ITAD for NHS providers: a complete guide to secure IT disposal in the NHS

1) What NHS trusts actually need from ITAD providers

NHS procurement teams are primarily concerned with data security and environmental compliance. The core services they need are:

• Secure data destruction — certified wiping or physical destruction of hard drives, SSDs, and storage media
• WEEE-compliant disposal — registered treatment under the Waste Electrical and Electronic Equipment regulations
• Chain of custody documentation — asset-level tracking from collection to final disposal or remarketing
• Certificates of destruction — formal evidence for audit purposes
• Remarketing or recycling — value recovery where possible, zero-landfill commitment

Hospitals also have unique requirements around medical-grade IT equipment, which may have different handling needs and decommissioning documentation requirements from clinical systems teams.

2) NHS procurement cycles and timelines

Understanding when NHS trusts go to market is essential for effective outreach. Typical patterns include:

• Hardware refresh cycles — typically three to five years, often aligned to the end of finance leases or support contracts
• Financial year-end activity — April to June is common for ITAD procurements as trusts clear old equipment before year-end
• Major estate moves or consolidations — mergers, new builds, and site closures create large one-off disposal needs
• Data centre decommissions — moving to cloud infrastructure creates server and storage disposal volumes

Most ITAD contracts above the public procurement threshold (currently £213,477 for central government, lower for some NHS bodies) must be advertised on Find a Tender. Smaller one-off disposals may be procured by direct quote or framework call-off.

3) Key procurement portals for NHS ITAD opportunities

• Find a Tender — mandatory for contracts above threshold
• Contracts Finder — for contracts above £12,000 (central government and NHS)
• Atamis — the NHS eCommercial system used across many trusts for tendering and supplier management
• NHS SBS (Shared Business Services) — framework agreements often used by trusts for ITAD call-offs
• Crown Commercial Service — national frameworks that some NHS bodies use

Set up keyword alerts for: IT asset disposal, data destruction, WEEE, secure disposal, ITAD, media sanitisation, hard drive destruction.

4) DSPT and data security requirements

The Data Security and Protection Toolkit (DSPT) is the NHS's framework for assessing data security. As an ITAD supplier, you may encounter DSPT requirements when:

• Your contract involves handling assets that previously held NHS patient data
• You have physical access to NHS sites or systems during collection
• The trust includes DSPT assessment in their supplier due diligence process

Even if full DSPT compliance isn't required, being able to demonstrate a clear data governance position — documented sanitisation standards, chain of custody, and staff vetting — will strengthen your bid considerably.

5) Certifications that help win NHS ITAD contracts

6) How to write a winning NHS ITAD bid

NHS evaluators score on value for money, security and compliance, and operational capability. The most common mistakes ITAD suppliers make in NHS bids:

• Vague security descriptions — always be specific: "our sanitisation process follows NIST 800-88 Rev 1" beats "we securely wipe data"
• No evidence — include redacted sample certificates, wipe reports, and chain of custody examples
• Ignoring sustainability — NHS net zero commitments make environmental credentials increasingly important
• Overlooking logistics detail — explain collection, packaging, transport security, and site-level procedures