NHS ITAD services: what trusts and hospitals need to know
The NHS is one of the largest users of IT equipment in Europe — over 1.3 million employees, hundreds of trusts, hospitals, GP surgeries, and NHS bodies all managing substantial IT estates. Certified ITAD services are essential for securely decommissioning that equipment while meeting stringent data protection, WEEE, and governance requirements.
For NHS procurement teams, this guide covers what to look for in a certified ITAD provider, which accreditations matter, and how to procure using NHS SBS and CCS frameworks. For ITAD providers, it covers procurement cycles, DSPT requirements, and the portals where NHS contracts are advertised.
Every three to five years, trusts go through hardware refresh cycles — replacing PCs, laptops, servers and specialist medical IT. Understanding the full compliance picture helps ensure disposal is secure, auditable, and aligned with ICO and NHS information governance (IG) requirements.
1) What NHS Trusts need from ITAD services
NHS procurement teams require ITAD services that meet data security, governance and environmental standards. The core requirements are:
- Secure data destruction — certified wiping or physical destruction of hard drives, SSDs, and storage media
- WEEE-compliant disposal — registered treatment under the Waste Electrical and Electronic Equipment regulations
- Chain of custody documentation — asset-level tracking from collection to final disposal or remarketing
- Certificates of destruction — formal evidence for audit purposes
- Remarketing or recycling — value recovery where possible, zero-landfill commitment
Hospitals also have unique requirements around medical-grade IT equipment, which may need different handling and may be subject to separate decommissioning documentation requirements set by clinical systems teams.
2) NHS procurement cycles and timelines
Understanding when NHS trusts go to market is essential for effective outreach. Typical patterns include:
- Hardware refresh cycles — typically three to five years, often aligned to the end of finance leases or support contracts
- Financial year-end activity — April to June is common for ITAD procurements as trusts clear old equipment before year-end
- Major estate moves or consolidations — mergers, new builds, and site closures create large one-off disposal needs
- Data centre decommissions — moving to cloud infrastructure creates server and storage disposal volumes
Most ITAD contracts above the public procurement threshold (currently £213,477 for central government, lower for some NHS bodies) must be advertised on Find a Tender. Smaller one-off disposals may be procured by direct quote or framework call-off.
3) Key procurement portals for NHS ITAD opportunities
- Find a Tender — mandatory for contracts above threshold
- Contracts Finder — for contracts above £12,000 (central government and NHS)
- Atamis — the NHS eCommercial system used across many trusts for tendering and supplier management
- NHS SBS (Shared Business Services) — framework agreements often used by trusts for ITAD call-offs
- Crown Commercial Service — national frameworks that some NHS bodies use
Set up keyword alerts for: IT asset disposal, data destruction, WEEE, secure disposal, ITAD, media sanitisation, hard drive destruction.
4) DSPT and data security requirements
The Data Security and Protection Toolkit (DSPT) is the NHS's framework for assessing data security. As an ITAD supplier, you may encounter DSPT requirements when:
- Your contract involves handling assets that previously held NHS patient data
- You have physical access to NHS sites or systems during collection
- The trust includes DSPT assessment in its supplier due diligence process
Even if full DSPT compliance isn't required, being able to demonstrate a clear data governance position — documented sanitisation standards, chain of custody, and staff vetting — will strengthen your bid considerably.
5) Certifications that help win NHS ITAD contracts
Data security
- ✓ ISO 27001
- ✓ ADISA Asset Recovery Standard
- ✓ Cyber Essentials / Cyber Essentials Plus
- ✓ HMG IA7 / NIST 800-88 sanitisation methods
Environmental compliance
- ✓ WEEE registration (Environment Agency)
- ✓ ISO 14001
- ✓ Approved Authorised Treatment Facility (AATF)
- ✓ BS EN 15713 secure destruction
6) How to write a winning NHS ITAD bid
NHS evaluators score on value for money, security and compliance, and operational capability. The most common mistakes ITAD suppliers make in NHS bids are:
- Vague security descriptions — always be specific: "our sanitisation process follows NIST 800-88 Rev 1" beats "we securely wipe data"
- No evidence — include redacted sample certificates, wipe reports, and chain of custody examples
- Ignoring sustainability — NHS net zero commitments make environmental credentials increasingly important
- Overlooking logistics detail — explain collection, packaging, transport security, and site-level procedures
NHS ITAD bid readiness checklist
- Alerts set on Contracts Finder, Find a Tender, and Atamis
- WEEE registration current and renewal dates tracked
- ISO 27001 or ADISA in place (or in progress)
- Sanitisation method documented to NIST or HMG standard
- Redacted sample certificates and wipe reports ready to attach
- Chain of custody process documented end to end
- Net zero / environmental position written up
- DSPT position understood and documented if required