For the first time, the UK data protection watchdog has published guidance on deleting personal information. Archiving data and putting it beyond use are also covered, as well as how to be clear with data subjects as to what exactly “deletion” means. Sue Gold reports.
Topic: Privacy
Who: Information Commissioner (ICO)
When: August 2012
Where: UK
Law stated as at: 12 September 2012
What happened:
One of the key data protection principles is that personal data should not be retained for any longer than is necessary for the purposes for which it was originally collected, which in turn means that when such data ceases to be necessary it should be "deleted". The Data Protection Act ("DPA") does not define 'delete' or 'deletion' – but a plain English interpretation implies 'destruction'.
The ICO published Guidance in August 2012 on the deletion of personal data. The guidance note provides clarification to organisations on how they can ensure compliance with the DPA provisions on archiving and deleting personal information.
The ICO’s approach to identifying whether data protection compliance still applies is a pragmatic one, recognising the distinction between situations where information which has been deleted remains on an electronic system prior to being written over and those where an organisation simply has not deleted information as required.
Summary of guidance
With electronic storage it is less easy to be certain that information has actually been deleted, as 'deleted' data may still exist, in some form or another, within an organisation's systems, e.g. on backup tapes.
The Guidance refers to the ICO’s Online Code which states that transparency is key so that people have a clear understanding of what will happen to their data e.g. when they close their online account or opt out of receiving marketing. It should be clear whether data will be deleted irretrievably, simply deactivated or archived.
In the case of opt-outs for marketing it is advisable to keep a record of who has opted out instead of deleting altogether all data relating to opt-outers.
In this context, it is worth bearing in mind that the CAP Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing, compliance with which is compulsory for all UK marketers, states as follows at 10.5:
Consumers are entitled to have their personal information suppressed. Marketers must ensure that, before use, databases have been run against relevant suppression files within a suitable period. Marketers must hold limited information, for suppression purposes only, to ensure that no other marketing communications are sent as a result of information about those consumers being re-obtained through a third party.
Also, if personal data is merely archived then the rules of data protection, including subject access rights, still apply to it.
Physical deletion or something else?
It is certainly the case that organisations should be absolutely clear with individuals about what they mean by deletion and what actually happens to personal data once they have "deleted" it.
The guidance is intended to counteract the problem of organisations informing people that their personal data has been deleted when, in fact, it is merely archived and could be re-instated. It is also intended to encourage organisations to put safeguards in place for information that has been "deleted" but is still in fact in an organisation's possession. This guidance will be relevant to all organisations that have to, or wish to, delete personal data.
Deletion and archiving
There is a significant difference between deleting information irretrievably, archiving it in a structured, retrievable manner or retaining it as random data in an un-emptied electronic wastebasket.
The ICO recognises that deleting information from a system is not always a straightforward matter and that it is possible to put information 'beyond use' and for data protection compliance issues to be 'suspended' provided certain safeguards are in place.
In the following scenarios the guidance states that data protection compliance issues are no longer applicable:
1. information has been deleted with no intention to use or access this again, but the data may still exist in the electronic ether e.g. it could be waiting to be over-written with other data. This information is no longer live. As such, data protection compliance issues are no longer applicable.
2. information that should have been deleted but is in fact still held on a live system because, for technical reasons, it is not possible to delete this information without also deleting other information held in the same batch. The organisation holding the information may be prohibited by law from using it in the same way that it might use live information. This could happen if a court has ordered the deletion of information relating to a particular individual but this cannot be done without deleting information about other individuals held in the same batch.
Putting information 'beyond use'
The ICO will be satisfied that information has been 'put beyond use', if not actually deleted, provided that the data controller holding it:
- is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
- does not give any other organisation access to the personal data;
- surrounds the personal data with appropriate technical and organisational security; and
- commits to permanent deletion of the information if, or when, this becomes possible.
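The distinctions drawn above (irretrievable deletion, structured archiving, data put beyond use under the four safeguards) and the opt-out suppression record described earlier, expressed as an enforcement layer a data controller could wire into its own systems. This is an added illustration, not code from the ICO or the author; the `PersonalDataStore` class, the status strings and the keyed-hash suppression set are assumptions made here.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Record:
    subject_id: str
    email: str
    status: str = "live"            # "live", "archived" (DPA still applies) or "beyond_use"
    pending_deletion: bool = False  # safeguard 4: committed to deletion when it becomes possible


def suppression_key(email):
    """Keep only a keyed hash of the address: enough to suppress, useless for anything else."""
    return hashlib.sha256(b"suppression-v1:" + email.strip().lower().encode()).hexdigest()

class PersonalDataStore:
    def __init__(self):
        self._records = {}         # subject_id -> Record (live, archived or beyond use)
        self._suppression = set()  # suppression-file hashes only, never joined back to records

    def add(self, rec):
        self._records[rec.subject_id] = rec

    def opt_out(self, subject_id):
        """Marketing opt-out: remember the suppression hash, then delete everything else."""
        rec = self._records.pop(subject_id)
        self._suppression.add(suppression_key(rec.email))

    def may_market_to(self, email):
        return suppression_key(email) not in self._suppression

    def put_beyond_use(self, subject_id):
        rec = self._records[subject_id]
        rec.status, rec.pending_deletion = "beyond_use", True

    def access(self, subject_id, purpose):
        """purpose: 'decision', 'third_party' or 'subject_access'; None means not held."""
        rec = self._records.get(subject_id)
        if rec is not None and rec.status == "beyond_use":
            if purpose == "subject_access":
                return None  # guidance: no subject access required once data is beyond use
            raise PermissionError(f"{subject_id} is beyond use; {purpose} refused")  # safeguards 1 and 2
        return rec

    def purge_when_possible(self):
        """Safeguard 4: permanently delete every record committed for deletion."""
        gone = sorted(k for k, r in self._records.items() if r.pending_deletion)
        for k in gone:
            del self._records[k]
        return gone
```

Archived records pass through `access` unchanged, which is the point: archiving alone changes nothing about the organisation's DPA obligations.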
Why this matters:
The guidance is helpful and shows that the ICO is taking a pragmatic approach, recognising some practical challenges facing organisations when seeking to delete data. In addition, as regards data "put beyond use," the guidance states that organisations will not be required to give individuals subject access to that personal data, provided that all four safeguards above are in place. The ICO will also not take any action over compliance with the fifth data protection principle to delete data if it is put beyond use in this way.