Security Guidance
RSS feed
Table of contents

Short format clause

The current draft of the Ministry of Justice (MoJ) commodity short format data destruction clause.

Highlighted words indicate potential requirement for contextual change, requirement of definition and so on.

Clause

The Supplier shall return all Authority Data in a machine-readable non-proprietary format defined by the Authority within 30 (thirty) calendar days of the end of the contract.

The Supplier must also state, ensure and warrant the final calendar date by which any associated data management lifecycle system(s) will be complete, including the manual or automated data destruction at the end of such period. Such data management lifecycle(s) may include, but are not limited to, the Supplier’s supply chain and/or Data Processors, backup system(s) and/or disaster recovery and business continuity system(s). The Authority retains all applicable rights to instruct the Supplier to destroy all Authority Data according to the terms of this [G-Cloud] contract.

The Supplier is required to ensure adequate and complete Data Destruction of Authority Data, including any relevant and associated non-proprietary Supplier Data or work product stemming from the Buyer Data that the Supplier has not been otherwise permitted to retain or use.

Data Destruction must follow applicable guidance from the UK National Cyber Security Centre (NCSC) and/or the Payment Card Industry Data Security Standard (PCI-DSS) and/or DIN 66399.

Data Destruction for electronic/magnetic storage must include, unless otherwise superseded by NCSC, PCI-DSS or specific Authority guidance: the revocation or otherwise destruction of decryption keys and/or mechanisms to render data inaccessible or otherwise void through the use of modern cryptography; AND/OR data overwriting methods consisting of at least 3 (three) complete overwrite passes of random data.

Data Destruction for printed materials must include, unless otherwise superseded by NCSC or specific Authority guidance: paper cross-shredding methods to satisfy at least the DIN 66399 Level 4 standard with a maximum cross cut particle surface area 160 (one hundred and sixty) millimetres squared with a maximum strip width of 6 (six) millimetres.

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.