Updated: by FG Solicitors

DELETING PERSONAL DATA UNDER THE DATA PROTECTION ACT 1998

Summary: The Information Commissioner’s Office (‘ICO’) has published new guidance on deleting personal data.

The Guidance 

The Information Commissioner’s Office (‘ICO’) has published new guidance on deleting data under the Data Protection Act 1998 (‘DPA’) dated 12 August 2012, which is of relevance to data controllers such as employers. The guidance sets out how organisations can ensure compliance with the DPA, in particular the fifth data protection principle, when archiving and deleting personal data. The fifth principle provides that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”.

The new guidance can be found in full using the following link: Deleting Personal Data

In summary, the guidance is intended to:

  • counteract the problems organisations have when informing people that their personal data has been deleted when it has been archived and could be re-instated; and
  • encourage organisations to put safeguards in place for information that has been deleted but is still in fact in an organisation’s possession.

Deleting information irretrievably is substantially different to archiving it in a structured and retrievable manner or retaining it as random data in an un-emptied electronic wastebasket. Employers should be aware that archived information is subject to the same data protection rules as ‘live information.’

The ICO does, however, recognise that deleting information from a system, particularly when stored electronically, is not always a straightforward matter. The ICO acknowledges that it is instead possible to put information ‘beyond use’ and for data protection compliance issues to be ‘suspended’, provided certain safeguards are in place. Information may need to be put ‘beyond use’ if, for example, it has been deleted but may still exist in the electronic system because it is waiting to be over-written with other data.

Putting Data ‘Beyond Use’

The ICO will be satisfied that information has been put ‘beyond use,’ if not actually deleted, provided that the data controller holding it:

(1)     is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;

(2)     does not give any other organisation access to the personal data;

(3)     surrounds the personal data with appropriate technical and organisational security; and

(4)     commits to permanent deletion of information if, or when, this becomes possible.

The ICO has made clear that it will not require data controllers to grant individuals subject access to personal data put ‘beyond use’, provided that all four safeguards above are in place. Nor will the ICO take any action over compliance with the fifth data protection principle. The ICO has advised that where data put ‘beyond use’ is still held, it might need to be provided in response to a Court Order; data controllers should therefore work towards technical solutions to prevent deletion problems recurring in the future.

Reminder

It is important to remember that if personal data is to be disposed of, it must be done securely and effectively. To comply not only with the Data Protection legislation but also with the Information Commissioner’s Employment Practice Codes, employers should ensure that they have the necessary structure and processes in place. This can include appointing someone within the organisation to be responsible for (and trained in) the management of employment records in accordance with these requirements. Employers also need to ensure they have checked whether they are required to give “notification” to the ICO. Whilst there are exemptions, a failure to notify if required to do so is a criminal offence. A self-assessment form can be found on the ICO website (www.ico.gov.uk).

Contact Details

For more information about your data protection obligations please contact:

fgmedia@floydgraham.co.uk

+44 (0) 1604 871143

This update is for general guidance only and does not constitute definitive advice.