This is where we have the well-known siblings, Accountability and Responsibility.
The data destruction was tasked to a contractor. They were /responsible/ for the data breach.
The paperwork to authorise this work and sign the equipment off of the asset register to the contractor for the purposes of destruction was performed by the NHS Trust. They were /accountable/ for the data breach.
This is a useful distinction to note - I've been in many a discussion on accountability and responsibility when it comes to being in an authoritative position. As the accountable person, questions may be asked of you, however if you were not responsible for the (in)action, you are not liable.
I would see the contractor getting into some serious trouble over this, with the NHS being given a bit of a telling off and being told to use better judgement in who it chooses to make responsible for such things.
Given the requirement for more and more documentation with the CQC and the very long running "If it's not written down then it didn't happen", there must be a policy to deal with data destruction and a fully auditable trail that can track the equipment coming in to the NHS, through the NHS and out of the NHS to the contractor.