
Data Destruction / Media Sanitisation Policy Template

Introduction

Purpose and Use

Proper destruction or sanitisation of storage media and devices is essential to prevent unauthorised recovery of sensitive data. This policy template defines procedures for securely destroying or sanitising electronic media and physical records at the end of their useful life. It aligns with standards such as NCSC guidance, ISO/IEC 27001, Cyber Essentials and regulatory requirements including UK GDPR.

Use this template to create a Data Destruction / Media Sanitisation Policy that fits your organisation’s technologies and risk tolerance. It should be adapted to cover all media types (hard drives, SSDs, removable media, paper documents, etc.) and reflect applicable legal and contractual obligations.

Who This Template Is For

  • IT and facilities managers responsible for hardware lifecycle management.
  • Asset owners and custodians disposing of devices containing sensitive data.
  • Organisations seeking compliance with ISO/IEC 27001, Cyber Essentials Plus, UK GDPR and industry regulations.

Alternative Names You Might See

  • Media Sanitisation Policy
  • Secure Destruction Policy
  • Data Disposal Policy (technical focus)

Data Destruction / Media Sanitisation Policy Template

1. Document Management

  • Organisation Name: [Insert organisation name]
  • Document Owner: [Role/title responsible for the policy]
  • Version: [e.g. 1.0]
  • Classification: [e.g. Internal / Public / Confidential]
  • Issue Date: [Date of current issue]
  • Next Review Date: [Date for next review]
  • Supersedes: [If applicable, previous versions]
  • Approval: [Senior management approval]
  • Change History: Include a table recording version, date, author and summary of changes.

2. Purpose

The purpose of this policy is to:

  1. Define approved methods for the secure destruction and sanitisation of data storage media and physical records.
  2. Prevent unauthorised recovery of sensitive or confidential information from decommissioned media.
  3. Support compliance with UK GDPR, Data Protection Act 2018, ISO/IEC 27001, and Cyber Essentials.

3. Scope

This policy applies to:

  • All data storage media (electronic and physical) used to store organisational data, including hard disks, SSDs, mobile devices, memory cards, tapes, optical media, USB drives and paper documents.
  • All employees, contractors and third parties involved in the disposal, recycling or reuse of media containing organisational data.
  • All facilities and locations where media destruction or sanitisation takes place.

4. Roles and Responsibilities

4.1 Senior Management / Board

  • Approve the Data Destruction / Media Sanitisation Policy and ensure adequate resources for implementation.
  • Hold departments accountable for compliance with destruction procedures.

4.2 Information Security / IT Function

  • Define and maintain approved sanitisation and destruction methods for various media types.
  • Provide tools and services (e.g. degaussers, shredders, certified destruction vendors) for secure media disposal.
  • Maintain logs of destruction activities and perform periodic audits.

4.3 Asset Owners / Custodians

  • Identify media containing sensitive data and ensure proper sanitisation or destruction when no longer needed.
  • Document and request approval for destruction of media under their control.

4.4 All Users

  • Do not dispose of media containing organisational data without following the approved sanitisation or destruction process.
  • Report lost or stolen media immediately to the IT/security function.

5. Sanitisation and Destruction Methods

5.1 Electronic Media

  • Logical Sanitisation (Data Erasure): Overwrite media using approved tools that meet recognised standards (e.g. NCSC guidance, NIST SP 800-88). Verification of successful erasure is required.
  • Cryptographic Erasure: Render data unreadable by securely destroying encryption keys where full-disk encryption is used.
  • Physical Destruction: Shredding, crushing, incineration or other methods that render media unrecoverable. Use when logical sanitisation is not feasible, or when policy requires physical destruction for the media's classification.

5.2 Paper Records

  • Shredding: Use cross-cut shredders or secure destruction services to destroy paper records containing sensitive information.
  • Pulping or Incineration: Acceptable methods when shredding is not available.

5.3 Mobile Devices and Removable Media

  • For smartphones, tablets, USB drives and memory cards, perform factory resets followed by data erasure or physical destruction depending on sensitivity.
  • Remove or destroy SIM cards and external storage separately.

6. Chain of Custody

  • Maintain a chain of custody for media from the time it is designated for destruction until the destruction process is complete.
  • Document custody transfers and individuals responsible at each stage.

7. Documentation and Verification

  • Record the date, media type, serial numbers (where applicable), destruction method and responsible personnel.
  • Obtain certificates of destruction from third-party vendors.
  • Retain destruction records for audit purposes for a defined period (e.g. 3 years).
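Verification of erasure (section 5.1) and the destruction record (section 7), as an added example that is not part of the template: a Python helper that checks a disk image block by block against the overwrite fill byte and builds a record with the fields section 7 lists. The fill byte, block size, field names, sample serial number and 64 KiB sample image are assumptions.

```python
# Added example (not part of the policy template): the verification step
# section 5.1 requires after an overwrite, plus the section 7 record.
# Reads a disk image file; fill byte, block size and field names are assumed.
import datetime
import os
import tempfile

BLOCK = 4096  # assumed verification block size


def verify_overwrite(path, fill=0x00, block=BLOCK):
    """Read the image block by block; return the byte offsets of every block
    that still holds anything other than the fill byte (empty list = pass)."""
    expected = bytes([fill]) * block
    bad_offsets, offset = [], 0
    with open(path, "rb") as fh:
        while chunk := fh.read(block):
            # A short final chunk is compared against a truncated pattern.
            if chunk != expected[: len(chunk)]:
                bad_offsets.append(offset)
            offset += len(chunk)
    return {"bytes_checked": offset, "bad_block_offsets": bad_offsets}


def destruction_record(media_type, serial, method, operator, verification):
    """Section 7 record: date, media type, serial number, method and
    responsible person, plus the verification outcome for the auditor."""
    return {
        "date": datetime.date.today().isoformat(),
        "media_type": media_type,
        "serial_number": serial,
        "method": method,
        "responsible": operator,
        "verified": not verification["bad_block_offsets"],
        "bytes_checked": verification["bytes_checked"],
    }


def sample_check(residual_at=None, size=64 * 1024):
    """Constructed sample: zero-filled image, optionally with 16 bytes left
    at `residual_at` to simulate an incomplete overwrite. Returns the record."""
    data = bytearray(size)
    if residual_at is not None:
        data[residual_at:residual_at + 16] = b"RESIDUAL-RECORD!"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    try:
        return destruction_record("HDD", "SN-EXAMPLE-001", "overwrite",
                                  "ops-team", verify_overwrite(path))
    finally:
        os.remove(path)
```

A record whose `verified` field is false should block the asset from leaving custody (section 6) until the media is re-sanitised or physically destroyed.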

8. Outsourcing and Third-Party Vendors

  • Third-party destruction providers must be vetted and comply with this policy and relevant regulations.
  • Contracts with vendors must include confidentiality clauses and specify destruction methods and verification requirements.

9. Training and Awareness

  • Personnel involved in media sanitisation and destruction must receive training on approved methods and procedures.
  • Awareness campaigns should highlight the risks associated with improper disposal of media.

10. Exceptions

  • Any deviations from approved destruction methods must be justified, documented and approved by senior management.
  • Compensating controls must be implemented to manage any risks arising from exceptions.

11. Policy Communication

  • This policy must be communicated to all staff and relevant third parties. It should be accessible on the organisational intranet or Knowledge Base.
  • Updates should be provided whenever new media types, technologies or regulatory requirements emerge.

12. Supporting Policies and Standards

  • Data Retention & Disposal Policy – defines how long data is retained and when it should be disposed of.
  • Data Classification Policy – determines sensitivity levels that influence destruction methods.
  • Asset Management Policy – tracks hardware and media through the lifecycle.
  • Information Security Policy – overarching framework for protecting information assets.

13. Policy Add-ons

Depending on organisational needs, consider:

  • On-site vs. Off-site Destruction Procedures – specifying where destruction takes place and under what conditions.
  • Decommissioning Checklist – steps to follow when retiring servers, storage arrays or network devices.
  • Environmental Considerations – guidelines for environmentally responsible disposal and recycling.

Use this template as a baseline and customise it to suit your organisation’s technology, regulatory environment and risk tolerance. Review and update the policy regularly in response to changes in media types and legal requirements.