New guidance defines when electronically held personal data is "beyond use" once deleted.
As part of its mission to help companies understand and fulfil their obligations under the UK's Data Protection Act 1998 (the DPA), the UK's Information Commissioner's Office (ICO) recently published guidance for organisations on deleting and archiving electronically stored data. The guidance sets out how organisations can comply with the DPA, in particular the fifth data protection principle (the fifth principle), when archiving and/or deleting personal information. It also explains what is meant by deletion, archiving, and putting personal data "beyond use".
The DPA implemented the European Data Protection Directive into UK law. The DPA imposes a number of obligations on data controllers regarding the processing of data. (A data controller is an organisation that determines the purposes for which and the manner in which any personal data is processed.) These obligations are known as the eight data protection principles. The fifth principle states that "[p]ersonal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes." In its Guide to Data Protection, the ICO advised that compliance with the fifth principle means that, in practice, organisations must do the following:
Employer Compliance with the Fifth Principle
All employers in the UK are considered data controllers under the DPA. Information held on employees, such as names, dates of birth, and addresses, will amount to personal data.
In order to comply with the DPA, UK employers need to ensure that they do not keep employee records indefinitely. It is recommended that UK employers create and implement document retention policies and communicate these policies to their workforces. As part of such policies, employee data, such as personnel files, should be deleted after a set period of time.
There are no specific document-retention periods set out in the DPA. However, the ICO Employment Practices Code considers data protection in employment records and makes a number of recommendations. Employers should consider these recommendations when deciding on retention periods for employee records. These recommendations suggest that the retention periods for employee data be based on the business need of protecting against legal risk and that all information retained by employers should be retained only if that information is necessary for a particular purpose.
For example, as there is a possibility that any document relating to an employee could be relevant to a UK Employment Tribunal, County Court, or High Court claim, it is recommended that employee documentation be retained for six years after termination of employment, which is the statutory limitation period for breach of contract claims, and then promptly deleted once that period has passed. It is also recommended that an unsuccessful candidate's documentation be retained for six months after he or she is rejected for a role, which is the maximum time in which an individual could bring an employment law claim, and then promptly deleted once that period has passed.
Deletion of Electronically Held Data
In the case of paper files held by organisations, deletion is straightforward and can be effected by, for example, shredding or incineration. It is more complicated when data is held electronically, as "deleted" data may still exist on an organisation's systems. The ICO's recent guidance provides more information on the meaning of "deletion" for electronically held data.
The ICO has adopted what it calls a "realistic approach" towards the deletion of electronic data and has recognised that it is possible to put data "beyond use" in certain circumstances. Its key finding is that personal data can be treated as "beyond use" where the data controller:
- is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
- does not give any other organisation access to the personal data;
- puts appropriate security measures in place in relation to the data; and
- commits to permanent deletion of the information if and when it becomes possible.
An example of undeletable data given by the ICO is data held because it is not possible, for technical reasons, to delete such information without deleting other information held in the same place.
The ICO has confirmed that, if the four conditions above are met, it will not require data controllers to grant individuals access to that data via a data subject access request, nor will it take any compliance action under the fifth principle.
Implications for Employers
The majority of employers now hold employee data in both hard copy and soft copy forms, and the ICO's guidance should provide reassurance about the deletion of electronically held information. Employers should review and revise their data retention policies and practices in the light of this new guidance or consider implementing a policy if one is not already in place.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis attorneys: