FOI release

Type of recorded assurance held by MHRA

Case reference FOI2026/00282

Received 12 March 2026

Published 6 May 2026

Request

To avoid any misunderstanding, I would like to clarify the distinction I am drawing. I am not questioning the adequacy of your processes or suggesting anything is being done incorrectly. My enquiry relates solely to the type of recorded assurance held by your organisation.

You note that the Agency receives outcome based reports and certificates from third party suppliers. A certificate or record confirming that an erasure process was applied demonstrates that a recognised method was used. What I am seeking to understand is whether your organisation holds any recorded evidence of the outcome, namely evidence that the data on a specific storage device is irrecoverable following erasure, rather than confirmation that the erasure process was executed.

With that distinction in mind, please confirm:

1. Do the IT asset disposal certificates or related contractual terms held by your organisation constitute an explicit outcome based warranty or guarantee that the personal data on each specific storage device has been rendered irrecoverable as a final data state, or do they primarily confirm that a certified erasure process was followed?

2. Beyond reliance on supplier accreditation, recognised standards including but not limited to ADISA certification, ISO accreditation, HMG IA standards, or confirmation that an erasure process was completed, does your organisation hold any recorded, device specific documentation evidencing independent verification, testing, or validation that the data on the particular storage media processed has been rendered irrecoverable in practice?

For clarity, this request relates specifically to recorded outcome evidence demonstrating irrecoverability of data on the individual storage device, not documentation confirming that an accredited or certified method was applied.
If no explicit outcome based warranty or device specific outcome evidence is held beyond certification, accreditation, or confirmation of process completion, please confirm accordingly. I am not seeking technical configuration detail, only clarification of the recorded assurance basis relied upon when concluding irrecoverability of the final data state.

Response

See attached

Documents

This is Medicines and Healthcare products Regulatory Agency's response to a freedom of information (FOI) or environmental information regulations (EIR) request.
