It's all in the nameMore
The Windrush debacle has highlighted the need to retain and allow access to certain records. By contrast, the General Data Protection Regulation (GDPR) that comes into force on the 25th of May 2018, stresses the importance of holding data for as long as it is relevant to the purpose it was first collected (data retention). These two current news stories have significant implications which are in complete contrast to each other.
One infers that it is safer for data to have a shorter shelf life, whilst the other highlights the importance of holding onto important information and documents. Neil Fraser, Partner of Fraser and Fraser asks the question; is GDPR fit for purpose or should data never be deleted?
GDPR aims to protect EU citizens with a unified approach to data protection and privacy; increasing the transparency of data that is collected and stored, and making Data Controllers, (those holding and storing data) accountable. Those who fail to do so, face a maximum 4% of global turnover fine, but what these new changes essentially mean is that older data will be destroyed.
The cost of digital storage is reducing all the time and technological advances mean that the compression and encryption of that data is incredibly safe and easy. It may have been wise for GDPR planning to work alongside the technology sector from the outset. Instead, European civil servants and bureaucrats have created rules that will result in the destruction of vital records and information that cannot be recovered which may create further scandals and increase the potential for miscarriages of justice.
There are exceptions to the GDPR regulations that will affect most of the data held by the Home Office; these mainly concern the transparency of the data records, held on an individual and how easily accessible those records are to that individual. The exceptions do not cover data that has been collected for one purpose and is now relevant for an entirely different purpose; specifically if that data is held by another organisation; a perfect example of this being the recent Windrush scandal. The Home Office is using the existing 1998 Data Protection Act (specifically, he fourth and fifth principles) as the reason
landing cards of thousands of immigrants from the 1950’s and 1960’s needed to be destroyed. This, coupled with the changes in immigration law in 2014, has caused the current problem.
GDPR goes further than data protection and would, for example, affect even the humble phone book. A staple delivered to millions of homes over the years which could help prove an individual’s residence, must now have a shelf life. According to GDPR rules, anyone simply discarding the phone book in a bin after May 25th would be in breach of new regulations!
So is GDPR fit for purpose? Well, ultimately yes as it does exactly what it aims to do – protects the individual and enforces data controllers to take responsibility across the whole of the EU. The question data retention and the interpretation when considering a retention policy. I for one, do not believe in the destruction of data when technology can solve the problem.
Presently, it seems there is a rush to destroy old documents under the guise of GDPR, when in fact there are clauses that mean data can still be stored, provided it is protected and known about. GDPR allows the lawful processing of data according to Article 89; which permits ‘processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’; Holding immigration data clearly is in the public interest. Additionally, there is cope for data to be retained if it can be justified for “some other reason”, the vagueness of this description leaves it open to different interpretations which could stop the destruction of vital records.
Ultimately, as long as data is protected, there is no need to erase it; however, poor understanding and ambiguous drafting of data retention policies could make the Windrush debacle the tip of the iceberg.