Can I use the ITAD checklist for a public sector tender?

Yes. The procurement checklist is designed for NHS, council, and university procurement. The compliance language reflects UK GDPR, WEEE Regulations 2013, and common public sector certification requirements.

Free ITAD Procurement Tools & Templates | UK IT Disposal Resources

Q: Which certification should I prioritise when evaluating an ITAD supplier?

For data-bearing assets, ADISA certification is most relevant. ISO 27001 is important for overall information security management. WEEE ATF registration is a baseline statutory requirement. For most NHS or council contracts, ADISA, ISO 27001, and WEEE ATF registration meet minimum qualification criteria.

Q: What should a certificate of data destruction include?

A valid certificate should include: date of destruction, list of assets with serial numbers, destruction method, name and signature of authorised operative, company name and registration, and client reference.

Downloadable tools

ITAD Procurement Checklist

For: procurement teams, IT managers

Free

A practical list to work through before pricing stage to avoid scope gaps, compliance language issues, and documentation failures at award. Covers data destruction evidence, WEEE compliance, chain of custody, collection logistics, and reporting format requirements.

When to use: Before issuing an ITT or requesting quotes. Use it to align internal stakeholders (IT, legal, finance) on what the ITAD scope must include.

[ ] Data destruction standard specified (NIST 800-88 or CESG/HMG IS5)
[ ] WEEE Evidence Notes required from supplier
[ ] Certificate of destruction format agreed
[ ] Chain of custody format agreed
[ ] Collection coverage confirmed across all sites...

Download .txt

Chain of Custody Template

For: IT teams, asset managers, finance

Free

A standardised format for recording handover of IT assets from your organisation to an ITAD supplier. Captures asset details, handover date, responsible parties, and collection reference — all required fields for a clean audit trail.

When to use: At the point of collection. Ask your ITAD supplier to co-sign this document at handover. Retain with your destruction certificates for your ICO or DPA compliance records.

Asset ID | Serial No | Type | Condition
-------- | --------- | ---- | ---------
[ID] | [SN] | Laptop | Used

Collection date: ___________
Authorised by: ___________...

Download .txt

Sector procurement guides

How different parts of the public sector buy ITAD services — including the specific frameworks, scoring language, and compliance requirements for each sector.

NHS Procurement

Covers NHS SBS and Crown Commercial Service frameworks, data-destruction evidence requirements for patient record systems, and how DSPT compliance affects supplier selection.

Read guide →

Council Tenders

ESPO, NEPO, and YPO framework routes for local authorities, typical ITT timelines, wording patterns in council ITAD tenders, and common scoring weightings.

Read guide →

Universities

How higher education procurement teams use JISC, Crescent Purchasing Consortium, and open Contracts Finder tenders. What UCISA guidance recommends for data handling.

Read guide →

Compliance reference tables

Quick reference for what each certification or regulation requires — use these when writing tender requirements or evaluating supplier credentials.

ITAD certification comparison

Certification	Issued by	Covers	Required for
ADISA	IT Asset Disposal & Information Security Alliance	Data security throughout the ITAD process	NHS, public sector, high-security environments
ISO 27001	BSI / accredited certification body	Information security management systems	Public sector tenders, NHS SBS framework eligibility
BS EN 15713	BSI	Secure destruction of confidential material	Physical media destruction contracts, council tenders
Cyber Essentials	NCSC / IASME	Baseline cybersecurity controls	UK government contract supply chain requirements
WEEE Authorised Treatment Facility	Environment Agency	Compliant electrical equipment recycling	All ITAD disposals — statutory requirement

WEEE compliance requirements

Requirement	What it means in practice	Who provides evidence
Authorised Treatment Facility (ATF)	ITAD supplier must process WEEE at an EA-registered ATF	Supplier provides ATF registration number
WEEE Evidence Notes	Written confirmation that EEE has been received and treated at an ATF	Supplier issues Evidence Notes after processing
Duty of Care (Environmental Protection Act)	Your organisation must ensure WEEE is transferred to authorised carriers	Consignment note + carrier's waste licence
Record keeping	Retain WEEE Evidence Notes for minimum 4 years	Your organisation retains — supplier provides

Frequently asked questions

Can I use the checklist for a public sector tender?

Yes. The procurement checklist is designed to be usable for NHS, council, and university procurement. The compliance language in it reflects UK GDPR, WEEE Regulations 2013, and common public sector certification requirements. You'll need to adapt the scope and quantities for your specific contract.

What is a chain of custody document and do I legally need one?

A chain of custody document records the transfer of IT assets from your organisation to the ITAD supplier. While not explicitly required by a single piece of legislation, it is considered best practice under UK GDPR accountability requirements (Article 5(2)) and is typically required as part of an NHS or council ITAD contract. Without it, proving compliant disposal in an audit is significantly harder.

Which certification should I prioritise when evaluating an ITAD supplier?

For data-bearing assets, ADISA certification is the most relevant — it specifically audits the data security aspects of IT disposal. ISO 27001 is important for overall information security management. WEEE ATF registration is a baseline statutory requirement. BS EN 15713 is relevant if physical destruction of media is part of the scope. For most NHS or council contracts, a supplier holding ADISA, ISO 27001, and WEEE ATF registration will meet the minimum qualification criteria.

What should a certificate of data destruction include?

A valid certificate of data destruction should include: date of destruction, list of assets with serial numbers, destruction method (software overwrite to NIST 800-88 or physical shredding), the name and signature of the authorised operative, the company name and registration, and the client reference. For NHS contracts, the certificate should also reference the overwrite standard and whether any assets were found non-destructible and how they were handled.

Can I download the tools as PDF or Excel?

Currently the tools are available as plain .txt files, which can be opened in any text editor, Word, or Google Docs and reformatted to your organisation's template. The plain text format is intentionally unformatted so it can be copied directly into your own documentation without style conflicts. Formatted PDF and Excel versions are planned.

Related guides

ITAD Compliance Checklist: WEEE & Data Destruction

Full compliance walkthrough for UK organisations

NHS Trust ITAD: Data Destruction & Patient Records

How NHS trusts handle patient data on disposed IT assets

WEEE Evidence Note Checklist for ITAD Suppliers

What WEEE Evidence Notes must contain and how to verify them

Data Destruction Certificate: Example Fields

What a valid certificate of data destruction should include

Downloadable tools

ITAD Procurement Checklist

Chain of Custody Template

Sector procurement guides

NHS Procurement

Council Tenders

Universities

Compliance reference tables

ITAD certification comparison

WEEE compliance requirements

Frequently asked questions

Related guides

ITAD Compliance Checklist: WEEE & Data Destruction

NHS Trust ITAD: Data Destruction & Patient Records

WEEE Evidence Note Checklist for ITAD Suppliers

Data Destruction Certificate: Example Fields

Get listed or buy verified leads