Right to be forgotten
Much has been made in the press of the ‘right to be forgotten’. However, it is more accurate to describe it as a right to erasure. The ICO have stated that the “broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing”.
The right to erasure is not an absolute right. Instead, individuals have a right to have their personal data erased and to prevent processing in the following circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- Where the personal data was unlawfully processed
- Where the personal data has to be erased in order to comply with a legal obligation
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
- When the individual withdraws consent (i.e. the processing was based on consent in the first place)
- Where the personal data is processed in relation to the offer of information society services to a child (“information society services” are, broadly, online services, usually provided for profit)
There are also extra requirements when the request for erasure relates to personal data relating to children.
When can you refuse to erase data?
Data controllers can refuse to comply with a request for erasure to the extent that continued processing is necessary:
- For exercising the right of freedom of expression and information
- For compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority
- For reasons of public interest in the area of public health
- For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- For the establishment, exercise or defence of legal claims.
How quickly must you comply?
There is a requirement to act without delay unless there is a legitimate interest not to do so. In those circumstances you must inform the data subject why you are unable to comply with their request.
What happens if you’ve disclosed the data to third parties?
If you have disclosed the personal data to third parties, you must inform the third parties about the request for the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so. What is “disproportionate” will depend on the circumstances involved, taking into account the nature of the information and any effect on the individual. While there isn’t clear guidance yet on how this will be judged, the existing guidance under the DPA around “disproportionate effort” concerning subject access requests suggests this may be the exception rather than the norm, as it is likely that informing third parties will not be disproportionate just because it is costly or time-consuming.