ICO Guidance on Deleting Personal Data Under the Data Protection Act

by Morgan Lewis

[author: Matthew Howse and Celia Kendrick]

New guidance defines when electronically held personal data is "beyond use" once deleted.

As part of its mission to assist companies to understand and fulfil their obligations under the UK's Data Protection Act 1998 (the DPA), the UK's Information Commissioner's Office (ICO) recently published guidance for organisations on deleting and archiving electronically stored data. A full copy of the guidance is available here. The guidance has been produced to set out how organisations can comply with the DPA, in particular the fifth data protection principle (the fifth principle), when archiving and/or deleting personal information. In addition, it sets out what is meant by deletion, archiving, and putting personal data "beyond use".

Background

The DPA implemented the European Data Protection Directive into UK law. The DPA imposes a number of obligations on data controllers regarding the processing of data. (A data controller is an organisation that determines the purposes for which and the manner in which any personal data is processed.) These obligations are known as the eight data protection principles. The fifth principle states that "[p]ersonal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes." In its Guide to Data Protection,[1] the ICO advised that compliance with the fifth principle means that, in practice, organisations must do the following:

  • Review the length of time for which they keep personal data.
  • Consider the purpose or purposes for which they hold the data when deciding whether, and for how long, to retain it.
  • Securely delete any data that is no longer needed for these purposes.
  • Update, archive, or securely delete data if it becomes out of date.

Employer Compliance with the Fifth Principle

All employers in the UK are considered data controllers under the DPA. Information held on employees, such as names, dates of birth, and addresses, will amount to personal data.

In order to comply with the DPA, UK employers need to ensure that they do not keep employee records indefinitely. It is recommended that UK employers create and implement document retention policies and communicate these policies to their workforces. As part of such policies, employee data, such as personnel files, should be deleted after a set period of time.

There are no specific document-retention periods set out in the DPA. However, the ICO Employment Practices Code addresses data protection in employment records and makes a number of recommendations, which employers should consider when deciding on retention periods for employee records.[2] The Code recommends that retention periods for employee data be based on the business need to protect against legal risk, and that employers retain information only where it is necessary for a particular purpose.

For example, as there is a possibility that any document relating to an employee could be relevant to a UK Employment Tribunal, County Court, or High Court claim, it is recommended that employee documentation be retained for six years after termination of employment, which is the statutory limitation period for breach of contract claims, and then promptly deleted once that period has passed. It is also recommended that an unsuccessful candidate's documentation be retained for six months after he or she is rejected for a role, which is the maximum time in which an individual could bring an employment law claim, and then promptly deleted once that period has passed.

Deletion of Electronically Held Data

In the case of paper files held by organisations, deletion is straightforward and can be effected by, for example, shredding or incineration. It is more complicated when data is held electronically, as "deleted" data may still exist on an organisation's systems. The ICO's recent guidance provides more information on the meaning of "deletion" for electronically held data.

The ICO has adopted what it calls a "realistic approach" towards the deletion of electronic data and has recognised that it is possible to put data "beyond use" in certain circumstances. Its key findings are as follows:

  • Where information has been deleted but still exists somewhere in the "electronic ether", the ICO does not treat it as "live data", and data protection compliance issues will not apply to it as long as the data controller does not intend to use or access the data again. The ICO draws an analogy with a bag of shredded paper files: it would be possible to reconstitute the information from the shreds, but it would be extremely difficult, and it is unlikely that the organisation would have any intention of doing so.
  • A data controller can put undeleted data "beyond use" if the data controller
    - is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
    - does not give any other organisation access to the personal data;
    - puts appropriate security measures in place in relation to the data; and
    - commits to permanent deletion of the information if and when it becomes possible.

The ICO's example of data that cannot practically be deleted is information that, for technical reasons, cannot be removed without also deleting other information held in the same place.

The ICO has confirmed that, if the four conditions above are met, it will not require data controllers to grant individuals access to that data via a data subject access request, nor will it take any compliance action under the fifth principle.
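The persistence the ICO alludes to is easy to reproduce on a single database file. The following is an added example written for this edit; it is not code from the ICO guidance or from Morgan Lewis. It stores constructed sample employee records (fictitious names, dates and addresses) in a temporary SQLite database, deletes one record the way an application would at the end of a retention period, and checks the raw file bytes after the DELETE and again after a VACUUM, first with SQLite's ordinary behaviour and then with its secure_delete pragma switched on. The table name, the records and the temporary file path are all assumptions of the example.

```python
import os
import sqlite3
import tempfile

# Constructed sample personnel records for the demonstration (not real people).
SAMPLE_RECORDS = [
    ("Ada Example", "1980-01-02", "1 Example Street, London"),
    ("Bob Sample", "1975-05-06", "2 Sample Road, Leeds"),
]


def file_contains(path, text):
    """Return True if the UTF-8 bytes of `text` appear anywhere in the raw file."""
    with open(path, "rb") as fh:
        return text.encode("utf-8") in fh.read()


def delete_and_inspect(secure_delete):
    """Insert the sample records, DELETE one row, and report whether that row's
    bytes survive in the database file at each stage.

    secure_delete=False: SQLite's usual behaviour, which only marks the freed
                         cell as free space and leaves its content on disk.
    secure_delete=True:  PRAGMA secure_delete=ON, which overwrites freed
                         content with zeros at DELETE time.
    """
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    try:
        # Set the pragma explicitly in both modes, because some SQLite builds
        # compile secure_delete in as their default.
        con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        con.execute("CREATE TABLE employees (name TEXT, dob TEXT, address TEXT)")
        con.executemany("INSERT INTO employees VALUES (?, ?, ?)", SAMPLE_RECORDS)
        con.commit()
        result = {"before_delete": file_contains(path, "Ada Example")}

        # The "deletion" an application performs once the retention period ends.
        con.execute("DELETE FROM employees WHERE name = ?", ("Ada Example",))
        con.commit()
        result["rows_left"] = con.execute(
            "SELECT COUNT(*) FROM employees"
        ).fetchone()[0]
        # The row is gone from query results, but is it gone from the file?
        result["after_delete"] = file_contains(path, "Ada Example")

        # VACUUM rebuilds the file from live rows only, discarding free space.
        con.execute("VACUUM")
        result["after_vacuum"] = file_contains(path, "Ada Example")
        # The record that is still needed must of course survive the rebuild.
        result["live_row_kept"] = file_contains(path, "Bob Sample")
    finally:
        con.close()
        os.remove(path)
    return result


if __name__ == "__main__":
    for mode in (False, True):
        print(f"secure_delete={mode}: {delete_and_inspect(mode)}")
```

With secure_delete off, the deleted employee's name is still readable in the file after the DELETE has been committed and only disappears after the VACUUM; with secure_delete on, it is overwritten at DELETE time. Even then only this one file has been cleaned: rollback journals or WAL files, backups, replicas, filesystem free space and flash wear-levelling can all still hold copies. That residue is the "electronic ether" the ICO describes, and it is why the four "beyond use" conditions, rather than a bare DELETE statement, are the practical test of compliance.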

Implications for Employers

The majority of employers now hold employee data in both hard copy and soft copy forms, and the ICO's guidance should provide reassurance about the deletion of electronically held information. Employers should review and revise their data retention policies and practices in the light of this new guidance or consider implementing a policy if one is not already in place.


[1]. The ICO's guide is available here.

[2]. The ICO's Employment Practices Code can be accessed here.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising
