The right to erasure and the right to restriction

At a glance

  • Individuals also have the right to request the deletion or removal of their personal data.
  • Individuals also have a right to ‘block’ or restrict processing of their personal data.

In brief

The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Individuals also have the right to restrict the processing of their personal data.

The Act defines the restriction of processing as the ‘marking of stored personal data with the aim of limiting its processing for the future’.

When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that you respect the restriction in future.

Restriction could involve measures such as transferring data to a separate system, or limiting the access through the use of passwords and other access controls.

What do we need to consider when deciding if the right to erasure applies?

Individuals have a right to have personal data erased or to restrict its processing.

You must erase personal data without undue delay if:

  • the processing of the personal data will infringe the data protection principles;
  • you do not meet safeguards for archiving and processing of sensitive personal data; or
  • you have a legal obligation to erase the data.

We recognise that complete deletion of personal data in electronic systems can often be problematic, but you should ensure that you have adequate systems and storage media in place to comply with an individual’s request for erasure. If deletion is not technically possible, you should at least take steps to put the personal data ‘beyond use’.

What do we need to do to comply with requests for erasure or restriction?

The Act does not specify how to make a request, so an individual can do so verbally or in writing. Therefore, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request as this can help avoid later disputes. We also recommend that you keep a log of verbal requests.

If you have reasonable doubts about the identity of an individual, you can request more information to confirm their identity. You can delay dealing with the request until you receive further information to establish their identity.

Your request for information to verify a requester’s identity should be reasonable and proportionate, taking into consideration the nature of the personal data you hold and your relationship with the individual.

If you have disclosed the personal data in question to third parties, you must inform the third party about the erasure or restriction of the personal data. The third parties will also have to erase or restrict the personal data they hold.

You must tell an individual if you are not going to erase or rectify the personal data they have requested that you amend. You must also inform them of their right to raise a complaint with the Information Commissioner or take the matter to court.

What if the request is manifestly unfounded or excessive?

If requests are manifestly unfounded or excessive, in particular because they are repetitive, you can:

  • charge a reasonable fee taking into account the administrative costs of providing the information; or
  • refuse to respond.

You have to be able to demonstrate how a request is manifestly unfounded or excessive.

How long do we have to comply?

You must respond to the request without delay and at the latest within one calendar month, from the first day after the request was received.

Example

If you receive a request on 30 June the time limit will start on 1 July and the deadline will be 1 August.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond.

For practical purposes if a consistent number of days is required (eg for a computer system), you should adopt a 28-day period to ensure compliance is always within a calendar month.

When should we restrict processing?

You are required to restrict the processing of personal data for the law enforcement purposes in two situations:

  • If you must maintain personal data for the purposes of evidence.
  • If an individual contests the accuracy of personal data but it is not possible to be certain about its accuracy.

If restriction is based on the latter, you should inform the individual before you lift the restriction.

Example

A local authority is investigating a suspect for benefit fraud. As part of this investigation, factually inaccurate personal data about the suspect (such as age/ethnicity) has been received from a third party. However, this inaccurate record needs to be retained as evidence to account for how the local authority first carried out the investigation and the source of this information. They should not erase or rectify this information, but restrict it as it forms evidence against the suspect. They should not process this inaccurate personal data for any other purpose.

When can we limit the provision of information?

If you receive a request for rectification, you must inform the individual in writing whether you have granted the request; and if you have refused, the reasons why, as well as the process for raising a complaint with the Information Commissioner or taking matters to court.

You may limit the provision of information where it is necessary and proportionate to:

  • avoid obstructing an official or legal inquiry, investigation or procedure;
  • avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • protect public security;
  • protect national security; or
  • protect the rights and freedoms of others.

Any restriction you apply needs to be justified as necessary and proportionate. In deciding on proportionality it is important to balance the rights of the data subject against the harm disclosure would cause. You can only limit the information you provide to the extent that it would prejudice the purposes stated above.

There is also an obligation to inform the data subject when this limitation is in place, explaining its existence and the reasons unless providing this information itself undermines the purpose of imposing the restriction. You still need to inform the individual about recourse to the Information Commissioner and the Court process.

You should keep a record of your decisions and provide this reasoning to the Information Commissioner if required.