In August, the Information Commissioner's Office (ICO) released a short guidance on deleting personal data. The document aims to clarify the regulator's interpretation of some of the requirements surrounding the archiving and deletion of personal data.
For modern day businesses, it is now virtually the norm to store documents in electronic format rather than in paper copy. Employees exchanging e-mails between themselves and with the outside world is now, alongside the telephone, the main means of corporate communication. With this in mind, organisations need to have not only well thought-through business continuity solutions but also strong archiving systems. It is the latter and operating them in compliance with the Data Protection Act 1998 (DPA) that the ICO guidance comments on.
The DPA requires data controllers, through the obligation contained in the fifth data protection principle, not to keep data for longer than necessary for the purposes for which it is processed. This means that, in theory, organisations should be deleting personal data from their electronic systems whenever the purpose for which it was processed has been satisfied and the data is no longer needed. Here, the difficulty arises.
Data controllers’ computer systems often do not have a data deletion option but only a procedure allowing them to archive information off the live database. The ICO recognises this challenge and states that as long as personal data has been put "beyond use" and there is no intention to use the data or access it again, compliance with data protection laws is no longer applicable.
In further clarification of the meaning of the phrase "put beyond use", the ICO sets out the following requirements, which need to be fulfilled for data not deleted to qualify:
- The data controller will not try to use the personal data in any way that could affect the individual.
- No other organisation has access to the archived data.
- Technical and organisational measures have been implemented to protect the personal data.
- Personal data will be permanently deleted when means to do so become available to the data controller.
The guidance also provides a welcome explanation with regard to subject access requests, stating that when personal data has been electronically archived, it does not need to be included in the response to a subject access request. Organisations should note, however, that such archived data must still be supplied in response to a court order.
The main points to take away: Organisations should still attempt to delete the data no longer needed when possible; alternatively, they can archive it off the live system but should still maintain appropriate security measures to protect it.
