Junior Darrell | Get the data right, then get rid of it
PREVIOUS ARTICLES published by The Gleaner have covered the first, second and third of the eight standards of data protection. This column now looks at the fourth and fifth standards, regarding the accuracy of personal data and the rules that speak to deleting it.
In the fourth standard, the Data Protection Act (DPA) requires controllers to ensure that the personal data they hold is accurate. This goes beyond simply expecting them to ensure that what they have recorded matches what they were told; they must take ‘reasonable steps’ to ensure accuracy. As always, ‘reasonable’ is a word open to interpretation and will depend on the importance of the data and the risks presented to the data subject from inaccuracy. More will be expected of a bank than might be of a hairdresser, but all controllers need to think about the possible consequences of inaccuracy and take appropriate steps.
One thing to remember is that compliance with the fourth standard is a legal obligation. This means that any processing data controllers may undertake to ensure accuracy can be justified on that basis, provided it is limited to that purpose. For instance, the DPA enables them to combine data from different sources within their organisation if the intention is to ensure accuracy – or indeed, adequacy and relevance, their third standard obligations.
DISAGREEMENTS ABOUT ACCURACY
The fourth standard also has a sting in the tail. If a data subject disagrees with a data controller about the accuracy of their data, the controller is permitted to stick to their guns, but they must be able to note the disagreement as part of the personal data. Many systems make no provision for recording this dissenting opinion; in practice, therefore, this requirement can be difficult to meet. As this is not a globally consistent provision – it’s not a part of the equivalent Article 16 of the European Union’s General Data Protection Regulation, for instance – it’s not a certainty that commonly used software will be updated to accommodate it. Clarity on this is required from the local Office of the Information Commissioner.
The fifth standard is one of the real challenges in data protection – the requirement to delete data when it is no longer needed. It is important to understand that no data protection law, anywhere in the world, includes any specification of retention periods. It always falls to the controller to decide, and it is always dependent on the context and the nature of the data.
CONSIDERATIONS FOR DELETING DATA
Here are three things to think about in this context:
1. As with much of data protection, the fifth standard is about necessity. Controllers need to demonstrate that they need to keep the data. This might be because of a legal requirement, or because it demonstrably benefits the data subject, or because controllers can show that retention benefits them. In all cases, their retention of data is open to challenge, so they need to be sure they have properly considered it and not simply defaulted either to keeping everything forever or to some imagined standard retention period like seven years (the most common number across data protection regulations).
2. It’s important to think in a granular way. Data is not monolithic. It’s made up of many individual pieces. Even when there is a need to keep some data for extended periods, all of it may not need to be kept. Consider a payroll record: employers will have a legal obligation to retain payroll information for departed employees for a mandatory period after the tax year in which they leave. But while employers will need the employees’ identifying information, their TRN and the details of payments made and tax withheld, they no longer need the employees’ bank details once the last pay packet has been received. So, employers’ systems need to permit them to remove that unnecessary data as soon as practical, and their processes need to mandate that they do so.
3. Data protection law applies to paper records, as well as digital. All of those archive boxes in the basement are as much in scope as computer systems. This doesn’t just mean the fifth standard. It means all of them and the data subject rights to be covered in a later column. In turn, that means, for example, that if a controller keeps piles of ancient paper, they have a legal duty to keep them safe from damage: if their records are eaten by rats, they breach both the fourth and seventh standards. If they take the bold decision to destroy unneeded paper records, they not only save the storage cost, but reduce their risk of non-compliance.
It’s also important for data controllers to be aware that how they delete data (or destroy paper) can have a significant impact on data subjects. Controllers, therefore, need to ensure that their systems and destruction methods meet international best practice and do not give rise to additional risk exposure for the organisation and data subjects alike.
Junior Darrell is an experienced business leader and head of commercial operations of Securys Limited, a global data protection firm, with offices in the United Kingdom and Jamaica, serving clients in over 60 countries. Email: info@securys.com.jm. Send feedback to columns@gleanerjm.com.


