My attempt at simplifying the Data Protection Act.

Principle 5

Delete data you no longer need

What the act says

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

What this means

This is a pretty self-explanatory principle: when you have finished with someone’s information then you should delete it. The act doesn’t define how long is necessary and it is generally sensible to keep data in systems for a few weeks after you’ve finished with it in case you need to go back and check what you did.

You may also be subject to other regulations (FSA, Inland Revenue, etc.) that mandate that you keep information for a specific period. However, the key to managing your compliance under this principle is to have a data retention policy for each bit of personal data you collect and then make sure it is implemented.

If you have a need to keep historical data for general statistical analysis then it’s a good idea to see if the identifiers which make the data “personal data” can be removed.
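The retention policy and de-identification described above, as an added example that is not part of the original page: a sweep that applies a per-purpose retention rule (the period the purpose needs plus a short grace period for going back to check what was done), deletes records that have expired, and, where historical data is wanted for statistics, keeps only a copy with the identifying fields stripped. The purposes, periods, field names and sample records are all constructed for illustration and are not taken from the Act or any regulator.

```python
"""Added example (not from the original page): a retention sweep over personal
data records driven by a per-purpose retention policy.  All policy values,
purposes and records below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    """Hypothetical retention rule for one purpose."""
    retain_for: timedelta                  # how long the purpose needs the data
    grace: timedelta = timedelta(weeks=4)  # time to go back and check what was done
    keep_anonymised: bool = False          # keep a de-identified copy for statistics


# Constructed policy: one rule per purpose the data was collected for.
POLICY = {
    "order_fulfilment": RetentionRule(timedelta(days=180), keep_anonymised=True),
    "newsletter": RetentionRule(timedelta(days=0)),          # needed only while subscribed
    "tax_records": RetentionRule(timedelta(days=6 * 365)),   # constructed statutory period
}

# Fields that make a record "personal data"; removed when a record is anonymised.
IDENTIFIERS = {"name", "email", "address", "phone"}


@dataclass
class Record:
    purpose: str          # why the data was collected
    purpose_ended: date   # the day processing for that purpose finished
    fields: dict


def classify(record: Record, today: date) -> str:
    """Return 'keep', 'anonymise', 'delete' or 'review' for one record."""
    rule = POLICY.get(record.purpose)
    if rule is None:
        # No retention policy for this purpose is itself a compliance gap:
        # flag it for a human rather than silently keeping or deleting it.
        return "review"
    expiry = record.purpose_ended + rule.retain_for + rule.grace
    if today <= expiry:
        return "keep"
    return "anonymise" if rule.keep_anonymised else "delete"


def anonymise(record: Record) -> Record:
    """Strip the identifying fields so only statistical attributes remain."""
    stats_only = {k: v for k, v in record.fields.items() if k not in IDENTIFIERS}
    return Record(record.purpose, record.purpose_ended, stats_only)


def sweep(records, today: date):
    """Apply the policy: returns (records to keep, number deleted, records to review)."""
    kept, deleted, flagged = [], 0, []
    for rec in records:
        action = classify(rec, today)
        if action == "keep":
            kept.append(rec)
        elif action == "anonymise":
            kept.append(anonymise(rec))
        elif action == "delete":
            deleted += 1
        else:
            flagged.append(rec)
    return kept, deleted, flagged


# Constructed sample data: the sweep is run as if on 1 March 2010.
TODAY = date(2010, 3, 1)
SAMPLE_RECORDS = [
    Record("order_fulfilment", date(2009, 6, 1),
           {"name": "A. Customer", "email": "a@example.invalid",
            "postcode_area": "YO", "order_value": 42.50}),   # expired: anonymise
    Record("order_fulfilment", date(2010, 1, 15),
           {"name": "B. Customer", "email": "b@example.invalid",
            "postcode_area": "LS", "order_value": 9.99}),    # still needed: keep
    Record("newsletter", date(2010, 1, 1), {"email": "c@example.invalid"}),   # delete
    Record("newsletter", date(2010, 2, 20), {"email": "d@example.invalid"}),  # keep
    Record("marketing_experiment", date(2009, 9, 1), {"email": "e@example.invalid"}),  # no policy
    Record("tax_records", date(2005, 4, 5), {"name": "F. Ltd", "vat": "constructed"}),  # keep
]

if __name__ == "__main__":
    kept, deleted, flagged = sweep(SAMPLE_RECORDS, TODAY)
    print(f"kept {len(kept)}, deleted {deleted}, needs review {len(flagged)}")
    for rec in kept:
        print(rec.purpose, sorted(rec.fields))
```

The "review" outcome is the important one in practice: a record whose purpose has no retention rule is exactly the case the first test question above is asking about, and the sweep surfaces it instead of guessing.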

How to test

Remember, to comply with the Act you should test every bit of processing of each bit of data against all eight principles.

The fifth principle gives these tests:

  1. Do you have a formal data retention policy for all personal data you have?
  2. When you collect new data, do you know when you will no longer need it, and so delete it?
  3. When you make a copy of some data, how do you verify that all the data you have copied is still needed?

Technology Matters

This is one of the hardest principles of the act to comply with from a technical perspective for two reasons.

  1. People are really good at taking copies of data but they’re really poor at deleting them, keeping copies ‘just in case’. Sometimes it can be hard to even know that there’s personal data in a particular file, which is where data audits and copy/export controls can be really useful.
  2. Backup. Many organisations run a cycle where they permanently keep annual backups and sometimes don’t even overwrite their monthly backups. Such backups by definition will store personal data which is no longer needed for the purposes the data were initially obtained for. It is almost impossible to selectively remove parts of the data from a backup set, so this is always going to be a challenge. It can be helped by good backup planning and also by making sure that when backups are really no longer needed they’re securely destroyed.

Disclaimer: This is general information only and I’ve tried to simplify the major parts of the Act to make it easy (I hope) to understand. This isn’t legal advice and it isn’t specific advice for you. If you’re looking for help with DPA and Information Security compliance then please contact me.