See notes
Follow on request to WBCIR:21353
Thank you for your response. You have confirmed that the Council relies on ISO 27001 aligned processes, supplier certificates, and asset inventory sheets (AIS) as the assurance model for software-based data destruction.
To ensure I correctly understand the basis of this assurance, please provide the following recorded information:
1. Wording of any outcome-based warranty or guarantee
Please confirm whether the Certificates of Data Destruction (COD) or any related contractual documentation contain an explicit outcome-based warranty or guarantee that the personal data on each specific storage device has been rendered irrecoverable as a final data state.
The Certificate of Destruction contains the following wording:
"This is to certify that the devices listed on the attached manifest have had their data erased to US Department of Defence standard DOD 5220.22-M"
2. If so, please provide the relevant wording of that warranty or guarantee (with commercially sensitive information redacted as appropriate).
A certificate of destruction is received with wording and assurance as above.
Clarification of documentation provided
The asset inventory sheet provided appears to record asset details and processing status but does not appear to contain any statement regarding the irrecoverability of the final data state.
3. Please confirm whether any documentation held by the Council contains an explicit statement confirming that the data on each specific device is irrecoverable, as distinct from confirmation that a sanitisation process was completed.
There is no wording or warranty given that personal data on each device has been rendered irrecoverable on any other documentation that is held by the council.
4. Confirmation where no such wording exists
If no explicit outcome-based warranty or device-specific outcome evidence exists beyond confirmation that a sanitisation process was completed in accordance with recognised standards, please confirm accordingly.
A certificate of destruction is received with wording and assurance as above.
This request relates solely to the recorded assurance relied upon when concluding that the final data state of each device is irrecoverable.