Disposal of Outdated Personal Information

One of the eight fundamental principles of the Data Protection Act is that personal information must be “not kept for longer than is necessary”.

It is up to data controllers to determine reasonable limits for what this means for their own companies. They should ensure that these limits are recorded in a data retention policy, and that this policy is adhered to.

Businesses should regularly purge their databases of stale records, following the advice laid out in their data retention policy. They should also have a procedure in place for allowing individuals to request that their details be updated or deleted.

Setting Time Limits for Retention of Records

It may be necessary to keep employee records for people who have left the business’s employment, in order to help with queries that may arise, for example the provision of references or confirmation of pension entitlement.

If an electronic history of employees or customers is kept in order to defend against possible legal claims, it should be disposed of once the statutory time limit for such a claim has expired.

Data controllers should apply reasoned common sense to determine sensible and realistic retention periods for other types of personal details used within the business, and must record and enforce this policy.

Exceptions for Research

Section 33 of the Data Protection Act is a special provision for personal data held purely for research. These records may be held indefinitely as long as they are not be used for making decisions about individuals or in any way that could cause substantial distress to them.

A better approach in general is to make records used for research anonymous by stripping fields from them so the individuals to which each record refers cannot be discovered.

Clearing Your Own Tracks Online

Data, once published online, has a tendency to spread. If you have ever created a web page, posted messages to an online forum or used a social networking site, chances are that your message has been copied all over the place. Search engines will have indexed the content, and may even have copied it wholesale to their own servers as a cache. Other people may have quoted it and linked to it. Once you have let the cat out of the bag, it’s very difficult to encourage it to go back in!

You may decide that information held about you online is embarrassing – perhaps you were a vocal animal rights activist a few years ago and you now own a chain of hamburger restaurants! There are some steps you can take to remove or update information about yourself:

• if you own the copyright to indexed or cached material, you can ask search engines to remove it; most have submission forms or email addresses for this purpose
• if a public wiki (en editable website) makes inaccurate claims about you, then you could correct it yourself (although changing entries about yourself is often frowned upon, so you may be better off getting someone else to make the change for you)

A Continuous Cycle of Cleansing

The disposal of outdated personal information should be a consideration at all stages of a business. For example, when a new employee is hired, it may not be appropriate to transfer all the details provided by them during the hiring process to their staff record. Similarly, when an employee leaves the company, any details that are no longer necessary should be purged.

In the same way, data a business holds on its customers should be cleaned as an ongoing process, and should be disposed of once it is no longer useful for the process for which it was originally collected. Businesses are obligated to do this by law.

EU General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) superseded the UK Data Protection Act 1998 on May 25, 2018. The new policy expands the rights of individuals to control how their personal data is collected and processed. It places a range of new obligations on organisations to be more accountable for data protection.

Organisations are obliged to have technical and procedural measures in place to safeguard the personal information they hold.