UK Information Commissioner’s Office issues Guidance on the Deletion of Personal Data under the Data Protection Act 1998
On 16 August 2012, the ICO published guidance on deleting personal data under the Data Protection Act 1998 (DPA). The guidance describes how organisations can ensure compliance with the DPA when they delete or archive personal data, and explains what the ICO means by deletion and archiving and introduces the concept of putting personal data ‘beyond use.’ The guidance aims to counteract the problem of organisations informing people that their personal data has been deleted when, in fact, it is merely archived and could be re-instated; archived information is “subject to the same data protection rules as ‘live’ information, although information that is in effect inert is far less likely to have any unfair or detrimental effect on an individual than live information.”
Given the fifth data protection principle which provides that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes,” the deletion of personal data is an important activity for organisations which control or process personal data. The ICO notes that, although the DPA does not define “delete” or “deletion”, a plain English interpretation implies “destruction” which, in the case of electronic storage, is less certain than, say, incineration of paper records, since information which has been “deleted” may still exist within an organisation’s systems in some form or other.
The ICO says that it will “adopt a realistic approach in terms of recognising that deleting information from a system is not always a straightforward matter and that it is possible to put information ‘beyond use’, and for data protection compliance issues to be ‘suspended’ provided certain safeguards are in place.” The ICO gives specific examples of where putting information ‘beyond use’ would be an acceptable alternative to ‘deletion’. For example, an acceptable alternative may arise where for technical reasons, it is not possible to delete this information without also deleting other information held in the same batch, or where information has been deleted with no intention on the part of the data controller to use or access this again, but which may still exist in the electronic ether where it is waiting to be over-written with other data. The ICO will be satisfied that information has been ‘put beyond use’ if the “data controller holding it:
- is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
- does not give any other organisation access to the personal data;
- surrounds the personal data with appropriate technical and organisational security; and
- commits to permanent deletion of the information if, or when, this becomes possible.”
With these safeguards in place, ‘data compliance suspension’ applies, meaning that the ICO will not require data controllers to grant subject access requests submitted by individual data subjects nor will the ICO take action over compliance with the fifth data protection principle. Businesses should take note that with recent high profile incidents, such as Google’s failure to wipe data gathered as part of its Street View service under a 2010 deal with the ICO, the ICO is taking a hard look at how organisations deal with important issues such as deletion and archiving of personal data, and should take steps to ensure that they have designed and implemented their data security policies appropriately. As a word of caution, the ICO does advise that where data ‘put beyond use’ is still held, it might need to be provided in response to a court order, hence data controllers should work towards technical solutions to prevent deletion problems recurring in the future.