Certificate of data destruction
Audit ready proof, not just a promise
If you’ve been asked to show proof that data was destroyed (by an auditor, a client, a regulator or your own compliance team), a verbal assurance isn’t enough. You need a Certificate of Data Destruction: a specific document, with specific content, that a named third party will actually check.
This page explains exactly what that document contains, which frameworks it satisfies, and how to get one. That includes retrospectively, if you’ve already had equipment collected and now need the paperwork.
No fragmented subcontractor.
No undocumented transfers.
No certification uncertainty.
Did you know that 83% of old IT equipment still contains discoverable data?
What’s on the certificate?
This is the document a procurement team files, an auditor checks against their sample, or an ICO investigation requests after a complaint. If any of these fields are missing from a certificate you’ve been given, it isn’t audit-ready. Ask for one that includes all five.
This isn’t a generic statement of good intent. Every Certificate of Data Destruction Ego Technology issues contains:
Asset reference / serial number: every individual device, not a batch summary covering an unspecified group
Destruction method: exactly how it was destroyed: certified software wipe, or physical shredding
Date and time of destruction
Standard applied: which recognised standard the method meets (see below)
Authorising technician
Which frameworks does a certificate like this satisfy?
Different sectors are asked to evidence data destruction against different named frameworks. A serial-level Certificate of Data Destruction from Ego Technology provides the evidence base for:
DSPT (Data Security and Protection Toolkit)
Required for NHS and health and social care organisations. See our healthcare IT disposal services.
Cyber Essentials / Cyber Essentials Plus
Assessors will ask how end-of-life devices are handled; a named certificate with method and date answers this directly.
ISO 27001 internal and external audits
auditors sample destruction records against the asset register; serial-level certificates allow a clean match.
ICO accountability requirements
Demonstrating GDPR Article 5 compliance if a data breach investigation ever asks how retired devices were handled. See our public sector IT disposal services.
Client and contractual due diligence
Many corporate clients now require evidence of supplier data handling as part of onboarding or annual review. See our corporate IT disposal services.
If your organisation operates under a different named framework not listed here, ask. Most data destruction frameworks share the same underlying evidence requirements.
The standards behind every certificate
ISO 27001
We’re ISO 27001 certified. This means the secure data destruction process generating your certificate is itself audited, controlled and consistent. It’s not just the paperwork at the end.
NCSC guidance on media sanitisation
GDPR Article 5
Data Wiping or shredding. Does the certificate differ?
Both methods are certified, but the certificate records different things:
Certified data wiping certificate: confirms a NCSC-aligned software erasure was completed, the device passed verification, and the device remains physically intact for reuse. See our reuse-first IT asset disposal page
Physical destruction certificate: confirms mechanical destruction of the media, with the device or component no longer existing in usable form. See our hard drive and SSD destruction page for the on-site/off-site and shred-size options that feed into this.
For a full explanation of how our destruction process works end-to-end, collection, logging, transit and the destruction step itself, see our main secure data destruction page.
Already had a collection?
If equipment has already been collected and processed but you haven’t received, or have lost, the certificate, we can issue a retrospective Certificate of Data Destruction from the original project records. Every collection is logged at the serial level at the point of intake, so historic certificates can be reissued without re-processing the equipment.
This is common ahead of an audit, a client due diligence request, or a procurement renewal where the original paperwork has been misplaced internally. Contact the team with the collection date or your account reference, and a reissued certificate can be provided.
What our clients say
"Professional, responsive and easy to work with from start to finish."
IT Manager, NHS Trust
"A reliable partner who understands compliance, security and environmental responsibility."
Head of IT, UK Corporate Organisation
"The collection process was smooth, secure and very well organised."
Facilities Manager, Education Sector
"Excellent communication throughout and complete confidence in secure data handling."
IT Infrastructure Manager, Financial Services
"Efficient, professional and delivered exactly as promised."
Operations Manager, Manufacturing Business
"A trusted partner for secure IT disposal and environmental reporting."
Sustainability Lead, Public Sector Organisation
"The team were knowledgeable, friendly and highly professional."
Procurement Manager, Local Authority
"A seamless service with clear communication and strong compliance standards."
IT Director, National Business
"From initial enquiry to final reporting, everything was handled professionally."
Technology Manager, Healthcare Organisation
"Reliable, secure and environmentally responsible, exactly what we were looking for."
Head of Operations, UK Enterprise Client
Get In Touch
Certified data destruction at enterprise scale
On-site hard drive shredding, certified data wiping for reuse or large-volume off-site IT data destruction.
Frequently asked
questions
Do you provide certified IT asset disposal and data destruction?
Yes, Ego Technology provides certified IT asset disposal and data destruction services across the UK. Operating from Burton upon Trent and Bradford with nationwide collection, Ego issues formal Certificates of Data Destruction at serial-number level, aligned to ISO 27001, GDPR and NCSC standards.
What is a Certificate of Data Destruction and why is it important?
A Certificate of Data Destruction is a formal, auditable document confirming that specific data-bearing media has been destroyed or erased to a recognised standard. It records the asset, the method, the date and the authorising party, all at serial-number level. It is the primary evidence used to demonstrate GDPR compliance, satisfy an auditor or fulfil contractual data security requirements.
Does Ego provide serial-number level certificates?
Yes. Ego Technology issues destruction and erasure reports at individual serial-number level for every device processed, not a single batch certificate covering a collection. This means every device in a disposal programme has its own auditable destruction record.
Can I get a certificate for a collection that already happened?
Yes. Ego Technology logs every collection at serial level on intake, so a Certificate of Data Destruction can be reissued retrospectively from the original project records, even if the original document was lost or never received. Contact the team with your collection date or account reference.
Does a Certificate of Data Destruction satisfy DSPT or Cyber Essentials requirements?
Yes. A serial-level Certificate of Data Destruction provides the evidence base assessors look for under DSPT (NHS and health and social care), Cyber Essentials Plus, ISO 27001 audits and ICO accountability requirements. The certificate’s named method, date and serial reference are what assessors check against your asset register.
What is the difference between certified data wiping and physical destruction certificates?
A certified data wiping certificate confirms a software erasure was completed to NCSC-aligned standards and the device remains intact for reuse. A physical destruction certificate confirms the media was mechanically destroyed and no longer exists in usable form. Both are equally valid as compliance evidence, the right method depends on whether the device is being reused.