There may come a time when your organisation no longer wants an individual’s data at the end of whatever process the data was taken for. But the individual has the right to require that you remove that data at an earlier time.
For this to take place the following have to apply:
- The data is no longer needed for the reason for which it was originally requested (remember the individual may inform you they want no more of your product/service – even if you feel you can supply more of the product/service)
- The original consent to retain the data is withdrawn – the choice of the individual
- If you felt that the “Legitimate Interest” clause was appropriate for the collection/retention of the data, and the individual objects and either the original grounds were shaky, or the circumstances have changed – then removal is required
- You are using the data for direct marketing and the individual wants this to cease
- Where the data was actually illegally processed in the first place
- Where there is a legal obligation to remove the data
- Where the data pertains to a child and is therefore no longer required
Such a request for data removal and destruction can be made verbally or in writing.
As before, you must identify who is making the request, as only an individual whose data you hold can request that their data be removed. The process of verifying the identity of the individual must conform to the “Reasonable Means” approach.
You must respond to a request without delay and at the latest within one month of receipt.
This can be extended by up to two months but only if the individual has been contacted and provided with an explanation as to why the delay will take place.
Your organisation can refuse the request to destroy the data if it is processing the data for the purpose of:
- Allowing the right of freedom of expression and information
- A legal obligation
- Performing a public interest task or in the use of official authority
- Archiving for legal reasons, public interest, scientific research, historic research or statistical purposes (this seems a wide-ranging option)
- Use for or against a legal claim
- Public health purposes in the public interest
- Where you are processing the data under the supervision of a health professional, where necessary for monitoring medicine or preventing issues
Remember that data removal requires that all copies of that data (hard and virtual) be destroyed, redacted, deleted or returned to the individual. This applies to copies of the data that were passed to third parties too.
Finally, you need to ensure you keep sufficient information to prove that you have carried this out. This must state what data has been removed so that there is a record showing that the data is no longer present. It will be interesting to see how the ICO and the courts determine how this can be done!