Businesses do not have to delete personal data immediately after it is no longer required for processing purposes, according to new guidance from the Information Commissioner’s Office (ICO).
While the fifth principle of the Data Protection Act (DPA) states that personal data should not be kept for longer than is necessary for the purposes of processing, the ICO recognises the problems businesses can face in deleting such data.
Consequently, the data protection watchdog will accept that organisations are complying with the fifth principle if data they cannot justify keeping is held “beyond use” or cannot be separated from other information in a batch that is stored legitimately.
The guidance states: “The ICO will be satisfied that information has been ‘put beyond use’ if not actually deleted, provided that the data controller holding it:
- is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
- does not give any other organisation access to the personal data;
- surrounds the personal data with appropriate technical and organisational security; and
- commits to permanent deletion of the information if, or when, this becomes possible.”