This month a Scottish Council whose former employees’ pension records were found in a paper recycle bank in a supermarket car park were fined £250,000 for the data breach. More than 600 files were found at the recycle bins, containing confidential information and, in a significant number of cases, salary and bank account details.
Once an employee has provided their personal data, under the Data Protection Act 1998 (DPA), the employer will be responsible for the security of this information while they hold it. The DPA is based on eight principles of good information handling and these provide specific rights to people relating to their personal information. Under these principles there are obligations placed on organisations processing this information.
The DPA’s fifth data protection principle states:
“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”
The ICO highlights that organisations should be completely clear with individuals about what they mean when referring to deletion and what will actually happen to personal data once deleted.
Definition of ‘deletion’
The DPA does not provide a definition of ‘deletion’ but on plain reading this refers to destruction of information or records. The ICO guidance notes that when paper records were more common it was easier to say whether information had been deleted (e.g. by incineration), but that “the situation can be less certain with electronic storage, where information that has been ‘deleted’ may still exist, in some form or another, within an organisation’s systems”.
The ICO’s advice on good practice here relating to personal information online is to:
- Make it clear to people what will happen to the information - i.e. will it be deleted irretrievably or simply deactivated or archived?
- Where users have the option to delete personally identifiable information uploaded by them, the deletion must be real - i.e. content should not be recoverable in any way, for example, by accessing a URL from that site.
- “It is bad practice to give a user the impression that a deletion is absolute, when in fact it is not.”
Deletion and archiving
The ICO guidance highlights distinctions between deleting information so that it is irretrievable, archiving it in a structured manner (where it is retrievable) and storing it in a random way in an electronic wastebasket.
For example, archived information will be subject to the same data protection principles as ‘live’ information. However, the ICO recognises that deleting information from systems is not always straightforward. As such, the guidance sets out that information can be ‘put beyond use’, and data protection compliance issues ‘suspended’, provided certain safeguards are in place.
Putting information ‘beyond use’
The ICO will be satisfied that information has been ‘put beyond use’, if not actually deleted, provided that the organisation holding it:
- Is not able, or will not attempt, to use the personal data to inform any decision regarding any individual or in a manner that affects the individual in any way;
- Does not give any other organisation access to the personal data;
- Surrounds the personal data with appropriate technical and organisational security; and
- Commits to permanent deletion of the information if, or when, this becomes possible.
Where all four safeguards above are in place the ICO will not take any action over compliance with the fifth data protection principle.