Many UK business owners know the importance of data protection compliance. Over the past few years, the General Data Protection Regulation (GDPR) has received significant media attention. Compliance with the GDPR is essential because the Information Commissioner’s Office (ICO) can fine UK businesses up to £17.5m for GDPR violations. This article will explore the danger of ignoring a request for the deletion of data from a staff member. Furthermore, it should clarify the circumstances in which your business can safely reject a request for data deletion.
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is the primary data protection law covering UK businesses. Most UK companies seek to achieve GDPR compliance to reduce the risk of hefty ICO fines (up to £17.5m).
Most media coverage focuses on the obligations imposed by the GDPR on UK businesses concerning data collection and processing. However, the GDPR imposes various obligations on UK businesses, including data security, cyber defences and suitable data deletion.
In this article, we will explore one of the lesser-known scenarios brought to life by the GDPR: data erasure.
What Does Data Erasure Mean?
Data erasure is the act of deleting personal information upon request from the relevant data subject. This is otherwise known as the ‘right to be forgotten’.
However, the GDPR provides a valuable exception to UK businesses when considering whether to erase personal data. It does so by stating that UK organisations only have to erase personal information when it is ‘no longer necessary in relation to the purpose for which it was collected or processed’.
When Is Retaining Personal Information Necessary?
Naturally, whether personal data retains its original purpose depends on the circumstances in which you collected it and the legitimate interests of your business.
This article will consider the potential scenario of a current employee requesting data deletion. Here, much will depend on the nature of the relevant information. This is because employers usually keep employees’ personal data to ensure they have sufficient information to continue their employment and comply with legal obligations.
The reasoning for needing these records is relatively straightforward. For example, evidence of a start date is necessary to calculate any future redundancy pay. Likewise, HMRC compels you to retain payslip records. Additionally, you must keep health records to ensure the company discharges its duty of care.
So whilst an individual can request data erasure under the UK GDPR, it is not an absolute right but subject to any overriding legitimate interest.
When is Staff Personal Information No Longer Necessary?
There are limited situations in which an existing staff member can ask your company to erase pieces of personal information. Examples of this may include:
- out-of-date home addresses;
- old personal email addresses; and
- inaccurate emergency contact information.
For instance, an employee going through a divorce may move house, want to remove their spouse as emergency contact and switch from any joint email address. This would be reasonable if they provided more up-to-date information, as the previous details would no longer be necessary.
Is the Situation Different With a Former Staff Member?
Your business may have more leeway to delete personal information relating to previous staff members than current ones. However, your company should retain particular information following an employee’s departure. For example, most businesses will keep information about workplace injuries for at least six years, to cover the limitation period within which a personal injury claim can be brought.
Key Takeaways
Your company should ensure that it only deletes staff information when necessary. If a staff member asks for the deletion of personal data but it remains accurate and necessary, your company should refuse.
The main circumstance in which your business is likely to be able to delete the personal data of an existing staff member safely is when it is out-of-date. For this reason, most companies will seek expert legal advice when handling a formal data erasure request.
If you need help ensuring the safe erasure of staff information, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
This is a common question because the GDPR derives from European Union law. However, the UK Government has clarified that it intends to retain the GDPR despite the UK’s removal from European Court jurisdiction.
Slightly bizarrely, the reason for the data erasure request is irrelevant in the ICO’s eyes. Instead, it is a matter of running through the ‘necessary’ test and only retaining information if necessary.