The Information Commissioner's Office (ICO) said that organisations that are unable to justify the continued storage of personal data they had been processing may not have to delete the information immediately, subject to certain conditions.
Under the fifth principle of the Data Protection Act (DPA), organisations are not permitted to store personal data processed beyond what is "necessary" for the "purpose" or "purposes" of that processing. In new guidance (5-page / 50KB PDF), the ICO said that it recognised that organisations can face challenges in deleting personal data. To reflect that, it said it would generally accept organisations' compliance with the fifth principle of the DPA as long as the organisations put unjustifiably held information "beyond use".
"The ICO will be satisfied that information has been ‘put beyond use’, if not actually deleted, provided that the data controller holding it: is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way; does not give any other organisation access to the personal data; surrounds the personal data with appropriate technical and organisational security; and commits to permanent deletion of the information if, or when, this becomes possible," the guidance said.
"We will not require data controllers to grant individuals subject access to the personal data provided that all four safeguards above are in place," it said. "Nor will we take any action over compliance with the fifth data protection principle. It is, however, important to note that where data put beyond use is still held it might need to be provided in response to a court order. Therefore data controllers should work towards technical solutions to prevent deletion problems recurring in the future."
Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that not all data protection authorities would necessarily share the ICO's views.
"The ICO will be satisfied that information is put 'beyond use' even in circumstances where a company shows that ‘it will not attempt’ to use the personal data," he said. "I would imagine other regulators would take a very different view."
"The ICO's view raises the question of what an organisation must do in order to show that it will not attempt to use personal data. It has mentioned that organisational and technical safeguards will be necessary but it has not provided further details as to the form or substance of the safeguards required. Further clarification is therefore needed," Scanlon said.
In its guidance, the ICO also said that companies could retain personal data they could no longer justify keeping if they were unable, for "technical reasons", to detach the information from other data contained in a "batch" which they legitimately store.
"In cases like this the organisation holding the information may be prohibited by law from using it in the same way that it might use live information," the ICO said. "This could happen if a court has ordered the deletion of information relating to a particular individual but this cannot be done without deleting information about other individuals held in the same batch."
The ICO added that the permanent deletion of electronically stored information from the "ether" was not something that organisations would have to ensure.
"The ICO will adopt a realistic approach in terms of recognising that deleting information from a system is not always a straightforward matter and that it is possible to put information ‘beyond use’, and for data protection compliance issues to be ‘suspended’ provided certain safeguards are in place," the ICO's guide said.
If personal data "has been deleted with no intention on the part of the data controller to use or access this again, but which may still exist in the electronic ether" then it is "no longer live" and "data protection compliance issues are no longer applicable," the watchdog said.