The challenge of securely and sustainably disposing of old, outdated, or unwanted devices has never been more critical. With the official support for Windows 10 scheduled to end in October 2025, organisations are under pressure to transition to Windows 11 while ensuring that their old devices, if unable to support Windows 11, do not become a liability.
This task is twofold: it involves the secure erasure of all data on old devices, and then the environmentally conscious re-use or recycling of these devices. Yet with the UK’s National Cyber Security Centre (NCSC) phasing out its Commercial Product Assurance (CPA) Scheme for all products except smart meters, compliance is becoming increasingly complex. So, what are the steps public sector organisations can take to navigate these challenges effectively?
The environmental imperative
The transition from Windows 10 to Windows 11 will inevitably generate significant amounts of e-waste. Millions of tonnes of electronic devices are already discarded every year, often ending up in landfills where they can leach hazardous materials into the environment. Some are saying the shift from Windows 10 to Windows 11 will add to what’s being called an ‘e-waste gold mine’.
However, the onus shouldn’t necessarily all be on Microsoft to solve this issue. As organisations decommission old devices, it’s important they review their device refresh lifecycle and identify if it needs changing. For many businesses, their devices will likely be suitable to run Windows 11, and they will already have started the migration to the new system. The worry today is that the same cannot be said for the UK public sector, some of which haven’t upgraded from even older systems. While approximately two thirds of Windows installs last year were Windows 10, an estimated 12,000 NHS computers are still running on Windows 7.
This use of legacy tech both poses a security risk and implies an even larger influx of outdated devices that could go to landfill. To avoid this, organisations must evaluate the remaining value of their device fleet. Can these devices still be re-used or recycled? Or can their life be extended by re-deploying them for less resource-intensive use cases? In both cases, data sanitisation is a must. Erasing the data on these assets is key to allowing these machines to be safely and securely used elsewhere, or to gracefully reach end of life and get picked up by an IT asset disposition organisation – not become an e-waste gold mine.
The urgency of secure data erasure
Why is data sanitisation so important? Public sector organisations in particular handle vast amounts of sensitive data, ranging from personal information to national security details. It is why healthcare organisations, as an example, are so regularly targeted by cybercriminals. Just recently, a Russian criminal gang stole highly sensitive NHS patient data (including the results of blood tests for HIV and cancer). As the NHS upgrades to Windows 11, the devices that can only run on Windows 10 must be securely decommissioned to help prevent data breaches and further incidents like this. Data remnants on old devices can be exploited if they fall into the wrong hands, putting employees and the general public at risk.
The problem is, many assume that as long as they delete a file it is gone forever. The reality is very different. When deleting a file or folder, the device’s operating system removes only the file system’s reference to where that data is stored, rather than the data itself – meaning files can easily be recovered until the underlying storage is overwritten.
The physical destruction of old devices would enable organisations like the NHS to protect their data from being leaked. Yet this comes at a significant cost – not just the price of the destruction service, but also for the environment. Along with feeding the e-waste problem comes the environmental consequences of the additional mining and manufacturing processes needed to produce new devices, rather than re-using old components. Data sanitisation offers a sustainable alternative while also making security a priority by overwriting files and verifying erasure has worked successfully.
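The two points above (that deletion removes only the reference to the data, and that sanitisation means overwriting and then verifying the overwrite) can be shown on a single file. The following Python script is an added illustration, not code from the article or from any product it mentions: it writes a constructed sample record, overwrites every byte in place, forces the writes to the device, reads the file back to verify the fill pattern, and only then removes the directory entry. The record contents, file name and function names are all assumptions made for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample record; stands in for the sensitive data a device may hold.
SAMPLE_RECORD = b"PATIENT-0001; blood test result: CONFIDENTIAL\n" * 64


def create_sample_file(directory: str) -> Path:
    """Write the constructed record to disk so there is something to sanitise."""
    path = Path(directory) / "record.txt"
    path.write_bytes(SAMPLE_RECORD)
    return path


def overwrite_and_verify(path: Path, fill: int = 0x00, passes: int = 1,
                         chunk_size: int = 64 * 1024) -> bool:
    """
    Overwrite every byte of the file in place with the byte value `fill`,
    force the writes to the storage device, then read the file back and
    confirm every byte matches. Returns True only if verification succeeds.

    This mirrors the overwrite-then-verify step that NIST SP 800-88 describes
    for a 'Clear' of a single file. It does not reach file-system slack space,
    journals, or flash blocks remapped by wear levelling; for SSDs the
    standard points to device-level sanitize commands instead.
    """
    size = path.stat().st_size
    for _ in range(passes):
        with open(path, "r+b") as handle:
            remaining = size
            while remaining > 0:
                count = min(chunk_size, remaining)
                handle.write(bytes([fill]) * count)
                remaining -= count
            handle.flush()
            os.fsync(handle.fileno())  # push through the OS cache to the device

    # Verification pass: re-read from disk and compare against the fill byte.
    seen = 0
    with open(path, "rb") as handle:
        while True:
            chunk = handle.read(chunk_size)
            if not chunk:
                break
            if chunk != bytes([fill]) * len(chunk):
                return False
            seen += len(chunk)
    return seen == size


def contains_sample_data(path: Path) -> bool:
    """True if the original record is still readable from the file contents."""
    return b"CONFIDENTIAL" in path.read_bytes()


def sanitise_demo(passes: int = 2) -> dict:
    """Run the whole sequence in a temporary directory and report each stage."""
    with tempfile.TemporaryDirectory() as directory:
        path = create_sample_file(directory)
        before = contains_sample_data(path)
        verified = overwrite_and_verify(path, fill=0x00, passes=passes)
        after = contains_sample_data(path)
        path.unlink()  # remove the directory entry only after the content is gone
    return {"before": before, "verified": verified, "after": after}


if __name__ == "__main__":
    print(sanitise_demo())
```

Running the script reports that the record was readable before, that the overwrite verified, and that it is no longer readable afterwards. The order matters: unlinking first would leave the bytes on the medium, which is exactly the recoverable state described above. Whole-device erasure products apply the same overwrite-and-verify logic to the block device rather than to one file, which is what lets them address slack space and unallocated blocks that a per-file approach cannot.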
Changing compliance
Amidst this change in operating systems, organisations must also navigate a shifting compliance landscape. The recent announcement by the NCSC to phase out its Commercial Product Assurance (CPA) Scheme for all products except smart meters has significant implications for how organisations assess and manage their security needs.
The CPA Scheme had been a critical marker for security, providing assurance that certified products meet government standards and do what they claim to. It was particularly important for data sanitisation, because it verified whether software would securely and permanently erase data to meet standards such as the NIST 800-88 Guidelines for Media Sanitization.
What does this mean for the public sector? Primarily, it affects the RFP (request for proposal) criteria of government organisations. These will need to be updated so that they no longer require ‘NCSC approved’ tools in the technology stacks of those responsible for erasing their data. That way, procurement processes can remain both relevant and compliant.
Secondly, IT teams in the public sector that need to erase data compliantly must seek alternative certifications. For example, the NCSC certified Common Criteria or ADISA certification are both product assurance schemes that may become more commonly used in the absence of the NCSC’s CPA. These standards both provide a robust framework for evaluating security products. The IEEE 2883 standard will also be important for providing global industry benchmarks for data sanitisation processing and solutions that undergo product testing. And finally, teams erasing data in government can also use the UK’s Government Security Classifications Policy to review the requirements of data erasure products.
The transition from Windows 10 to Windows 11 presents significant challenges for UK public sector organisations, particularly in terms of sustainable device disposal. Changes from the NCSC add another layer of complexity to an already challenging environment, and it’s crucial that organisations in the public sector prepare for both of these changes.
The good news is that the move to more sustainable IT practices is in line with the UK government’s broader environmental goals, including achieving net-zero carbon emissions by 2050. By integrating secure data erasure with sustainable disposal practices, public sector organisations can contribute to these goals while maintaining the highest standards of data security.