The increase in individuals’ rights in respect of their personal data is one of the key concerns for many organisations as they prepare for the GDPR. With less than three weeks to go before the GDPR comes into force, I want to take a look at one of those new rights.
Not an entirely new right
As Google learnt to its cost in 2014, the concept of the ‘Right to be Forgotten’ is one already recognised by the courts. Mario Costeja González brought a claim against Google because internet searches against his name returned newspaper notices from more than 10 years earlier regarding the forced sale of properties. Mr Costeja González argued that these were outdated and no longer relevant, and that returning them in search results was prejudicial to him.
The Court of Justice agreed, confirming that, even though information was lawfully available over the internet and regardless of whether or not the information was prejudicial, Mr Costeja González’s right not to have those search results returned outweighed the rights of Google as a search provider to present those results and the rights of Google’s users to receive them.
So the concept of the Right to be Forgotten is not a new one, but the GDPR Right to Erasure goes even further than the Costeja González principle. It brings in an obligation for data to be deleted altogether.
When can an individual require erasure?
The GDPR gives individuals (called ‘data subjects’) the right to have personal data erased “without undue delay” in a number of circumstances. In particular, there is a right to erasure where the data has been processed unlawfully and where the data is no longer required in connection with the purpose for which it was collected.
Importantly, the right to erasure comes into play where the consent upon which data processing was based is withdrawn by the data subject.
Is it possible to decline an erasure request?
Yes, it is.
The GDPR sets out a number of circumstances in which personal data may continue to be held and processed lawfully. These include where such data processing is necessary:
- for compliance with legal obligations, for example in relation to right to work checks for employees;
- for the establishment, exercise or defence of legal claims. This means that, where litigation by employees or students remains a possibility, it will be lawful to retain relevant data;
- on limited public interest grounds; and
- in limited circumstances for scientific or historical research or statistical purposes, for example records of historic exam results.
Whilst it is clear that the Right to Erasure does not override a legal obligation and is not a tool for disadvantaging the other side in litigation, there is still scope for a data controller (the party holding the data) and data subject to disagree about each other’s rights.
The difficulty for data controllers is that a disagreement with a data subject could prompt the data subject to complain to the Information Commissioner, leading to an investigation of the data controller. Institutions will want to limit the scope for disagreement with students and teachers by ensuring that their data processing is conducted on a GDPR-compliant footing.
In practice this means:
- giving careful thought to the purposes for which data is being processed, issuing a privacy notice to reflect that and then ensuring that personal data is processed strictly in compliance with that information. Time spent now in thinking through why certain data is held and what is done with it will save time and reduce risk in the future;
- taking particular account of the key data protection principles of data minimisation and privacy by design and default. Any personal data held should be limited to the minimum necessary, so that all data processing activities are readily defensible;
- ensuring personal data is held securely in specified locations and that access to it is limited to those persons who need access in connection with its lawful processing;
- keeping records of any sharing of personal data with third parties, including other education providers and employers; and
- putting in place an appropriate document retention and deletion regime to ensure that personal data is held for no longer than necessary.
A key point to bear in mind is that the Right to Erasure only applies to personal data. If data has been properly anonymised (i.e. the portions of the data that could lead to the data subject being identified from the data have been irreversibly removed) then an erasure request would not apply to the anonymised data. This is likely to be particularly useful for institutions who want to retain data for statistical purposes but who cannot rely on the limited exemption referred to above.
Responding to an erasure request
Where an erasure request is made, organisations need to ensure they are ready to respond to that request “without undue delay”.
In practice, this will mean:
- everyone being on the look-out for erasure requests and ensuring that requests are directed promptly to the appropriate person internally who knows how to handle that request;
- educating the relevant person/team(s) as to how to act and respond appropriately;
- if the organisation wishes to retain personal data, then considering whether any exemptions apply. It may be that litigation is anticipated, which would justify retention of the data that a student or employee asks to be deleted. It will be necessary here to consider whether an exemption applies to only part of the data and whether the rest should be erased. Any refusal or exclusion of personal data from erasure should be justifiable and communicated to the data subject;
- notifying any data controller with whom the data was shared about the erasure request. This could be burdensome, and good record-keeping will come into its own here. For example, an ex-employee’s information may have been shared with a possible new employer through the giving of a reference; and
- ensuring that all data (electronic and hardcopy) that is in-scope for erasure is erased. Again, this is potentially far-reaching where data has been disseminated broadly, particularly electronically.
Where personal data has been made public in an online environment (e.g. the data controller has posted to a website), then the Information Commissioner expects that data controller to take reasonable steps to inform other controllers who are processing the personal data to erase links to, or copies of, that data. When deciding what steps are reasonable you may take into account available technology and the cost of implementation.
The Information Commissioner is expected to publish further guidance on the Right to Erasure once the Data Protection Bill (which is currently going through Parliament) is finalised.
Reaching into archives
When considering archive data, a practical distinction may need to be made between archive data that is referred to on an on-going basis and backups made for disaster recovery purposes. To the extent that these include personal data, both are within the scope of the GDPR and a valid erasure request would need to be applied to both.
The operational burden created by the Right to Erasure will depend upon a number of factors, including the nature of the personal data and the inclinations of the data subjects whose data it is. It may be possible to take archive data outside the scope of the GDPR if it can be fully anonymised – i.e. by removing any identifying data so that the archive no longer constitutes personal data.
Alternatively, if the archive data can be limited to personal data that can legitimately be retained notwithstanding an erasure request then, in theory, an erasure request could be declined, although this might lead to disappointed data subjects escalating complaints.
Since it may be impractical or undesirable to reach into business recovery backups in order to edit their contents, a pragmatic alternative approach could be to implement a mechanism for ensuring that any personal data that has been the subject of a valid erasure request is not returned to use upon restoration of the backup. Provided that such an approach is justifiable as effecting practical erasure “without undue delay”, it should not be objectionable.
The GDPR Right to Erasure (or ‘right to be forgotten’) gives current and former students and employees a powerful right to oblige organisations to delete personal data held by those organisations. The right is not absolute, but the exceptions are limited and may involve a balancing exercise between the interests of the data controller and the rights of the data subject. It should be assumed that the balance will lean in favour of the data subject’s privacy, particularly where erasure may be effected without significant prejudice to the data controller.
However, do note that the Right to Erasure applies only to the requester’s personal data. Consideration should be given to solutions for irrevocably de-identifying or redacting records in appropriate cases in order to maintain useful information which the data controller may legitimately retain, whilst complying with its GDPR obligations. For example, institutions will want to keep a record of exam results but do not necessarily need to link these to names in order for them to be useful.
Where a data subject is entitled to erasure, their personal data must be erased without undue delay. Care must be taken to ensure that all such personal data is destroyed and will not be reinstated, for example if data is restored from backup archives following the initial erasure.
If a GDPR-compliant regime cannot be implemented ahead of the GDPR coming into effect on 25 May 2018, then a privacy impact assessment should be undertaken in order to understand the impact of any non-compliance upon data subjects and to determine the steps that can be taken in order to mitigate that impact.
Whilst it is insufficient to cite practical difficulties as a reason for non-compliance, evidence of genuine movement towards compliance would be expected to be taken into account by the Information Commissioner in any investigation.
By Nabil Asaad, Commercial Lawyer and GDPR Specialist at Penningtons Manches LLP
About Penningtons Manches LLP: A commercial law firm advising a wide variety of clients but with a particular focus on the education and technology sectors.