As part of a series of guidance, the Information Commissioner’s Office (ICO) has published new guidance on deleting personal information under the Data Protection Act 1998 (DPA) and how organisations and businesses can comply with the fifth data protection principle as set out in the DPA.
The DPA establishes eight principles of good information handling that provide for specific rights and obligations that parties have in relation to personal data and its handling. The guidance as published by the ICO provides useful tips in relation to what organisations and businesses are required to do in order to comply with the principles. In particular, it provides guidance on the fifth principle that provides that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”. This is of particular importance when it comes to archiving or deleting personal information, or putting personal data “beyond use”.
The DPA does not define “delete” or “deletion”, but it is easy to assume that what is meant by these two terms is “destruction”. According to the guidance, organisations should try to be clear with individuals about what they mean by deletion and what actually happens to personal data once it has been deleted. The purpose behind this is to ensure that organisations inform individuals precisely whether the information has been deleted or merely archived and could therefore be re-instated. The guidance is intended to encourage organisations to take appropriate steps with regard to information that has been deleted but in fact still remains in the organisation’s possession.
The ICO acknowledges that there is a significant difference between “deleting information irretrievably, archiving it in a structured, retrievable manner or retaining it as random data in an un-emptied electronic wastebasket”. The ICO will, however, adopt a realistic approach in its treatment of deleted data. For instance, information deleted with no intention of it being used again (e.g. data waiting to be overwritten with other data) will be treated as no longer live.
The ICO has also clarified that the information will only be regarded as “put beyond use” if the data controller:
- Is not able to use such information
- Does not give other organisations access to such information
- Protects such information with appropriate technical and organisational security
- Commits to the permanent deletion of such information if, or when, this becomes possible.
In such circumstances, compliance with the fifth principle will not be required of the organisation.
The guidance on deleting personal information is aimed at counteracting the problem of organisations informing people that their personal data has been deleted when, in fact, it is merely archived and could be re-instated. It is also intended to encourage organisations to put safeguards in place for information that has been deleted but is still in the organisation’s possession.