This week I am delighted to be a guest blogger for the Political Idealist website, which covers political, news and current affairs both in the U.K. and around the world. The Political Idealist is a website maintained by the talented Jack H. G. Darrant, who has keen interests in British democracy and environmentalism, regularly writes for The Independent newspaper, in addition to his weekly contributions in the ever popular ShoutOut blog. If you would like to know more, or enjoy this article, check-out the Political Idealist.
Many have questioned the safety of our personal data. Now it appears that a loophole in the law could result in organisations holding personal data records, even when the information is no longer necessary for processing purposes.
Recent data protection guidance published by The Information Commissioner’s Office (ICO) has revealed that organisations that are unable to justify the storage of personal data they had been previously processing, may not have to delete the information immediately, despite the fifth principle of the Data Protection Act 1998, which states that organisations are not permitted to store personal data processed beyond what is “necessary” for the “purpose” or “purposes” of that processing.
However, the ICO has stated in their new guidance, that recognised challenges can be faced by organisations during the process of deleting personal data. Thus, the ICO has stated that it would generally accept those “challenges”, provided that organisations put unjustifiably held information “beyond use”. The guidance states that:
“The ICO will be satisfied that information has been ‘put beyond use’, if not actually deleted, provided that the data controller holding it: is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way; does not give any other organisation access to the personal data; surrounds the personal data with appropriate technical and organisational security; and commits to permanent deletion of the information if, or when, this becomes possible. We will not require data controllers to grant individuals subject access to the personal data provided that all four safeguards above are in place[…] Nor will we take any action over compliance with the fifth data protection principle. It is, however, important to note that where data put beyond use is still held it might need to be provided in response to a court order. Therefore data controllers should work towards technical solutions to prevent deletion problems recurring in the future”
The ICO have also stated that organisational and technical safeguards will be necessary, yet they have failed to provide any guidance as to the procedure of how organisations should implement the safeguards required, to ensure that organisations will not attempt to use personal data after it is no longer required. Furthermore, the ICO guidance stated that companies are allowed to retain personal data that is no longer justifiable in keeping, if they are unable to detach the information from other data contained in a legitimately stored “batch”, if the result of a “technical reason”. “In cases like this the organisation holding the information may be prohibited by law from using it in the same way that it might use live information,” the ICO said.
An example provided by the ICO is where: ” a court has ordered the deletion of information relating to a particular individual but this cannot be done without deleting information about other individuals held in the same batch.”
However, the ICO added that the permanent deletion of electronically stored information from the “ether” was not something that organisations would have to ensure. Thus, “the ICO will adopt a realistic approach in terms of recognising that deleting information from a system is not always a straightforward matter and that it is possible to put information ‘beyond use’, and for data protection compliance issues to be ‘suspended’ provided certain safeguards are in place“.
It would appear that the general view of acceptance by the ICO is that if personal data has been deleted with no intention to use or access this again, but still exists in the electronic ether, then data protection compliance is no longer applicable, because the data is no longer live. A potential problem could arise when the computers are later discarded, as there appears to be no guidance as to how to discard the equipment in a manner that would prevent access to the computer’s ether by a third party.
There are numerous methods in which third party sales companies and rogues can attain our information, ranging from companies selling our information onto third parties, unshreaded documents left lying around in an outside bin, the internet, public electoral roll records, or even the telephone directory. Perhaps this latest loophole discovery also answers the question as to where some international companies may be attaining our supposedly private information from.
This matter links in with the view of The Working Party, a committee made up of representatives from each of the EU national data protection authorities (DPAs), who have recommended that individuals should generally not be identifiable when their personal data is being processed. They recommend that organisations should be required to “anonymise or pseudonymise” personal data when processing the information if it is “feasible and proportionate”, as recommended as part of a published opinion on the European Commission’s proposed General Data Protection Regulation.
I am sure most of us will be in accord with The Working Party’s recommendation that:
“The concept of pseudonymisation should be introduced more explicitly in the instrument (for example by including a definition on pseudonymised data, consistent with the definition of personal data), as it can help to achieve better data protection, for example, in the context of data protection by design and default.”
Perhaps “pseudonymised data”, if possible, is one way to prevent the possibility of potential abuse of data retrieval, should companies be negligent in their methods of discarding of any obsolete computer equipment during future system upgrades.
I’m certainly in agreement with you here! I try very hard to dissuade people that I advise as part of my job from collecting any personal data unless it is absolutely required. Quite often it isn’t!
wow… didn’t think about this till I read your article.. nicely written and quite informative. Thanks for that.