Data sanitization is the deliberate, permanent removal of data from a device so it cannot be recovered, via wiping, degaussing, or physical destruction.
Data sanitization (also spelled data sanitisation in British English) is the deliberate, permanent removal of data from a storage device so that it cannot be recovered, even with forensic tools. It is the step that makes it safe for a data-bearing device to leave your control - whether it is being resold, donated, recycled, or handed to a disposal vendor as part of an IT asset disposition (ITAD) process.
Note the gap between sanitization and what most people do instead. Emptying the recycle bin, deleting a user profile, or quick-formatting a drive removes the signposts to the data, not the data. Until the underlying blocks are overwritten or destroyed, ordinary recovery software can bring the files back.
The three method families
The widely used reference here is NIST SP 800-88, which groups sanitization into three escalating categories:
- Clear - overwriting the storage with new data using standard write commands. Protects against ordinary recovery software; appropriate for media being reused inside the organisation.
- Purge - stronger techniques that defeat laboratory recovery: firmware secure-erase commands, cryptographic erase (destroying the encryption key so the data becomes unreadable ciphertext), or degaussing for magnetic media.
- Destroy - shredding, disintegrating, or incinerating the media so it cannot be used again. The end of the line, used when the drive is faulty, the data is highly sensitive, or policy says so.
The matching mistake to avoid: methods are media-specific. Degaussing erases hard drives and tape but does nothing to SSDs; multi-pass overwriting designed for magnetic platters is a poor fit for flash, where the firmware’s own secure-erase or cryptographic erase does the job properly.
Choosing the right method
Three questions decide it. Will the device be reused or sold? Then wipe, do not destroy - a verified wipe preserves resale value, and shredding working drives is burning money. How sensitive is the data? Routine business data on a working laptop is a Clear or Purge case; regulated or high-stakes data tips towards Purge or Destroy. And can you actually run the method? Drives that no longer respond, and storage embedded in copiers, medical or diagnostic equipment, and network gear, often cannot be wiped verifiably - those are destruction cases by default.
Verification and evidence
Sanitization that leaves no record might as well not have happened, because nobody can later prove it did. The working standard is per-device evidence: which drive (by serial number), which method, which tool or vendor, who performed it, and when - plus a certificate of destruction when a third party does the destroying. Keep that evidence attached to the asset, not in a loose folder; in AMPthilly, wipe logs and certificates can be attached as documents on the asset record, where the audit trail already shows when the device was retired.
Common mistakes
- Trusting deletion or a factory reset. Resets vary by device and generation; some leave user data recoverable. Verify, do not assume.
- Forgetting hidden storage. Copiers, printers, phones, smart TVs in meeting rooms, and drive caddies in old servers all carry data nobody remembers.
- Sanitizing the device but not the copies. A perfectly wiped laptop achieves little if the same files live on in an unmanaged backup or a leaver’s cloud sync.
- No tie to the asset register. “We wipe everything before disposal” is a claim; a register where each retired device shows its wipe evidence is proof.
Related terms
- Data-Bearing Device - any asset that needs sanitizing before it leaves your control
- Certificate of Destruction - third-party proof that media was destroyed
- Audit Trail - the record that ties sanitization evidence to the asset’s history
- E-Waste - where destroyed media ends up after destruction
- WEEE Directive - the EU rules governing how electronic waste is handled