THE FIFTH DATA PROTECTION PRINCIPLE

The fifth data protection principle says:

Like the third data protection principle the fifth data protection principle is not supported by any interpretation, but this should not cause too many difficulties as it is self-evident that it requires the data controller to delete, destroy or ‘anonymize’ personal data at the completion of the processing purpose. The correlation of this is that all information that is held by the data controller must be justified against a particular purpose, either one that has been specified pursuant to the second data protection principle or a subsequent purpose that is not incompatible with the one specified.

The deletion of personal data can be effected by merely deleting the personal identifiers, a process known as ‘anonymization’. This is because once all personal identifiers are removed the information ceases to identify an individual and therefore it ceases to be personal data. Anonymization is recognized by the Data Protection Directive as a valid response to the prohibition against keeping data for longer than is necessary.

Data controllers who process electronic data need to ensure that the data are properly deleted when the processing purpose is complete, because very often all a delete function does to active electronic data is to remove the reference to it in the tables that the computer searches against. To properly delete an active electronic file a process colloquially known as ‘electronic shredding’ needs to be followed, which involves the repeated overwriting of the file to be shredded with new binary code. An equally problematic issue for electronic data is the deletion of backup data. The data controller who successfully manages to delete active data may still find itself in breach of the fifth data protection principle for neglecting to put in place procedures for the deletion of backup data. Finally, there is the issue of electronic data proliferation, where the same piece of electronic data comes to be stored in various places at the same time. In addition to official backups, electronic data may be copied from central servers to remote PCs, to portable storage media and to mobile devices, such as PDAs (personal digital assistants), mobile telephones and music players. The data controller’s compliance strategy needs to bear this in mind.

Cases on the fifth data protection principle

The most significant case on the fifth data protection principle also addresses the third data protection principle: The Chief Constables of West Yorkshire, South Yorkshire and North Wales Police v. The Information Commissioner,¹⁰⁴ a consolidated appeal from the service of three enforcement notices by the Information Commissioner. These enforcement notices all concerned the disclosure of very old conviction data held by the police on the UK Police National Computer, which the Information Commissioner considered should be deleted. In summary, the Information Tribunal considered that the long-term retention of conviction data by the police does not contravene the third or fifth data protection principles, although it does engage Article 8 of the ECHR. However, there is a distinction between police use of retained data and disclosure to third parties and in each of the cases under appeal the Tribunal directed that the data could be retained, but for police access only. It is worth noting that none of the convictions under review were for indecency, or mistreatment of the vulnerable or for serious violence. Apart from one conviction for assault occasioning actual bodily harm, all of the offences were to do with petty theft or were motoring offences.