The Information Commissioner's Office (ICO) has published a new guidance note for organisations which sets out a helpful approach to enforcement in cases where personal data has been deleted from live systems but is still held electronically in some form. The ICO has indicated that if organisations put such data 'beyond use', then the ICO will not enforce subject access rights to such data and will not take action in relation to compliance with the fifth data protection principle.
The fifth principle of the Data Protection Act 1998 requires organisations to ensure that 'personal data processed for any purposes shall not be kept for longer than is necessary for that purpose or those purposes'. This means that in circumstances where it is no longer necessary to retain an individual's personal data, an organisation must ensure that the data is deleted (in the case of electronic data) or destroyed (in the case of manual data).
In the recent guidance note, however, the ICO recognises the difficulties that many organisations face in complying with this requirement. For example, data may have been deleted from live systems but still exist in some format while waiting to be overwritten. In other cases it may not be possible to delete data that is no longer required without also deleting records that need to be retained.
The ICO has indicated that it will adopt a realistic approach to this problem. So long as information has been put 'beyond use' by an organisation, the ICO will regard data protection compliance issues as being 'suspended'.
For the ICO's purposes, information will be found to have been put 'beyond use' where:
- The organisation in question is not able to or will not attempt to use the information in a way which affects the individual;
- The information cannot be accessed by any other organisation;
- The information is protected by appropriate technical and security measures;
- The organisation will permanently delete the information if and when this becomes possible.
This pragmatic approach from the ICO is a welcome one, particularly in cases where subject access requests are made. We recommend that organisations wishing to take advantage of the 'beyond use' concept review their data deletion and data retention policies and procedures to ensure that they enable the four conditions above to be met.