Am I legally required to remove all data associated with a customer (UK)?

@Courtney195

Posted in: #Database #Legal

A customer has asked that we remove all our stored information from our database.

From a moral standpoint, we have no problem with this, but simply deleting all the data will leave us with orders that have no record of who placed them, for example. We use this data extensively for reporting and administration purposes.

Do we have to, by law, remove all personal information identifying this customer?

Our company is UK-based.

2 Comments

 

@Cugini213

You're not allowed to keep any data that you don't have a justifiable reason to keep, whether the user asks you to remove it or not. So if a user asks you to remove the data, you need to have a good reason for refusing.

Personally identifiable information includes anything which could be used to work out who a specific person is from the collection of the data. The obvious ones are:


name
phone number
credit card number
address
email address


but there are more. It depends on your business as to what kind of data you have.

So if you want to keep a user's name, you need to have a reason. You can say it's convenience for the user - they don't need to keep typing it in every time they come back to the site. However, if the user tells you they don't want that convenience, then either you need another good reason, or you have to remove it.

My normal recommendation is to split your databases by their job. Have a personal profile database, an orders database, and a reporting database.


If a user asks you to remove all personal information, you can delete their account from the profile database.
The orders database keeps the minimum information required for tax records.
In your reporting database anonymise everything. For example, I doubt you report on sales by first name - so just remove that data. For postcodes, just keep the regional part.


Typically, holding onto the data when a user requests you to remove it is more hassle than it's worth, especially if you get reported to the ICO who then come sniffing around. You could win the argument but at a huge cost.

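The three-store split described in this answer (profile, orders, reporting), as an added worked example that is not code from the original post. It assumes a hypothetical SQLite schema with constructed customers, invoice numbers and postcodes; the reporting store is written at order time with only the outward half of the postcode, so a removal request only has to touch the profile and orders stores, and a check function confirms nothing still points at the customer afterwards.

```python
import re
import sqlite3

# Constructed sample customers and orders; the schema, names and postcodes
# are hypothetical and not taken from the original thread.
CUSTOMERS = [
    (1, "Alice Example", "alice@example.com", "+44 20 7946 0000", "SW1A 1AA"),
    (2, "Bob Example", "bob@example.com", "+44 161 496 0000", "M1 1AE"),
]
ORDERS = [  # (order_id, customer_id, invoice_no, total_pence, vat_pence, placed_on)
    (100, 1, "INV-100", 12000, 2000, "2024-01-15"),
    (101, 1, "INV-101", 4500, 750, "2024-02-02"),
    (102, 2, "INV-102", 9900, 1650, "2024-02-10"),
]

# Outward half (area + district) followed by the inward half (sector + unit).
_POSTCODE_RE = re.compile(r"^([A-Z]{1,2}\d[A-Z\d]?)\s*(\d[A-Z]{2})$")


def outward_code(postcode):
    """Return the regional (outward) part of a UK postcode, e.g. 'SW1A 1AA' -> 'SW1A'.

    The inward part narrows a postcode to a handful of addresses, so only the
    outward part is kept for reporting. Returns None for values that do not
    look like a postcode at all."""
    if postcode is None:
        return None
    m = _POSTCODE_RE.match(postcode.strip().upper())
    return m.group(1) if m else None


def open_db():
    """Create the three separated stores as tables in one in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE profile (customer_id INTEGER PRIMARY KEY, name TEXT, email TEXT,
                              phone TEXT, postcode TEXT);
        -- orders links to the customer only while the account exists; invoice number,
        -- amounts and date are the (constructed) minimum kept for the tax record
        CREATE TABLE orders (order_id INTEGER PRIMARY KEY, customer_id INTEGER NULL,
                             invoice_no TEXT, total_pence INTEGER, vat_pence INTEGER, placed_on TEXT);
        -- reporting never holds a customer id, name or full postcode: only region and figures
        CREATE TABLE reporting (order_id INTEGER PRIMARY KEY, region TEXT,
                                total_pence INTEGER, placed_on TEXT);
    """)
    conn.executemany("INSERT INTO profile VALUES (?,?,?,?,?)", CUSTOMERS)
    for order in ORDERS:
        record_order(conn, *order)
    return conn


def record_order(conn, order_id, customer_id, invoice_no, total_pence, vat_pence, placed_on):
    """Write the order row and, at the same time, its already-anonymised reporting row."""
    postcode = conn.execute("SELECT postcode FROM profile WHERE customer_id = ?",
                            (customer_id,)).fetchone()[0]
    conn.execute("INSERT INTO orders VALUES (?,?,?,?,?,?)",
                 (order_id, customer_id, invoice_no, total_pence, vat_pence, placed_on))
    conn.execute("INSERT INTO reporting VALUES (?,?,?,?)",
                 (order_id, outward_code(postcode), total_pence, placed_on))
    conn.commit()


def erase_customer(conn, customer_id):
    """Handle a removal request: drop the profile, unlink the orders, leave reporting as is."""
    profiles = conn.execute("DELETE FROM profile WHERE customer_id = ?", (customer_id,)).rowcount
    orders = conn.execute("UPDATE orders SET customer_id = NULL WHERE customer_id = ?",
                          (customer_id,)).rowcount
    conn.commit()
    return {"profiles_deleted": profiles, "orders_unlinked": orders}


def pii_rows_for(conn, customer_id):
    """Count rows in any store that still reference the customer (reporting has no such column)."""
    p = conn.execute("SELECT COUNT(*) FROM profile WHERE customer_id = ?", (customer_id,)).fetchone()[0]
    o = conn.execute("SELECT COUNT(*) FROM orders WHERE customer_id = ?", (customer_id,)).fetchone()[0]
    return p + o


def region_report(conn):
    """The kind of aggregate the reporting store exists for: order count and sales by outward code."""
    rows = conn.execute("SELECT region, COUNT(*), SUM(total_pence) FROM reporting "
                        "GROUP BY region ORDER BY region").fetchall()
    return {region: (count, total) for region, count, total in rows}


if __name__ == "__main__":
    db = open_db()
    print(erase_customer(db, 1))
    print(pii_rows_for(db, 1), region_report(db))
```

The point of writing the reporting row at order time rather than deriving it from the profile later is that the reporting store never contains anything a removal request could apply to; the order rows lose their customer link but keep the invoice fields, so the "orders with no record of who placed them" in the question is the intended end state rather than a data-integrity problem.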


 

@Shanna517

According to the Data Protection Act 1998 they do. The exceptions are data used for national security, the detection of crime, and taxation purposes.

Edit:

The referenced Principle 6 actually doesn't cover the removal of data on the subject's request. However, this contingency is addressed in the Conditions for Processing, as in:


Consent must also be appropriate to the age and capacity of the individual and to the particular circumstances of the case. For example, if your organisation intends to continue to hold or use personal data after the relationship with the individual ends, then the consent should cover this. Even when consent has been given, it will not necessarily last forever. Although in most cases consent will last for as long as the processing to which it relates continues, you should recognise that the individual may be able to withdraw consent, depending on the nature of the consent given and the circumstances in which you are collecting or using the information. Withdrawing consent does not affect the validity of anything already done on the understanding that consent had been given.


So the law isn't terribly clear about the exact nature of the consent required (beyond explicit communication of consent, or that non-communication doesn't imply consent). My interpretation of the text is that, if you don't have at the very least a very visible and agreed upon privacy policy stating that the PII will be held indefinitely, then the customer has the right to withdraw consent after the completion of the original transaction they provided the PII for and/or their relationship with your company has ended.

Now, if you can prove that the continued retention of the PII is needed for some other reasonable purpose, you might still be able to retain the PII. But for most forms of reporting, there's really no need for PII to be kept. It becomes more of a liability than an asset. You can generally anonymize the data and still be able to do aggregate analysis. E.g. there's no need for personally identifiable info to be retained to determine what percentage of orders of what type are coming from which provinces/cities or track purchasing trends, etc.

And if you're retaining the PII as leads for follow-up sales, it's unlikely they'll be useful if they're mad at you for not removing their PII from your databases as they requested.
