Deleting Personal Data : Compliance with the 5th Data Protection Principle

A checklist of the questions that you, as data controller, should consider when complying with your obligation to delete personal data which is no longer required to fulfill the purposes for which it was originally collected.

Schedule 1 to the Data Protection Act 1998 (DPA) sets out a number of data protection principles with which a data controller must comply. Under the 5th data protection principle data must not be kept for longer than is necessary for the purpose or purposes for which it was originally collected. In practice, this means that you must put procedures in place to delete data when it is no longer required. Before deciding whether to retain, archive or delete personal data, you should consider the following points.

Suspension of compliance

The Information Commissioner’s Office (ICO) recognises that it is not always possible to completely delete information from all equipment under the control of the data controller or one of his data processors (for example, personal data processed under a cloud computing contract is often “virtualised” or stored across a variety of different servers). It therefore takes a realistic approach and considers that compliance should be “suspended” in the following situations:

  • The personal data has been deleted but may still exist in the “electronic ether”. Provided that the data controller has no intention to use or access the data again, the ICO no longer considers that data to be live.
  • Personal data on a live system cannot be deleted without also deleting other information held in the same batch. In this case, the data controller may be prohibited by law from using the personal data in the same way that it might use live information.

Putting personal data beyond use

The ICO has confirmed that it will not take any action over compliance with the 5th principle with regard to data that has been put beyond use. This is the case if the data controller:

  • is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
  • does not give any other organisation access to the personal data;
  • surrounds the personal data with appropriate technical and organisational security; or
  • commits to permanent deletion of the information if, or when, this becomes possible.

Archiving personal data

Information that is archived is subject to the same requirements as live information. This is particularly the case where the data is archived in a structured, retrievable manner. The data controller should therefore only archive a record (rather than delete it) if he still needs to hold it. The data controller must be prepared to give subject access to the personal data, and to comply with the data protection principles, for as long as it is archived.

Deleting personal data

The DPA does not give specific time limits for the retention of data or guidance on the application of this principle, leaving the onus on organisations to determine what is “necessary” in any particular circumstances.

It is good practice for data controllers to review the personal data they hold regularly, and delete data they no longer need.

In order to determine when to delete personal data in accordance with the 5th principle, you should consider the following points:

  • establish standard retention periods for different categories of information, taking into account any professional rules or regulatory requirements that may apply to them, the current and future value of the data, the costs, risks and liabilities associated with retaining the data, and the ease or difficulty of making sure the data remains accurate and up to date.
  • put in place a retention policy to ensure that those retention periods are observed in practice.
  • what is the personal data used for? Data that continues to be necessary on the basis of one of the legitimate grounds on which it was initially collected should be retained for as long as that ground applies. On the other hand, personal data that has only a short-term value may have to be deleted within days. As a general rule, personal data should not be kept “just in case”, or if there is only a small possibility that it will be used.
  • what are the circumstances in which the data has been collected or is retained? Personal data that the data controller collected because of a relationship between him and the data subject should ideally be deleted once the relationship ends unless there is a continuing reason to retain it (for example, billing purposes).
  • what legal or regulatory requirements may mandate the retention or deletion of the data? A data controller is permitted to retain personal data to comply with a legal requirement (for example, tax, auditing, or health and safety) or a requirement set out in professional guidelines to which he is subject.
  • are any industry practices regarding the retention or deletion of the data in place? Specific business-sector requirements and agreed practices to retain personal data may be in place (for example, credit reference agencies are generally permitted to keep consumer credit data for six years).

The material contained in this article is provided for general purposes only and does not constitute legal or other professional advice. Appropriate legal advice should be sought for specific circumstances and before action is taken.

© , July 2013


Please contact:

Stuart Miller - Managing Partner

DD +44 (0)20 7553 9936
