The Information Commissioner’s Office has published guidance for organisations on the deletion of personal data. The guidance sets out that, subject to certain conditions, data can be retained even where it is no longer necessary for data processing purposes; unless those conditions are fulfilled, such retention would likely be a breach of the fifth data protection principle set out in the Data Protection Act 1998, which sets out that personal data cannot be stored for longer than is necessary.
The ICO recognises that electronic data cannot always realistically be physically destroyed. Therefore, the condition for continued retention is that data is put “beyond use”. This means that the data controller holding the information is not able or will not attempt to use that data, does not give access to that data to any third party, keeps that data with appropriate security and commits to the permanent deletion of that data when deletion becomes possible.