The UK Information Commissioner’s Office (ICO) has issued guidance on deleting personal data to help organizations understand their obligations and to promote good practice.
The guidance is intended to help with compliance, particularly with the Fifth Data Protection Principle in relation to archiving or deleting personal data. It also defines what is meant by deletion, archiving and putting personal data ‘beyond use’.
The DPA does not define ‘deletion’, but the guidance states that a plain English interpretation implies ‘destruction’. It acknowledges that this is more ambiguous in an electronic environment.
The guidance does make clear that the ICO would be satisfied that data has been ‘put beyond use’, even though it has not actually been deleted, provided that the data controller:
- Is unable or will not attempt to use the personal data to inform any decision relating to an individual
- Does not give other organisations access to personal data
- Deploys the appropriate technical and organisational security to protect the data
- Commits to permanent deletion if or when it becomes possible.
If all four safeguards are met, data controllers would not be expected to provide individuals with subject access to this data, nor would the ICO take action over compliance with the Fifth Data Protection Principle. However, the data may need to be provided in response to a court order.