13 Oct 2020

Keeping a sense of proportion in data retention

The case demonstrates that disproportionate retention policies can be just as serious as wrongful disclosure or breach of security.

Concerns raised, and then dropped

In December 2015, an online tutor raised concerns about the individual’s alleged behaviour with the Department for Education. In line with the Government’s Prevent Strategy (a strategy to stop people becoming terrorists or supporting terrorism), the matter was passed to the Metropolitan Police. The online tutor raised the following concerns:

  • he talks about America being evil;
  • he is obsessed with killing the UK Prime Minister;
  • he likes Game of Thrones because of the beheadings;
  • he changed his email address to @ISbeards; and
  • he has lost interest in his school work.

Officers visited the individual’s mother who refuted all of these concerns. His former and current schools were also contacted, and neither expressed any issues. In their view he was interested in school and doing well. Eventually police concluded that the referral was probably misinformed, and the matter was dropped.

A complaint

The individual later challenged the ongoing retention of the information from this referral. He argued that the retention was unlawful because it breached:

  • his right to privacy under the European Convention on Human Rights (ECHR) and
  • the data protection principles set out in the Data Protection Act 2018 (the DPA) that processing must be fair and lawful; adequate, relevant and not excessive in relation to the purpose for which it is processed; and retained for no longer than necessary.

He was particularly concerned that the police file could affect his university applications.

The Metropolitan Police felt that retention of the file for six years under the law enforcement provisions of the DPA was necessary. Ongoing monitoring was needed as radicalisation was a process that took place over time. They maintained that there would be no disclosure to other bodies, like universities.

Keeping the file was not necessary

The court supported the complaint. Most of the allegations raised by the online tutor had turned out to be untrue or misinformed, so the individual was not being radicalised or vulnerable to radicalisation. The judge said that this did not automatically mean that the information should have been deleted when the case closed. But was continued retention now appropriate? Nearly five years had passed with no further concerns raised. There was no reason, or policing purpose, to continue to hold the information.

Although external disclosure was unlikely, the information was held on ten databases accessible to local and national police officers, Home Office staff and local authorities. Some of this information was about religious and political opinions (even if they were untrue) and so involved sensitive data processing. Continued retention of the data, including the sensitive data, was no longer necessary.

Overall, continued retention of the data would be a disproportionate interference with the individual’s right to privacy, in ECHR Article 8. In addition, the data protection principles on fairness/lawfulness and retention were breached.

Take away points

This was a law enforcement case, where the rules are slightly different. However, there are wider implications. Data protection law requires businesses to have a proactive approach to personal data processing. Although the Metropolitan Police had a review method in place to allow a person to challenge the processing of their personal data, they (like any organisation) should not wait for a complaint and should actively remove unnecessary information.

Organisations should avoid blanket retention policies. Each database you have will house different kinds of data. Over time, the data may lose any importance it previously had or could become more significant.

Organisations should assess old data from customer orders, complaints, employment records, etc. and consider whether retention is still appropriate. Comparing the length of time that has passed since the last contact with what occurs in your usual business activity is a good way to start.

Having a good data retention policy will also help to ensure that the data you hold is accurate, and is likely to reduce the impact of any security breach.

 
