ICO issues new guidance on deleting personal data
The collection, storage and use of personal data in the UK is governed by the Data Protection Act 1998 (DPA). DPA compliance is policed by the Information Commissioner's Office (ICO).
The DPA defines "personal data" broadly so that it catches almost all data relating to an identifiable living individual, regardless of whether the data is stored in hard-copy or electronic format.
Under the DPA, all data controllers (any organisation that determines, either alone or jointly with others, the purposes for which and the manner in which any personal data is, or is to be, processed) must ensure they comply with the eight data protection principles set out in the DPA whenever they collect, store or use personal data. Those eight principles require that personal data must:
- be processed fairly and lawfully
- be obtained and processed only for one or more specified and lawful purposes
- be adequate, relevant and not excessive
- be accurate and kept up-to-date
- not be kept for longer than necessary
- be processed in accordance with the rights of the individual
- be kept secure, and
- not be transferred outside of the European Economic Area unless adequate levels of protection exist.
Unfortunately, the DPA does not say how long personal data may be kept for the purposes of the fifth principle (the requirement that personal data must not be kept for longer than necessary), so organisations must make their own decision as to what is appropriate in the circumstances. The general rule is that personal data should be deleted or destroyed once the purpose for which it was collected has been completed.
As organisations become more technologically advanced, compliance with the fifth principle becomes more difficult. In the 'old days' it was fairly easy for organisations to shred hard-copy files to destroy redundant data. However, the dawn of the 'tech era' has made compliance tricky. It is now extremely difficult from both a practical and technological perspective for organisations to delete personal data from their systems. Data that has been 'deleted' often still exists in some form within the organisation's systems, such as on back-up servers or in electronic waste baskets.
In its new guidance, the ICO recognises that deleting personal data from a system is not always straightforward. It says that personal data can be put 'beyond use', and data protection compliance suspended in respect of that data, provided that certain safeguards are put in place. Those safeguards require that the organisation:
- is not able, and will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects any individual in any way
- does not give any other organisation access to the personal data
- surrounds the personal data with appropriate technical and organisational security measures, and
- commits to the permanent deletion of the personal data if, or when, this becomes possible.
In its guidance, the ICO says that organisations can retain personal data they would otherwise be required to delete if, for technical reasons, they are unable to detach that personal data from other legitimately held personal data contained in the same batch.
The ICO has also acknowledged that the DPA does not apply to personal data that has been deleted with no intention of future use, but which may exist in the electronic ether.
The guidance is extremely useful and shows that the ICO will take a sensible approach to the fifth principle.
However, organisations should note that the ICO's guidance does not give them carte blanche to keep personal data forever. Putting personal data beyond use should be a temporary measure and organisations should take what steps they can to permanently delete personal data as soon as the purpose for which it was collected has been completed.