Nabil Asaad, Associate at Penningtons Manches LLP

The increased rights of individuals in respect of their personal data is one of the key concerns for many organisations as they prepare for the GDPR. With less than three weeks to go before the GDPR comes into force, I want to take a look at one of those new rights.  

Not an entirely new right

As Google learnt to its cost in 2014, the concept of the ‘Right to be Forgotten’ is one already recognised by the courts.  Mario Costeja González brought a claim against Google that internet searching against his name returned newspaper notices from more than 10 years earlier regarding the forced sale of properties. Mr Costeja González argued that these were outdated, no longer relevant and that returning them in search results was prejudicial to him.

The Court of Justice agreed, confirming that, even though information was lawfully available over the internet and regardless of whether or not the information was prejudicial, Mr Costeja González’s right not to have those search results returned outweighed the rights of Google as a search provider to present those results and the rights of Google’s users to receive them.

So the concept of the Right to be Forgotten is not a new one, but the GDPR Right to Erasure goes even further than the Costeja González principle. It brings in an obligation for data to be deleted altogether.

When can an individual require erasure?

The GDPR gives individuals (called ‘data subjects’) the right to have personal data erased “without undue delay” in a number of circumstances. In particular, there is a right to erasure where the data has been processed unlawfully and where the data is no longer required in connection with the purpose for which it was collected.

Importantly, the right to erasure comes into play where the consent upon which data processing was based is withdrawn by the data subject.

Is it possible to decline an erasure request?

Yes, it is.

The GDPR sets out a number of circumstances in which personal data may continue to be held and processed lawfully.  These  include where such data processing is necessary:

  • for compliance with legal obligations, for example in relation to right to work checks for employees;
  • for the establishment, exercise or defence of legal claims. This means that, where litigation by employees or students remains a possibility, it will be lawful to retain relevant data;
  • on limited public interest grounds; and
  • in limited circumstances for scientific or historical research or statistical purposes, for example records of historic exam results.

Practical considerations

Whilst it is clear that the Right to Erasure does not override a legal obligation and is not a tool for disadvantaging the other side in litigation, there is still scope for a data controller (the party holding the data) and data subject to disagree about each other’s rights.

The difficulty for data controllers is that a disagreement with a data subject could prompt the data subject to complain to the Information Commissioner, leading to an investigation of the data controller. Institutions will want to limit the scope for disagreement with students and teachers by ensuring that their data processing is conducted on a GDPR-compliant footing.

In practice this means:

  • giving careful thought to the purposes for which data is being processed, issuing a privacy notice to reflect that and then ensuring that personal data is processed strictly in compliance with that information. Time spent now in thinking through why certain data is held and what is done with it will save time and reduce risk in the future;
  • taking particular account of the key data protection principles of data minimisation and privacy by design and default. Any personal data held should be limited to the minimum necessary, so that all data processing activities are readily defensible;
  • ensuring personal data is held securely in specified locations and that access to it is limited to those persons who need access in connection with its lawful processing;
  • keeping records of any sharing of personal data with third parties ,including other education providers and employers; and
  • putting in place an appropriate document retention and deletion regime to ensure that personal data is held for no longer than necessary.

A key point to bear in mind is  that the Right to Erasure only applies to personal data. If data has been properly anonymised (i.e. the portions of the data that could lead to the data subject being identified from the data have been irreversibly removed) then an erasure request would not apply to the anonymised data.   This is likely to be particularly useful for institutions who want to retain data for statistical purposes but who cannot rely on the limited exemption referred to above.

Responding to an erasure request

Where an erasure request is made, organisations need to ensure they are ready to respond to that request “without undue delay”.

In practice, this will mean:

  • everyone being on the look-out for erasure requests and ensuring that requests are directed promptly to the appropriate person internally who knows how to handle that request;
  • educating the relevant person/team(s) as to how to act and respond appropriately;
  • if the organisation wishes to retain personal data, then considering whether any exemptions apply. It may be that litigation is anticipated, which would justify retention of the data that a student or employee asks to be deleted.  It will be necessary here to consider whether an exemption applies to only part of the data and whether the rest should be erased. Any refusal or exclusion of personal data from erasure should be justifiable and communicated to the data subject; and
  • notifying any data controller with whom the data was shared about the erasure request. This could be burdensome, and good record-keeping will come into its own here.  For example, an ex-employee’s information may have been shared with a possible new employer through the giving of a reference; and ensuring that all data (electronic and hardcopy) that is in-scope for erasure is erased. Again, this is potentially far-reaching where data has been disseminated broadly, particularly electronically.

Where personal data has been made public in an online environment (e.g. the data controller has posted to a website), then the Information Commissioner expects that data controller to take reasonable steps to inform other controllers who are processing the personal data to erase links to, or copies of that data. When deciding what steps are reasonable you may take into account available technology and the cost of implementation.

The Information Commissioner is expected to publish further guidance on the Right to Erasure once the Data Protection Bill (which is currently going through Parliament) is finalised.

Reaching into archives

When considering archive data, a practical distinction may need to be made between archive data that is referred to on an on-going basis and backups made for disaster recovery purposes. To the extent that these include personal data, both are within the scope of the GDPR and a valid erasure request would need to be applied to both.

The operational burden created by the Right to Erasure will depend upon a number of factors, including the nature of the personal data and the inclinations of the data subjects whose data it is. It may be possible to take archive data outside the scope of the GDPR if it can be fully anonymised – i.e. by removing any identifying data so that the archive no longer constitutes personal data.

Alternatively, if the archive data can be limited to personal data that can legitimately be retained notwithstanding an erasure request then in theory, an erasure request could be declined, although this might lead to disappointed data subjects escalating complaints.

Since it may be impractical or undesirable to reach into business recovery backups in order to edit their contents, a pragmatic alternative approach could be to implement a mechanism for ensuring that any personal data that has been the subject of a valid erasure request is not returned to use upon restoration of the backup. Provided that such an approach is justifiable as effecting practical erasure “without undue delay”, it should not be objectionable.

In summary

The GDPR Right to Erasure (or ‘right to be forgotten’) gives current and former students and employees a powerful right to oblige organisations to delete personal data held by those organisations. The right is not absolute, but the exceptions are limited and may involve a balancing exercise between the interests of the data controller and the rights of the data subject. It should be assumed that the balance will lean in favour of the data subject’s privacy, particularly where erasure may be effected without significant prejudice to the data controller.

However, do note that the Right to Erasure applies only to the requester’s personal data. Consideration should be given to solutions for irrevocably de-identifying or redacting records in appropriate cases in order to maintain useful information which the data controller may legitimately retain, whilst complying with its GDPR obligations. For example, institutions will want to keep a record of exam results but do not necessarily need to link these to names in order for them to be useful.

Where a data subject is entitled to erasure, their personal data must be erased without undue delay. Care must be taken to ensure that all such personal data is destroyed and will not be reinstated, for example if data is restored from backup archives following the initial erasure.

If a GDPR-compliant regime cannot be implement ahead of the GDPR coming into effect on 25 May 2018, then a privacy impact assessment should be undertaken in order to understand the impact of any non-compliance upon data subjects and to determine the steps that can be taken in order to mitigate that impact.

Whilst it is insufficient to cite practical difficulties as a reason for non-compliance, evidence of genuine movement towards compliance would be expected to be taken into account by the Information Commissioner in any investigation.

By Nabil Asaad, Commercial Lawyer and GDPR Specialist at Penningtons Manches LLP

About Penningtons Manches LLP: A commercial law firm advising a wide variety of clients but with a particular focus on the education and technology sectors.

You may also be interested in these articles:

Register, Login or Login with your Social Media account:


Advertisers

Upcoming FE Events

Advertiser Skyscrapers

Newsroom Activity

Latest Education News

Further Education News

The FE News Channel gives you the latest education news and updates on emerging education strategies and the #FutureofEducation and the #FutureofWork.

Providing trustworthy and positive Further Education news and views since 2003, we are a digital news channel with a mixture of written word articles, podcasts and videos. Our specialisation is providing you with a mixture of the latest education news, our stance is always positive, sector building and sharing different perspectives and views from thought leaders, to provide you with a think tank of new ideas and solutions to bring the education sector together and come up with new innovative solutions and ideas.

FE News publish exclusive peer to peer thought leadership articles from our feature writers, as well as user generated content across our network of over 3000 Newsrooms, offering multiple sources of the latest education news across the Education and Employability sectors.

FE News also broadcast live events, podcasts with leading experts and thought leaders, webinars, video interviews and Further Education news bulletins so you receive the latest developments in Skills News and across the Apprenticeship, Further Education and Employability sectors.

Every week FE News has over 200 articles and new pieces of content per week. We are a news channel providing the latest Further Education News, giving insight from multiple sources on the latest education policy developments, latest strategies, through to our thought leaders who provide blue sky thinking strategy, best practice and innovation to help look into the future developments for education and the future of work.

In May 2020, FE News had over 120,000 unique visitors according to Google Analytics and over 200 new pieces of news content every week, from thought leadership articles, to the latest education news via written word, podcasts, video to press releases from across the sector.

We thought it would be helpful to explain how we tier our latest education news content and how you can get involved and understand how you can read the latest daily Further Education news and how we structure our FE Week of content:

Main Features

Our main features are exclusive and are thought leadership articles and blue sky thinking with experts writing peer to peer news articles about the future of education and the future of work. The focus is solution led thought leadership, sharing best practice, innovation and emerging strategy. These are often articles about the future of education and the future of work, they often then create future education news articles. We limit our main features to a maximum of 20 per week, as they are often about new concepts and new thought processes. Our main features are also exclusive articles responding to the latest education news, maybe an insight from an expert into a policy announcement or response to an education think tank report or a white paper.

FE Voices

FE Voices was originally set up as a section on FE News to give a voice back to the sector. As we now have over 3,000 newsrooms and contributors, FE Voices are usually thought leadership articles, they don’t necessarily have to be exclusive, but usually are, they are slightly shorter than Main Features. FE Voices can include more mixed media with the Further Education News articles, such as embedded podcasts and videos. Our sector response articles asking for different comments and opinions to education policy announcements or responding to a report of white paper are usually held in the FE Voices section. If we have a live podcast in an evening or a radio show such as SkillsWorldLive radio show, the next morning we place the FE podcast recording in the FE Voices section.

Sector News

In sector news we have a blend of content from Press Releases, education resources, reports, education research, white papers from a range of contributors. We have a lot of positive education news articles from colleges, awarding organisations and Apprenticeship Training Providers, press releases from DfE to Think Tanks giving the overview of a report, through to helpful resources to help you with delivering education strategies to your learners and students.

Podcasts

We have a range of education podcasts on FE News, from hour long full production FE podcasts such as SkillsWorldLive in conjunction with the Federation of Awarding Bodies, to weekly podcasts from experts and thought leaders, providing advice and guidance to leaders. FE News also record podcasts at conferences and events, giving you one on one podcasts with education and skills experts on the latest strategies and developments.

We have over 150 education podcasts on FE News, ranging from EdTech podcasts with experts discussing Education 4.0 and how technology is complimenting and transforming education, to podcasts with experts discussing education research, the future of work, how to develop skills systems for jobs of the future to interviews with the Apprenticeship and Skills Minister.

We record our own exclusive FE News podcasts, work in conjunction with sector partners such as FAB to create weekly podcasts and daily education podcasts, through to working with sector leaders creating exclusive education news podcasts.

Education Video Interviews

FE News have over 700 FE Video interviews and have been recording education video interviews with experts for over 12 years. These are usually vox pop video interviews with experts across education and work, discussing blue sky thinking ideas and views about the future of education and work.

Events

FE News has a free events calendar to check out the latest conferences, webinars and events to keep up to date with the latest education news and strategies.

FE Newsrooms

The FE Newsroom is home to your content if you are a FE News contributor. It also help the audience develop relationship with either you as an individual or your organisation as they can click through and ‘box set’ consume all of your previous thought leadership articles, latest education news press releases, videos and education podcasts.

Do you want to contribute, share your ideas or vision or share a press release?

If you want to write a thought leadership article, share your ideas and vision for the future of education or the future of work, write a press release sharing the latest education news or contribute to a podcast, first of all you need to set up a FE Newsroom login (which is free): once the team have approved your newsroom (all content, newsrooms are all approved by a member of the FE News team- no robots are used in this process!), you can then start adding content (again all articles, videos and podcasts are all approved by the FE News editorial team before they go live on FE News). As all newsrooms and content are approved by the FE News team, there will be a slight delay on the team being able to review and approve content.

 RSS IconRSS Feed Selection Page