Data destruction decision tree — Clear, Purge, Destroy.
NIST 800-88 categorises sanitisation as Clear / Purge / Destroy. The right method depends on storage technology, data classification, and intended disposition. This decision tree walks you through the choice in plain English, with worked examples per storage class.
Low / Moderate / High classification.
NIST 800-88 references three security-categorisation levels: Low, Moderate, High (per FIPS 199). Practical mapping for Canada:
Low — non-sensitive data, no PII, no PHI, no financial. Public marketing materials, generic test data, internal documentation with no confidentiality value.
Moderate — corporate-confidential, IP, internal financial summaries, employee directory-level PII. Default for most corporate IT.
High — PII, PHI, regulated financial data, OSFI-regulated FI customer data, healthcare patient data, government-classified data, M&A deal data. Default for any device that has held bank customer data, patient records, or PII at scale.
Storage technology determines available methods.
Modern SSDs and NVMe drives don't reliably support overwrite-based methods. Magnetic HDDs do. Tape and optical require physical destruction by default.
- Magnetic HDD · All three methods supported — Clear (overwrite), Purge (firmware secure-erase), Destroy (degauss + shred).
- SATA SSD · Purge via SATA Secure Erase command (cryptographic erase if SED). Destroy via shred. Overwrite NOT reliable.
- NVMe SSD · Purge via NVMe Sanitize command (Format with Crypto Erase). Destroy via shred. Overwrite NOT reliable.
- Self-encrypting drive (SED) · Purge via cryptographic erase — drive's internal AES key destroyed. Destroy via shred for high-classification.
- LTO / DLT tape · Destroy by default — degauss-then-shred. Wiping impractical.
- Optical (CD/DVD/Blu-ray) · Destroy by default — particle-size shred.
Re-use within org / resale outside / end-of-life.
Where the device is going next determines whether Clear suffices or Purge / Destroy is required.
Re-use within original organisation — internal redeployment to a different team. Clear method suffices for low-to-moderate classification.
Resale outside the organisation — sold or donated to an external party. Minimum Purge for moderate classification; Destroy for high.
End-of-life destruction — kit not going back into use. Destroy is canonical, but Purge-then-recycle is also valid for moderate classification (e.g., kit going to refurbisher for parts harvest).
Per-device decision matrix
- ♦ Low classification, magnetic HDD, internal re-use → NIST 800-88 Clear (single-pass overwrite).
- ♦ Low classification, SSD, any disposition → NIST 800-88 Purge (Secure Erase command).
- ♦ Moderate classification, magnetic HDD, resale → NIST 800-88 Purge (firmware secure-erase) or Destroy.
- ♦ Moderate classification, SSD/NVMe, any disposition → NIST 800-88 Purge (cryptographic erase or Sanitize).
- ♦ High classification, any storage class, any disposition → NIST 800-88 Destroy (particle-size shred); Purge alone is not sufficient.
- ♦ Tape / optical, any classification → NIST 800-88 Destroy (degauss + shred for tape; shred for optical).
- ♦ Hybrid storage array — per-drive decision per the matrix above. Don't apply array-wide.
- ♦ Modality kit (MRI, CT, ultrasound) with embedded storage — coordinate with OEM service team for safe extraction; then apply matrix to the storage component.
Maxicom Canada — frequently asked
What if we're not sure of the data classification?
Default to High — it's structurally safer. We've never had a customer regret over-classifying; we've seen customers regret under-classifying. The cost difference between Purge and Destroy is small relative to the risk of forensic recovery on under-treated media.