
NHS and Healthcare IT Disposal: What Every Organisation Must Know Before 30 June 2026

The DSPT v8 submission deadline is 30 June 2026. If your healthcare organisation cannot evidence secure IT disposal, your submission is incomplete. Here is the full regulatory stack, what the Caldicott Principles mean for end-of-life assets, and the eight-point checklist every NHS and healthcare body needs before the deadline.

NanoSoft Team | 15 June 2026 | 7 min read
The DSPT v8 submission deadline is 30 June 2026. That is 15 days away. If your NHS trust, GP surgery, care home, private clinic or healthcare IT supplier cannot produce evidence of secure, documented IT asset disposal, your submission is incomplete and your organisation is exposed.

Healthcare IT disposal is not standard IT disposal with a clinical label on it. It operates under a distinct, layered regulatory framework that combines UK GDPR special category obligations, the Caldicott Principles, the NHS Data Security and Protection Toolkit, CQC inspection requirements and government security standards. Getting it wrong in healthcare carries consequences that go beyond fines: in August 2022, a ransomware attack on NHS software provider Advanced caused NHS 111 to lose access to patient records. The ICO subsequently fined the company £3.07 million, the first monetary penalty ever issued directly against a data processor under UK GDPR. The disruption was clinical as well as financial.

Key takeaways

  • DSPT v8 submission deadline is 30 June 2026. Evidence of secure IT disposal is a mandatory component.

  • Patient data is special category under UK GDPR, attracting the highest fine ceiling: £17.5M or 4% of global annual turnover.

  • The Caldicott Principles apply to end-of-life IT assets, not just active data systems.

  • CQC inspection requirements are satisfied by serial-level Certificates of Destruction from accredited providers.

  • The ICO fined an NHS software supplier £3.07M in March 2025 and Capita £14M in October 2025, both for data security failures.

Why healthcare IT disposal is a different compliance tier

When a laptop in a law firm is decommissioned, it contains confidential data. When a laptop in an NHS trust or GP surgery is decommissioned, it may contain patient records, clinical histories, medication data, mental health notes, safeguarding flags and staff health records. Every category of that data is classified as special category personal data under UK GDPR Article 9. The obligations on the data controller do not end when the device is switched off. They extend through every stage of disposal until the data is demonstrably and irreversibly destroyed.

The ICO fined Advanced Computer Software Group £3.07 million following a ransomware attack in August 2022 that led to the exfiltration of personal information, including sensitive health and medical data, belonging to 79,404 people, disrupting NHS 111 and preventing healthcare staff from accessing patient records. This was a network breach, not an IT disposal failure. But the ICO's position on what constitutes adequate data security, and what it costs when that standard is not met, is unambiguous and directly applicable to disposal processes.

In October 2025 the ICO fined Capita £14 million after a cyber attack compromised the personal data of 6.6 million individuals across 325 pension schemes, exposing home addresses, passport images, financial details and criminal records. The pattern across both cases is identical: inadequate technical measures, insufficient documentation, and consequences that far exceeded the cost of getting it right.

The regulatory stack that applies to healthcare IT disposal

Five overlapping frameworks govern how NHS and healthcare organisations must handle end-of-life IT assets.

UK GDPR and the Data Protection Act 2018. Patient data is special category data under Article 9. The accountability principle at Article 5(2) requires organisations to demonstrate appropriate technical measures through the entire data lifecycle, including disposal. Failure to do so attracts the higher fine ceiling of £17.5M or 4% of global annual turnover.

NHS Data Security and Protection Toolkit v8, aligned with the NCSC Cyber Assessment Framework. The 2025/2026 DSPT introduces full alignment with the CAF, moving organisations away from checklist-style compliance toward evidence-based, outcome-driven assurance. All NHS bodies and relevant IT suppliers are required to complete independent CAF-aligned audits, and NHS England requires all independent assessments to be completed between January and June 2026, with final submissions due 30 June 2026. Evidence of secure IT asset disposal is a required component of that submission.

The Caldicott Principles. All seven Caldicott Principles govern how patient data is handled. The obligation to protect patient data to the highest practicable standard applies at end-of-life as much as it does at the point of collection. The Caldicott Guardian in your organisation should sign off on your disposal policy and vendor selection.

Care Quality Commission inspection requirements. Certificates of Destruction, Waste Transfer Notes and detailed asset reports satisfy CQC inspection requirements for demonstrating secure IT disposal. In the absence of these documents, a CQC inspection that touches on data security governance has no evidence to assess.

HMG IS5 and NIST SP 800-88 Rev. 2. HMG Infosec Standard 5 governs secure disposal of IT assets handling government and NHS data. NIST SP 800-88 Rev. 2, updated September 2025, provides the internationally recognised technical standard for media sanitisation. Both should be named explicitly in any disposal contract and on every Certificate of Destruction.

Who this applies to

The NHS DSPT applies to a wider group of organisations than most realise. If your organisation handles health or care data, uses NHS systems including NHSmail or e-Referrals, delivers services under an NHS contract, or plans to work in UK health or social care, you must submit a DSPT self-assessment. That means GP surgeries, dental practices, pharmacies, opticians, care homes, private hospitals, mental health providers, and every IT supplier that touches NHS systems.

Every one of those organisations retires IT equipment. Every one of those organisations has an obligation to evidence what happened to the data on that equipment. For most, that evidence does not yet exist in a form that satisfies the DSPT, the ICO or a CQC inspector.

The eight-point healthcare IT disposal checklist

Work through each of these before your next disposal job and before the DSPT submission on 30 June 2026.

  1. All devices in scope confirmed. Patient systems, administrative IT, medical devices with internal storage, dictation equipment, portable diagnostic tools. If it held or touched patient data, it is in scope.

  2. Data sanitisation standard confirmed. NIST SP 800-88 Rev. 2 Purge level as a minimum. HMG IS5 where government-classified data is involved. The standard must be named on the certificate.

  3. Special category classification documented. Your DPIA or information asset register should confirm the classification of data held on each device. This feeds into the destruction method required.

  4. Serial-level Certificate of Destruction obtained. Named per device, not per batch. Signed by the certifying party. This document satisfies DSPT evidence requirements, CQC inspection and ICO audit simultaneously.

  5. Vendor certifications verified. ISO 27001 for information security, ISO 14001 for environmental management, ADISA Standard 8.0 for data destruction assurance. Ask for certificate numbers.

  6. Caldicott Guardian sign-off documented. Your Caldicott Guardian should have approved the disposal policy and the vendor selection in writing. This is DSPT evidence.

  7. Chain of custody documented end-to-end. From your site to the licensed receiving facility to final outcome. No gaps, no assumptions.

  8. DEFRA Digital Consignment ID confirmed for Q4 2026. From October 2026 every certificate must carry a DEFRA DWTS consignment reference. Confirm your vendor is registered and will provide this from that date.
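As an added illustration (not part of the original post, and not NanoSoft's own tooling), the following Python audit checks items 2, 4 and 7 of the checklist above against a constructed disposal evidence register: every device must have a serial-level, signed certificate naming an accepted sanitisation standard, and a chain of custody that starts at your site, has no gaps and ends at a final outcome. The record layout, party names and the "destroyed" terminal state are assumptions for the example.

```python
from datetime import datetime

ACCEPTED_STANDARDS = {"NIST SP 800-88 Rev. 2 Purge", "HMG IS5"}  # checklist item 2
FINAL_OUTCOMES = {"destroyed"}  # assumed terminal custody state (item 7)

def custody_findings(events, site):
    """events: (iso_timestamp, from_party, to_party) hand-offs; must start at site, be gap-free, end at a final outcome."""
    if not events:
        return ["no chain of custody recorded"]
    findings = []
    chain = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    if chain[0][1] != site:
        findings.append(f"chain does not start at {site}")
    for prev, cur in zip(chain, chain[1:]):
        if cur[1] != prev[2]:  # each hand-off must pick up where the last one ended
            findings.append(f"custody gap: {prev[2]} -> {cur[1]}")
    if chain[-1][2] not in FINAL_OUTCOMES:
        findings.append(f"chain ends at {chain[-1][2]!r}, not a final outcome")
    return findings

def audit_asset(asset, site):
    """Findings for one asset record; an empty list means items 2, 4 and 7 are evidenced."""
    findings = []
    cert = asset.get("certificate")
    if cert is None:
        findings.append("no Certificate of Destruction")
    else:
        if cert.get("serial") != asset["serial"]:
            findings.append("certificate is per-batch, not serial-level")
        if cert.get("standard") not in ACCEPTED_STANDARDS:
            findings.append(f"unaccepted sanitisation standard {cert.get('standard')!r}")
        if not cert.get("signed_by"):
            findings.append("certificate not signed by certifying party")
    return findings + custody_findings(asset.get("custody", []), site)

def audit_register(register, site):
    """Serial -> findings, listing only assets that have at least one finding."""
    return {a["serial"]: f for a in register if (f := audit_asset(a, site))}

# Constructed sample register: one compliant laptop, one with four defects.
SAMPLE_REGISTER = [
    {"serial": "LT-0001",
     "certificate": {"serial": "LT-0001", "standard": "NIST SP 800-88 Rev. 2 Purge", "signed_by": "vendor officer"},
     "custody": [("2026-06-16T09:00", "GP surgery", "courier"), ("2026-06-16T13:30", "courier", "receiving facility"),
                 ("2026-06-17T10:00", "receiving facility", "destroyed")]},
    {"serial": "LT-0002",
     "certificate": {"serial": "BATCH-2026-06", "standard": "wiped", "signed_by": ""},
     "custody": [("2026-06-16T09:00", "GP surgery", "courier"),
                 ("2026-06-17T10:00", "receiving facility", "destroyed")]},
]
```

Running `audit_register(SAMPLE_REGISTER, "GP surgery")` flags only LT-0002: a batch certificate, an unnamed standard, a missing signature, and a custody gap between the courier and the receiving facility.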

The 30 June 2026 action

If your DSPT submission is due on 30 June 2026 and you have not yet completed a healthcare IT disposal job with a certified, accredited provider this cycle, you have 15 days. NanoSoft can collect, sanitise and certify under a healthcare-appropriate compliance framework and return your documentation within days of collection. Contact us today.

Retire your IT. Recover its value. Prove it is gone.

NanoSoft provides certified IT asset disposition for NHS trusts, GP surgeries, care homes, private healthcare providers and NHS IT suppliers across the UK. Every job complies with NIST SP 800-88 Rev. 2, HMG IS5, ADISA Standard 8.0 and ISO 27001, producing the serial-level Certificate of Destruction and chain of custody documentation required for DSPT v8, CQC inspections and ICO audit.

Contact NanoSoft: services@nanosoftltd.com | 0800 677 1344 | Unit 8 & 9 Maldon Trade Park, Heybridge, Maldon CM9 4LJ, UK

NanoSoft Team

Writer at Nanosoft - covering ITAD, data security, and sustainable technology lifecycle management.
