The Information Commissioner in the UK has published guidance on how organizations can comply with the Data Protection Act in relation to archiving or deleting personal information. Problems often arise in this area for employers in Europe when they receive a subject access request from an employee (or ex-employee). A subject access request is a request for a copy of all the personal data that an employer is processing about an individual, and such a request can require far-ranging searches and disclosure of thousands of emails, documents and other information. Such requests are often used as a tactic in litigation and can be very effective in obtaining what amounts to early disclosure of a wide-ranging set of documents.
The guidance highlights the problems with the idea of deletion, which used to be a simple concept when records were all stored on paper. Now that almost all records are retained in electronic format, ‘deletion’ can mean many different things.
If personal data is simply archived and not actually permanently deleted, then it is still subject to the rules of data protection, including subject access requests. Until now, this could mean that in response to such a request an employer would be required to restore all the information and provide a copy of it to the data subject.
However, the Information Commissioner has issued some surprisingly practical guidance on this topic. They say that they will ‘adopt a realistic approach’ in recognizing that deleting information is not always a straightforward matter and that it is possible to retain information but to have put it beyond use. In such a case, they will accept that the data protection principles are suspended provided that certain safeguards are in place.
So if data has been deleted with no intention of being used again but might still exist in the electronic ether (for example, waiting to be written over, or information that cannot be deleted because for technical reasons it is not possible to delete it without deleting other information held in the same batch), then the information will not be considered live. This means that it would not be considered to be covered by the data protection principles and would not therefore form part of any subject access request, provided that the Information Commissioner is satisfied that the information has been ‘put beyond use’. Information will be considered beyond use if the organization in question:
- Is not able to use the personal data (and does not use it) to inform any decision in respect of an individual;
- Does not give any other organization access to the personal data;
- Surrounds the personal data with appropriate technical and organizational security; and
- Commits to permanent deletion of the information if, and when, this becomes possible.
Provided these safeguards are in place, the Information Commissioner will not grant individuals subject access to the information and will not take compliance action in this regard. It is still possible that separate court orders for specific disclosure can be made in relation to information that is archived, but the Information Commissioner’s approach will help in general disclosure requests in relation to arguments of proportionality in the Employment Tribunal and assist in avoiding having to produce wide-ranging categories of documents that have been archived.