The UK Information Commissioner’s Office (“ICO”) has issued guidance on the deletion of personal data. Through this guidance, the ICO seeks to assist organisations with their obligations under the Data Protection Act 1998 (“DPA”) and to promote good practice. The ICO acknowledges that times have changed and that, while one may think placing data in a “recycle” bin deletes it, some electronic form of the personal data and documents most likely still exists on the system.
The ICO rues any impression given by organisations to their users that deletion of data is absolute. The ICO wants organisations to be absolutely clear on what is meant by deletion and what happens to personal data once deleted. The ICO recounted instances of organisations having run into difficulty where “deleted” data had in fact only been archived and was capable of being reinstated. Where the data has been archived and not permanently deleted, the ICO urges organisations to safeguard such data.
The ICO highlights the “significant difference” between irretrievably deleting information, archiving it in a structured, retrievable manner, and retaining random data in a recycle bin. While the ICO states that archived data should be treated the same as live data, it acknowledges that inert data is less likely to have a detrimental effect on an individual.
While deleting system data may not always be straightforward, the ICO suggests that putting data “beyond use” may suspend data protection compliance issues so long as certain safeguards exist, such as:
- There is no intention to use or access the data
- No other organisation is given access to the data
- The personal data is protected by appropriate technical and organisational security
- There is a commitment to permanently delete the data when technically feasible
For data put “beyond use,” the ICO suspends the right of individuals to access that data and, most importantly, will not take any enforcement action against organisations that retain such data, despite the DPA principle not to keep data for longer than necessary. The ICO acknowledges that data put “beyond use” may still need to be provided to comply with court orders.