Always make sure that your clients are protected!
The Data Protection Act (the Act) has 8 Principles, the fifth of which has the requirement that ‘personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes’. You must delete such data. Delete is not defined in the Act. With modern data storage systems, deletion is not a simple matter of incineration or shredding of documents.
Whilst pressing the delete button will remove data from your email marketing list, it does not remove it from a hard drive or other digital storage medium. The information remains and in most circumstances is easy enough to access. There are programmes which will promise to virtually shred such data so that it is all but impossible to reconstitute but it is unreasonable to expect you to do this every time one person asks to unsubscribe or a court requires you to delete such records.
The Information Commissioners’ Office (ICO) promises to adopt a realistic approach when deciding how to interpret deletion and states that ‘placing such data beyond use’ will be sufficient in most cases. The most basic requirement in such circumstances is to ensure that the data will not be accidentally accessed so, for instance, a person who unsubscribed will not be sent a marketing email.
It is clear that data placed beyond use, pending being over-written still exists, and the Act requires that such information must not be live. If, for technical reasons, an individual’s record cannot be erased without deleting other data that is required, then you must have systems in place to ensure that it is not referenced.
The ICO does go some way to assist in the understanding of when data is beyond use and gives the following examples:
When a data controller holding it:
– is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
– does not give any other organisation access to the personal data;
– surrounds the personal data with appropriate technical and organisational security; and
– commits to permanent deletion of the information if, or when, this becomes possible.
If all four of the above requirements are satisfied then the ICO will not require data controllers to grant individuals access to their data, although a court order may override this exemption.
Remember that data might well have migrated. It could be on other systems and devices, such as USB memory sticks, lap tops, data cards and on-line cloud type programmes. If you do not have robust systems in place to protect against such duplication, and if not, why not?, then you need to ensure that your deletion processes are comprehensive.
When it comes to disposing of old computers and hard drives it is well to remember that data might well still be retained on them. Whilst a hard disk might have a certain intrinsic value, you should take into account the cost of shredding the data on it and, probably more importantly, the cost to the company should you fail to destroy it all.