The Information Commissioner’s Office (ICO) has recently published guidance on deleting and archiving electronically stored personal data under the Data Protection Act 1998 (DPA). The fifth data protection principle under the DPA provides that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”.
The Guidance is intended to counteract the problem of organisations informing people that their personal data has been deleted if, in fact, it is merely archived and could be reinstated. It is relevant to all organisations that have to, or wish to, delete personal data.
The ICO recognises that it is sometimes not possible to delete information permanently, but that it can be placed “beyond use”, in which case data protection compliance issues can be suspended, provided certain safeguards are in place. The ICO will be satisfied that the information is “beyond use” provided the data controller holding it:
- is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects any individual in any way;
- does not give any other organisation any access to the personal data;
- surrounds the personal data with appropriate technical and organisational security;
- commits to permanent deletion of the information if, or when, this becomes possible.
A full copy of the Guidance can be accessed here.