The Information Commissioner's Office ("ICO") published new guidance recently to help organisations better understand the requirement imposed on them by the Data Protection Act 1998 ("the DPA") in relation to deletion of personal data. This guidance is available on the ICO's website, http://www.ico.gov.uk/.
The exact requirements under the DPA in relation to deletion of personal data have previously been open to wide interpretation. The problem is that, in an IT sense, 'deletion' does not have the clearest of meanings.
What does the DPA say?
The DPA centres on a number of key issues, or principles, in relation to safeguarding personal data. The fifth principle states that personal data should not be kept for any longer than is necessary to fulfil the purpose for which it was processed in the first place.
While in the case of a paper-based system it is straightforward to destroy the information held, when you are dealing with electronic records, 'deletion' has many permutations. Technically, archiving data will still fall within the scope of the DPA, but holding personal data in an archive system, particularly one that is not easily searchable, is unlikely to be detrimental to the relevant individual.
This has led to many organisations being unsure as to what they need to do in order to comply with the Act.
What the guidance says
To help organisations navigate this maze of uncertainty, the ICO has said that it will not take action for a breach of the fifth principle in respect of data that, although technically not deleted, has been put 'beyond use', nor will such data fall within the scope of a data subject access request. The ICO will consider that data has been put beyond use if the data controller (the person controlling the processing of the data) meets the following criteria:
It is unable to (or will not attempt to) use the personal data in any way that would affect the relevant individual;
It does not give any third parties access to that personal data (unless, for example, it is compelled by law to do so);
It puts in place appropriate technical and organisational measures to safeguard that data (essentially a restatement of the seventh principle);
It commits to permanently deleting the personal data, when possible.
Conclusion
While data controllers will have to meet all four criteria for their obligation to delete data to be suspended, the conditions are not particularly onerous. In fact, they give welcome clarification on this issue and better reflect how organisations work in practice.
If you would like to discuss whether your current process for archiving complies with the requirements set out in the guidance, or any other aspect of data protection law or information security best practice, please contact Grant Campbell.