state is irretrievable.

3. Where software‑based data destruction is performed by a third‑party provider, whether the department holds recorded information demonstrating that any warranty or assurance provided explicitly extends to the software erasure method used and its claimed effectiveness, and if so, what the recorded nature of that verification is.

4. Where no explicit outcome‑based warranty is required or provided, what recorded form of evidential assurance the department relies upon to conclude that software‑based erasure has rendered personal data irretrievable.

Response

1. Departmental Information Security Policy and Standards require that data sanitisation be undertaken using approved methods aligned with HMG and NCSC guidance. Our department does not require, nor does it hold, an explicit outcome-based warranty guaranteeing irretrievability of personal data following software-based erasure.

2. Where software‑based data destruction is performed internally (e.g., USB media), Education Scotland relies upon the following to conclude that the final data state is irretrievable:-

Use of an approved sanitisation tool capable of erasing data to NIST SP 800‑88 standard. System‑generated logs or completion records confirming that sanitisation has been successfully executed. Compliance with Information Security - Standards specifying approved erasure methods andevidence requirements.

These records constitute the assurance that the final data state is irretrievable.

3. Where software‑based data destruction is performed by a third‑party provider, Education Scotland holds the following (for end‑of‑life laptops and similar equipment):

Certificates of disposal/sanitisation issued by the provider. Confirmation that sanitisation is completed using a software method compliant with NIST SP 800‑88, and independently ADISA‑verified for both HDDs and SSDs.

These certificates provide evidence of completion of an approved sanitisation process. They are not outcome-based guarantees.

4. Where no outcomes-based warranty is required or provided, the department relies upon the following forms of evidential assurance to conclude that software‑based erasure has rendered personal data irretrievable:

Standards-based method compliance

Internal and external software erasure follows NIST SP 800-88 (and is aligned to HMG/NCSC guidance).

Completion evidence

Internal: tool-generated completion records/logs. Third-party: certificates of sanitisation/disposal; ADISA verified methods for HDD/SSD where applicable.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.gov.scot/foi-responses.

Contact Please quote the FOI reference Central Correspondence Unit Email: contactus@gov.scot Phone: 0300 244 4000 The Scottish Government St Andrew's House Regent Road Edinburgh EH1 3DG

Attachments

No attachments found.

Similar releases