
End of Life IT Equipment

Request

Under the Freedom of Information Act 2000, please provide the following recorded information held by your department regarding assurance processes for software based data erasure of end of life IT equipment.

For clarity, this request relates solely to software based data destruction. Please exclude physical destruction methods such as shredding, crushing, degaussing or disintegration.

  1. Please confirm whether departmental policy, contractual terms or internal procedures require an explicit outcome based warranty or guarantee confirming that personal data has been rendered irretrievable through software based erasure, whether carried out internally or by an external provider.

  2. Where software based data destruction is performed internally, what recorded evidential assurance does the department rely upon to conclude that the final data state is irretrievable?

  3. Where software based data destruction is performed by a third party provider, does the department hold recorded information demonstrating that any warranty or assurance provided explicitly extends to the software erasure method used and its claimed effectiveness? If so, please confirm the recorded nature of that verification.

  4. Where no explicit outcome based warranty is required or provided, what recorded form of evidential assurance does the department rely upon to conclude that software based erasure has rendered personal data irretrievable?

I am not requesting technical configuration detail, security sensitive information or supplier specific vulnerabilities. I am seeking confirmation of the assurance model relied upon for software based data destruction.

Response

Thank you for your request which has been processed under the Freedom of Information Act 2000 (FOIA). 

In your email you have requested information regarding assurance processes for software-based data erasure of end-of-life IT equipment. The Gambling Commission’s response is as follows:

  1. Please confirm whether departmental policy, contractual terms or internal procedures require an explicit outcome-based warranty or guarantee confirming that personal data has been rendered irretrievable through software-based erasure, whether carried out internally or by an external provider.

Yes, for software data destruction the Commission’s policy is to use the Microsoft Surface Data Eraser tool to ensure complete data removal followed by a secondary removal process completed by a 3rd party contractor that must be compliant and certified approved to ISO 9001, ISO 14001, ISO 45001, ISO 20000-1 and ISO 27001.

  2. Where software-based data destruction is performed internally, what recorded evidential assurance does the department rely upon to conclude that the final data state is irretrievable?

None. This is why the Commission has a mandatory two-stage removal policy, stage 1 being internal removal, stage 2 being further removal by a contractor – please see the answer to question one.

  3. Where software-based data destruction is performed by a third-party provider, does the department hold recorded information demonstrating that any warranty or assurance provided explicitly extends to the software erasure method used and its claimed effectiveness? If so, please confirm the recorded nature of that verification.

The 3rd party contractor uses Blancco to erase data and they record the information onto their server which provides a Blancco certificate with the make, model, serial number, and a tracking ID.

This software is CESG (now part of the NCSC) approved which is how we assure ourselves of the effectiveness of the process.

  4. Where no explicit outcome-based warranty is required or provided, what recorded form of evidential assurance does the department rely upon to conclude that software-based erasure has rendered personal data irretrievable?

Please see the answer to question three. Further, a certificate of evidence is provided for the data erasure per device.

Review of the decision

If you are unhappy with the service you have received in relation to your Freedom of Information request you are entitled to an internal review of our decision. You should write to FOI Team, Gambling Commission, 4th floor, Victoria Square House, Victoria Square, Birmingham, B2 4BP or by reply to this email. 

Please note, internal review requests should be made within 40 working days of the initial response. Requests made outside this timeframe will not be processed.

If you are not content with the outcome of our review, you may then apply directly to the Information Commissioner (ICO) for a decision. Generally, the ICO cannot make a decision unless you have already exhausted the review procedure provided by the Gambling Commission. 

It should be noted that if you wish to raise a complaint with the ICO about the Commission’s handling of your request for information, then you are required to do so within six weeks of receiving your final response or last substantive contact with us.

The ICO can be contacted at: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

Information Management Team
Gambling Commission
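The response above describes a two-stage erasure model whose only recorded evidence is a per-device contractor certificate carrying make, model, serial number and a tracking ID. The practical check that follows from that model is reconciliation: every device on the disposal list should have a successful record for both stages, the certificate's make and model should match the asset register, and there should be no certificates for devices that were never on the list. The following is an added example of such a reconciliation, written for this page; it is not the Commission's, Blancco's or any contractor's code. The `stage` and `status` fields, the `DisposedAsset` and `EraseCertificate` record types, and all sample records are assumptions constructed for illustration; only make, model, serial number and tracking ID come from the page.

```python
"""Reconcile an asset-disposal list against per-device erasure records.

Added example for this page. The record layouts and sample data below are
constructed for illustration and are not taken from any real certificate.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class DisposedAsset:
    """One row of the organisation's disposal list (assumed layout)."""
    asset_tag: str
    make: str
    model: str
    serial: str


@dataclass(frozen=True)
class EraseCertificate:
    """One erasure record. make/model/serial/tracking_id are the fields the
    page names; stage ("internal" or "contractor") and status ("success" or
    "failed") are assumed fields added for this example."""
    make: str
    model: str
    serial: str
    tracking_id: str
    stage: str
    status: str


def _norm(value: str) -> str:
    """Serials and model strings are compared case- and whitespace-insensitively."""
    return value.strip().upper()


def reconcile(assets: Iterable[DisposedAsset],
              certs: Iterable[EraseCertificate]) -> List[Tuple[str, str]]:
    """Return (identifier, finding) pairs for every gap in the evidence chain."""
    by_serial: Dict[str, List[EraseCertificate]] = {}
    for cert in certs:
        by_serial.setdefault(_norm(cert.serial), []).append(cert)

    findings: List[Tuple[str, str]] = []
    for asset in assets:
        records = by_serial.get(_norm(asset.serial), [])
        # Only successful records count as evidence for a stage.
        evidenced = {c.stage for c in records if c.status == "success"}
        if "internal" not in evidenced:
            findings.append((asset.asset_tag, "no successful internal (stage 1) record"))
        if "contractor" not in evidenced:
            findings.append((asset.asset_tag, "no successful contractor (stage 2) certificate"))
        # A certificate whose make/model disagree with the register may describe a different device.
        for c in records:
            if _norm(c.make) != _norm(asset.make) or _norm(c.model) != _norm(asset.model):
                findings.append((asset.asset_tag,
                                 f"certificate {c.tracking_id} make/model does not match asset record"))

    # Certificates for serials never on the disposal list: either an unrecorded
    # disposal or a certificate that belongs to someone else's device.
    listed = {_norm(a.serial) for a in assets}
    for serial, records in by_serial.items():
        if serial not in listed:
            for c in records:
                findings.append((c.tracking_id, "certificate for serial not on disposal list"))
    return findings


# Constructed sample data: three disposed devices and their records.
ASSETS = [
    DisposedAsset("GC-0001", "Microsoft", "Surface Pro 7", "SN-AAA111"),
    DisposedAsset("GC-0002", "Microsoft", "Surface Laptop 3", "SN-BBB222"),
    DisposedAsset("GC-0003", "Microsoft", "Surface Pro 7", "SN-CCC333"),
]
CERTS = [
    EraseCertificate("Microsoft", "Surface Pro 7", "SN-AAA111", "INT-1", "internal", "success"),
    EraseCertificate("Microsoft", "Surface Pro 7", "SN-AAA111", "BL-1001", "contractor", "success"),
    EraseCertificate("Microsoft", "Surface Laptop 3", "sn-bbb222", "INT-2", "internal", "success"),
    EraseCertificate("Microsoft", "Surface Laptop 3", "SN-BBB222", "BL-1002", "contractor", "failed"),
    EraseCertificate("Microsoft", "Surface Pro 7", "SN-CCC333", "INT-3", "internal", "success"),
    EraseCertificate("Microsoft", "Surface Pro 6", "SN-CCC333", "BL-1003", "contractor", "success"),
    EraseCertificate("Microsoft", "Surface Go", "SN-DDD444", "BL-1004", "contractor", "success"),
]

if __name__ == "__main__":
    for ident, finding in reconcile(ASSETS, CERTS):
        print(f"{ident}: {finding}")
```

Run against the sample data, only GC-0001 passes: GC-0002 has a failed contractor erasure and so no stage 2 evidence, GC-0003's contractor certificate names a different model than the register, and BL-1004 certifies a serial that was never on the disposal list. Those are exactly the cases a certificate on its own does not surface, which is why the reconciliation, not the certificate, is the recorded assurance worth keeping.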
