Any organisation that is collecting data needs to comply with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), failure to do so can result in very heavy fines issued by the Information Commissioner’s Office (ICO).
Within the data protection legal regime in England and Wales the law provides that individuals (data subjects) have the right to have their data erased. This is know as the Right to Erasure, and is more commonly know as the “Right to be Forgotten”.
GDPR 7 General Principles
The GDPR sets out seven key general principles for the lawful processing of personal data which need to be at the heart of any personal data processing system. The seven general principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
The 7 General Principles are drawn from Article 5 (1) and (2) of the GDPR:
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
5 (2) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Special Category Data
Certain categories of data are considered by the GDPR to be more sensitive, this is know as special category data. Special category data under Article 9 (1) of the GDPR is defined as data relating to:
racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Criminal Offence Data
In a similar way to Special Category data, the GDPR also specifies that criminal offence records must be dealt with in a particular way, and only where there is legal or official authority to do so under Article 10 of the GDPR.
Article 10 states as follows:
Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
Right to Erase – Right to be Forgotten
Under Article 17 of the GDPR, individuals have the right to have personal data erased. The right to erasure (or the right to forgotten as it is often known) is not unlimited and does not apply to all situations and categories of data.
The GDPR states that data controllers must erase personal data, without undue delay, in the following circumstances:
- Your personal data is no longer necessary for the purpose which it was originally collected or processed for;
- You withdraw your consent, where consent was required for your data to be processed;
- There is no overriding legitimate interest to continue processing;
- Where personal data has been processed unlawfully
- Where a legal obligation requires erasure
- Or personal data related to the offer of information society services to a child.
Application of the Right to be Forgotten
The Right to Erasure/to be forgotten does not apply where the processing of personal data is necessary for exercising the right of freedom of expression and information, to comply with obligations carried out in the public interest or official authority, for public health reasons, for the archiving of scientific research, historical research, or statistical purposes, or for the establishment, exercise or defence of legal claims.
The Right to Erasure applies, for example, to the deletion from public aggregators of information, such as Google’s search engine.
We are able to help if you would like to have links to unfavourable news articles or other electronic media, removed from Google’s search index. For more information please visit here: Removing Information from Google’s Index.
The Right to be Forgotten under the GDPR however does not apply to criminal record information held by the police or other bodies entrusted with recording criminal record information, the Right to Erasure and/or Restriction under the Data Protection Act 2018 applies instead.
Criminal Records and the Right to Erasure
The police retain records in a variety of different ways, but the main two types of information are held on either the Police National Computer (PNC) or locally held records. Locally held police records are often backed up to the Police National Database (PND).
The PNC is a record of all arrest records, cautions and convictions issued to data subjects, typically these can only be removed if there is a lawful basis for doing so. In the case of cautions and arrest records these will only be removed because the police have agreed to a deletion, or the High Court has ordered expungement after judicial review proceedings. We have extensive experience of successfully challenging police cautions and arrest records.
Locally held records can be retained by the police relating to investigations where no charges resulted, or where charges were issued, but a prosecution collapsed at court. The police may also retain records in relation to old minor convictions and cautions, such as witness statements, interviews and custody records. The police can justify the retention of these records for law enforcement purposes, which are defined as: for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
These records however can not be kept indiscriminately and depending on the circumstances of the case, a data subject may be able to successfully argue that their locally held police records should be deleted under the right to erasure.
We have significant experience in applying for the deletion of locally held police records under the right to erasure/rectification under the Data Protection Act. Please get in touch if you feel the police are unfairly retaining records against your name.