In 2019, Brighton and Sussex University Hospitals NHS Trust was fined £70,000 by the Information Commissioner's Office. The reason? Patient records found on a hard drive sold on eBay. The equipment had been decommissioned, moved through several contractors, and eventually ended up in the hands of a member of the public who could access confidential patient data with minimal effort.
This isn't an isolated incident. Between 2018 and 2023, the ICO recorded over 30 separate cases where NHS trusts, CCGs, or primary care providers reported data breaches linked to improper disposal of IT equipment. The penalties range from warnings to six-figure fines, but the reputational damage and loss of public trust are harder to quantify.
Why NHS ITAD Is Different from Commercial IT Disposal
If you work in NHS procurement or information governance, you already know that patient data isn't like other business data. Under the Data Protection Act 2018 and UK GDPR, patient records are classified as special category data—the highest level of protection. This means:
- Caldicott principles apply: Any disclosure, including accidental exposure through improper disposal, is a breach of patient confidentiality.
- NHS Digital requires audit trails: When IT equipment containing patient data is decommissioned, there must be documented evidence of secure destruction.
- Retention schedules still apply: Some equipment may need to be held before destruction to meet records management requirements under the NHS Records Management Code of Practice for Health and Social Care 2021.
A commercial business might accept a basic certificate of destruction and move on. An NHS trust has to satisfy multiple layers of accountability: the ICO, NHS Digital, the Caldicott Guardian, and in serious cases, the Care Quality Commission.
What Equipment Actually Contains Patient Data?
The obvious answer is servers, workstations, and laptops used by clinical or administrative staff. But patient data has a habit of appearing in unexpected places:
- Mobile diagnostic equipment: Portable ultrasound machines, ECG monitors, and blood gas analysers often store patient identifiers and test results locally.
- Multifunction printers and copiers: Many modern devices have hard drives that cache scanned documents, including referral letters, lab reports, and prescription records.
- USB drives and portable media: These tend to proliferate in clinical environments. Even if they're not supposed to hold patient data, they often do.
- Backup tapes and external drives: These are sometimes forgotten in storage rooms when IT infrastructure is upgraded.
A proper ITAD process doesn't just handle the obvious stuff. It requires a systematic audit of what's being decommissioned and a risk assessment of what data might be present.
Certificates of Destruction: What Actually Counts as Evidence?
NHS trusts are used to dealing with paperwork, but certificates of destruction are not all created equal. If an information governance manager is trying to demonstrate compliance in an audit or after a data breach, these are the details that matter:
- Asset-level tracking: The certificate should list individual serial numbers, not just "10x laptops." If a device goes missing, you need to know which one.
- Destruction method: "Securely disposed of" is not sufficient. The standard recognised by NHS Digital and the ICO is physical destruction to at least HMG Infosec Standard 5 (Baseline) or its successor, NCSC guidance on secure sanitisation. For high-risk devices, this means shredding or degaussing, not just software wiping.
- Chain of custody: If equipment is collected by a third party, transported to a destruction facility, and processed there, the certificate should show each step. Any break in the chain is a potential liability.
- WEEE compliance: NHS trusts are legally required to dispose of electrical waste through authorised treatment facilities. The certificate should include the Environment Agency registration number for the facility.
If a supplier offers you a generic template certificate with blanks filled in by hand, that's a red flag. Proper ITAD providers generate certificates automatically from their tracking systems with timestamps, photos, and full audit trails.
The Practical Problem: Budget Constraints and Competing Priorities
Let's be honest—NHS trusts are not flush with cash. IT budgets are stretched, procurement timelines are long, and ITAD often feels like an administrative burden rather than a priority. It's easier to let old equipment pile up in storage rooms than to navigate the tendering process for a compliant disposal service.
But the false economy here is obvious. A £70,000 ICO fine is bad. A data breach involving thousands of patients that makes the local news is worse. The reputational cost and the impact on public trust can take years to recover from.
There's also a missed opportunity. Working IT equipment that's been securely wiped can be resold, and NHS trusts are entitled to recover that value. Laptops, tablets, and even older servers have a secondary market value if they're processed properly. A good ITAD provider doesn't charge for disposal—they pay you for the recovered assets and charge a service fee that's offset by the resale value.
For equipment that's truly end-of-life, WEEE recycling generates small returns from recovered metals and plastics. It's not a lot, but on a trust-wide scale with hundreds or thousands of devices, it adds up.
What Good ITAD Looks Like for an NHS Trust
A proper ITAD process for the NHS should look something like this:
- Initial audit: An inventory of all IT equipment being decommissioned, including serial numbers, asset tags, and a risk assessment of what data might be present.
- On-site collection: Secure transport from the trust premises to the processing facility, with chain of custody documentation at each stage.
- Data sanitisation or destruction: Depending on risk level, either certified software wiping (for resale-grade equipment) or physical destruction (for high-risk devices or anything that's failed).
- Certification: Asset-level certificates of destruction issued within days, not weeks, with full traceability.
- WEEE compliance: Processing through an Environment Agency-registered facility, with waste transfer notes and recycling certificates issued as part of the package.
- Value recovery: Working equipment is resold, and the trust receives a credit against the service fee or a direct payment depending on contract terms.
The key thing is that this isn't a one-off job. NHS trusts refresh IT equipment on a rolling basis—ward computers, admin laptops, servers reaching end-of-life. A good ITAD provider should offer a framework agreement or call-off contract that allows individual departments or sites to dispose of equipment as needed without re-tendering every time.
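The certificate checklist earlier in the article (serial-level entries, destruction method, chain of custody, EA registration) and the process steps listed above describe the same evidence from two angles. As an added illustration, not code from the article or from any NHS trust or supplier, this Python sketch checks a constructed certificate record against those criteria; the record layout, the "high"/"standard" risk labels, the method names and all organisation names are assumptions.

```python
"""Check a certificate of destruction against the article's criteria: per-serial
entries, method matched to device risk, an unbroken chain of custody and an EA
registration number. Added example (not an NHS or supplier tool); data constructed."""
from datetime import datetime
# Article: high-risk devices need shredding or degaussing, not software wiping.
# (Degaussing only works on magnetic media, so treat SSDs as shred-only.)
ALLOWED_METHODS = {
    "high": {"shred", "degauss"},
    "standard": {"shred", "degauss", "software_wipe"},
}

def check_certificate(cert):
    """Return a list of findings; an empty list means the certificate passes."""
    findings = []
    if not cert.get("ea_registration"):
        findings.append("missing Environment Agency registration number")
    for asset in cert["assets"]:
        serial = asset.get("serial")
        if not serial:  # e.g. a "10x laptops" line with no serial numbers
            findings.append(f"asset entry without serial number: {asset!r}")
        elif asset["method"] not in ALLOWED_METHODS.get(asset["risk"], set()):
            findings.append(f"{serial}: {asset['method']!r} not acceptable "
                            f"for a {asset['risk']}-risk device")
    # Custody must run trust -> ... -> facility; each handover starts where the
    # previous one ended and is later in time.
    chain = cert["chain_of_custody"]
    if not chain or chain[0]["from"] != cert["trust"] or chain[-1]["to"] != cert["facility"]:
        findings.append("chain of custody does not run from trust to facility")
    for prev, step in zip(chain, chain[1:]):
        if step["from"] != prev["to"]:
            findings.append(f"custody gap: {prev['to']} -> {step['from']}")
        if datetime.fromisoformat(step["at"]) <= datetime.fromisoformat(prev["at"]):
            findings.append(f"custody timestamps out of order at {step['at']}")
    return findings

# Constructed sample certificate carrying four defects the article warns about.
SAMPLE_CERT = {
    "trust": "Example NHS Trust", "facility": "Example ITAD Facility",
    "ea_registration": "",  # blank: no EA registration number supplied
    "assets": [
        {"serial": "SN-0001", "risk": "standard", "method": "software_wipe"},
        {"serial": "SN-0002", "risk": "high", "method": "software_wipe"},
        {"description": "10x laptops", "risk": "standard", "method": "shred"},
    ],
    "chain_of_custody": [  # Courier A hands to Courier B with no record: a gap
        {"from": "Example NHS Trust", "to": "Courier A", "at": "2024-01-10T09:00"},
        {"from": "Courier B", "to": "Example ITAD Facility", "at": "2024-01-10T15:30"},
    ],
}
```

Running `check_certificate(SAMPLE_CERT)` returns four findings: the blank EA registration, the high-risk device that was only software-wiped, the "10x laptops" line with no serials, and the custody gap between the two couriers.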
GP Surgeries and Primary Care: A Different Challenge
GP surgeries face the same data protection obligations as hospital trusts, but often lack the procurement resources or information governance expertise to manage ITAD properly. Many practices are small businesses with a dozen staff and a part-time practice manager handling compliance.
The risk here is that equipment is often disposed of informally—donated to schools, given to staff members taking it home, or simply thrown in a skip when the practice moves premises. If patient data ends up on eBay or in a charity shop, the ICO will still hold the practice accountable, regardless of how small it is.
Primary Care Networks (PCNs) and Integrated Care Boards (ICBs) are increasingly offering shared services for ITAD, which makes sense. A contracted provider can offer a call-out service where practices across a region use the same framework, get consistent pricing, and benefit from economies of scale. This also ensures that small practices meet the same standards as large hospital trusts.
References
- ICO (2019): Brighton and Sussex University Hospitals NHS Trust fined £70,000 for data breach
- NHS England (2021): Records Management Code of Practice for Health and Social Care 2021
- NCSC (2024): Secure sanitisation of storage media
- Department for Health and Social Care (2013): Information: To share or not to share? The Information Governance Review (Caldicott 2 Report)