How many lawyers have written terms into data processing contracts along the following lines: “Upon termination or expiry of this Agreement, the data processor shall delete any and all copies of the Personal Data in its possession or control”?
It’s a classic example of a legal clause that’s ever so easy to draft but, in this day and age, almost impossible to implement in practice. In most data processing ecosystems, the reality is that there seldom exists just a single copy of our data; instead, our data is distributed, backed up, and archived across multiple systems, drives and tapes, and often across different geographic locations. Far from being a bad thing, data distribution, archival and back-up better preserve the availability and integrity of our records. But the quid pro quo of greater data resilience is that commitments to comprehensively wipe every last trace of our data are simply unrealistic and unachievable.
Nevertheless, once data has fulfilled its purpose, deletion is seemingly what the law requires. The fifth principle of the Data Protection Act 1998 (implementing Article 6(e) of Directive 95/46/EC) says that: “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.” So how to reconcile this black-and-white approach to data deletion with the reality of modern-day data processing systems?
Thankfully, the ICO has the answer, which it provides in a recently published guidance note on “Deleting personal data”. The ICO starts off by acknowledging the difficulties outlined above, commenting that “In the days of paper records it was relatively easy to say whether information had been deleted or not, for example through incineration. The situation can be less certain with electronic storage, where information that has been ‘deleted’ may still exist, in some form or another, within an organisation’s systems.”
The sensible answer it arrives at is to say that, if data cannot be deleted for technical or other reasons, then it should instead be put ‘beyond use’. Putting data ‘beyond use’ has four components, namely:
- ensuring that the organisation will not and cannot use the personal data to inform any decision in respect of any individual or in a manner that affects the underlying individuals in any way;
- not giving any other organisation access to the personal data;
- at all times protecting the personal data with appropriate technical and organisational security; and
- committing to delete the personal data if or when this becomes possible.
Broadly speaking, you can condense the four components above into: “Delete it if you can and, if you can’t, make sure it’s stored securely and don’t let anyone use it”. Which is, of course, entirely sensible advice.
It does raise one interesting problem though: what to do when the individual data subject requests access to his or her data that has been put beyond use? Here, the ICO again takes a business-friendly view, saying simply that “We will not require data controllers to grant individuals subject access to the personal data provided that all four safeguards above are in place.” In other words, the business does not need to instigate extensive (and expensive) searches of records that have been put beyond use just because an individual requests access to his or her data – for the purposes of subject access, this inert data is treated as if it had been deleted.
But the ICO does issue a warning: “It is bad practice to give a user the impression that a deletion is absolute, when in fact it is not.” So the message to take away is this: make sure you do not commit yourself to data deletion standards that you know, in all likelihood, you can’t and won’t meet. And, by the same token, don’t let your lawyers commit you to these either!