Education Scotland data destruction procedures: FOI release
- Published
- 15 July 2026
- Topic
- Education, Public sector
- FOI reference
- FOI/202600506334
- Date received
- 12 February 2026
- Date responded
- 2 March 2026
Information request and response under the Freedom of Information (Scotland) Act 2002.
Information requested
Information held by Education Scotland regarding assurance processes for software based data erasure of end of life IT equipment. For clarity, this request relates solely to software based data destruction. Please exclude physical destruction methods such as shredding, crushing, degaussing or disintegration.
1. Whether departmental policy, contractual terms or internal procedures require an explicit outcome‑based warranty or guarantee confirming that personal data has been rendered irretrievable through software‑based erasure, whether carried out internally or by an external provider.
2. Where software‑based data destruction is performed internally, what recorded evidential assurance the department relies upon to conclude that the final data state is irretrievable.
3. Where software‑based data destruction is performed by a third‑party provider, whether the department holds recorded information demonstrating that any warranty or assurance provided explicitly extends to the software erasure method used and its claimed effectiveness, and if so, what the recorded nature of that verification is.
4. Where no explicit outcome‑based warranty is required or provided, what recorded form of evidential assurance the department relies upon to conclude that software‑based erasure has rendered personal data irretrievable.
Response
1. Departmental Information Security Policy and Standards require that data sanitisation be undertaken using approved methods aligned with HMG and NCSC guidance. Our department does not require, nor does it hold, an explicit outcome-based warranty guaranteeing irretrievability of personal data following software-based erasure.
2. Where software‑based data destruction is performed internally (e.g., USB media), Education Scotland relies upon the following to conclude that the final data state is irretrievable:-
- Use of an approved sanitisation tool capable of erasing data to NIST SP 800‑88 standard.
- System‑generated logs or completion records confirming that sanitisation has been successfully executed.
- Compliance with Information Security - Standards specifying approved erasure methods andevidence requirements.
These records constitute the assurance that the final data state is irretrievable.
3. Where software‑based data destruction is performed by a third‑party provider, Education Scotland holds the following (for end‑of‑life laptops and similar equipment):
- Certificates of disposal/sanitisation issued by the provider.
- Confirmation that sanitisation is completed using a software method compliant with NIST SP 800‑88, and independently ADISA‑verified for both HDDs and SSDs.
These certificates provide evidence of completion of an approved sanitisation process. They are not outcome-based guarantees.
4. Where no outcomes-based warranty is required or provided, the department relies upon the following forms of evidential assurance to conclude that software‑based erasure has rendered personal data irretrievable:
Standards-based method compliance
- Internal and external software erasure follows NIST SP 800-88 (and is aligned to HMG/NCSC guidance).
Completion evidence
- Internal: tool-generated completion records/logs.
- Third-party: certificates of sanitisation/disposal; ADISA verified methods for HDD/SSD where applicable.
About FOI
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.gov.scot/foi-responses.
Contact
Please quote the FOI reference
Central Correspondence Unit
Email: contactus@gov.scot
Phone: 0300 244 4000
The Scottish Government
St Andrew's House
Regent Road
Edinburgh
EH1 3DG