Policy Brief and Purpose
TFix’s Data Destruction Policy refers to our commitment to provide secure, compliant,
and certified data destruction services for all digital media entrusted to us.
With this policy we ensure that all digital assets are handled with care,
destroyed using industry-approved methods, and fully documented to guarantee
complete and irreversible elimination of data. Our aim is to protect the interests of our clients,
comply with all relevant regulations, and maintain the highest standards of information security.
Policy Scope
This policy applies to all employees of TFix, including contractors and subcontractors,
as well as consultants and any external entities acting on behalf of TFix. It covers all clients,
suppliers, and other parties who provide us with data-bearing assets.
In general, this policy applies to anyone we collaborate with or who represents TFix in the process of data destruction.
Policy Elements
As part of our operations we obtain and process digital media assets containing sensitive information. This includes hard drives, SSDs, tapes, optical media, and other devices. Once these assets are under our custody the following principles apply.
Our destruction processes will be:
- Certified, documented, and compliant with applicable regulations.
- Conducted using industry-recognised methods such as software erasure (using certified tools like Blancco, WhiteCanyon, and KillDisk), ATA Secure Erase, multi-pass overwriting that meets DoD and NIST standards, or physical shredding and crushing of hard drives, SSDs, tapes, and optical media.
- Performed in secure facilities with restricted access, using sealed containers and GPS-tracked transport where required.
- Supported by a fully documented chain of custody from collection through to final destruction.
Our destruction processes will not:
- Permit any device to leave TFix facilities with data still present.
- Rely on non-certified or informal erasure methods.
- Be transferred to third parties who cannot demonstrate equivalent standards.
If a software erasure fails or a device cannot be securely wiped, the media is immediately destroyed physically by shredding or crushing, with this action recorded in the final report.
Certification and Reporting
Each destruction process is fully documented and clients receive a tamper-proof Certificate of Destruction or Certificate of Erasure Report. Certificates include serial numbers, asset details, destruction method used, and compliance references. Reports are designed to meet the requirements of UK GDPR, the Data Protection Act 2018, NHS Digital, MOD, financial sector regulations, and ISO 27001 information security principles.
Compliance and Standards
TFix complies with UK GDPR and the Data Protection Act 2018, WEEE regulations for environmentally responsible recycling, NHS Digital data security and protection requirements, MOD and financial sector standards for secure data handling, and ISO 27001 principles of information security.
Security and Assurance
All data-bearing assets are handled within secure facilities under restricted access controls. Transport is carried out in sealed containers using GPS-tracked vehicles. Clients are assured that data is permanently and irreversibly destroyed, full documentation is provided for audit and compliance, and all residual equipment is recycled responsibly in line with environmental regulations.
Actions and Commitments
To uphold this policy TFix is committed to restricting and monitoring access to secure areas, training staff in data destruction and security practices, maintaining transparent communication with clients, and regularly reviewing procedures to remain compliant with evolving standards. Procedures exist for managing failed erasures, breaches, or other incidents affecting data security.
Disciplinary Consequences
All principles in this policy must be strictly adhered to. Any breach by employees, contractors, or representatives of TFix will result in disciplinary action and may also lead to legal proceedings.