Comment

It’s probably a given that – with the European Union’s GDPR now weeks away – you’re sick to the back teeth of hearing, reading and talking about data protection.
And then comes the Windrush scandal in which the UK government apparently destroyed the landing records for thousands of citizens from Caribbean nations who arrived in Britain after the Second World War.
Of course, it makes perfect sense to destroy documentation when it’s no longer required: in fact, not only does it make sense, you’re obliged to do so – as per the ICO principles.
Reading the principles, however, you can see that how long you retain data is about as long as a piece of string.
Arguably, the subject at the heart of this debate is data retention.
Having swum the waters of data regulation and protection, I was intrigued by all of this – about what might, and should, have happened. In my day job, I advise corporate officers who ask me about data retention. I say they need a data retention and disposal policy – and I emphasise “and disposal” because that’s the bit most people never quite get round to. If we believe the Home Office, that’s where it got burned: on the disposal part.
I tell people to check what the law requires them to keep. Then I tell them to check any contractual requirements and industry best practice – and to sanity-check it to make sure it sounds reasonable, because some so-called “best practice” seems excessively lenient to me and they should perhaps hang on to stuff for less time. The result should be a policy that keeps data for only as long as: (a) the law/regulator/contract says you must; or (b) you can justify for some “other” reason.
Regardless of how, or what, you think of the Home Secretary at that time in 2010 (the British prime minister Theresa May herself), a minister or high-ranking civil servant overseeing the Windrush files should never have had to sign off on any data disposal. Good data administration policy should have been in place and meant it was part of a run-of-the-mill activity done once a month, or maybe once a quarter, without the need for upward reference.
It would be more appropriate for them to have to sign off on making an exception to the policy and retaining data rather than dumping it.
Which brings us to this: The Guardian quotes an unnamed former employee who claims the decision to destroy the records was taken in 2010, when the Home Office’s Whitgift Centre in Croydon was closed and staff moved to another site.
The Home Office acknowledged to the paper that the UK Border Agency had chosen in 2010 to “securely dispose of some documents known as registration slips.” It argued it had done this on data protection grounds, “to ensure that personal data … should not be kept for longer than necessary”.
Now, I’ve written a lot of information security policies in my time. Some of them talk – quite reasonably, I think – about how to decommission IT kit securely when you close an office. I don’t recall writing: “Chuck out any old documentation you find if it looks old and pointless or the dust is more than three-eighths-of-an-inch thick.” Neither do I know of any clause in either the existing data-protection law or the new GDPR that demands arbitrary binning of personal data.
And if you’re thinking that the words “justify for some other reason” that I used earlier were a bit vague, you’re right. Let’s look at the reason that matters.
Why hang onto it?
You should hang on to data for only as long as you can justify doing so. Which means as long as you could reasonably expect to need it… plus maybe a few months as the physical disposal process can sometimes take a while.
Could it be said that the Windrush data was no longer “needed”? In hindsight, no. How long could the Home Office have justified keeping the data? Well, the ICO would be hard-pressed to complain if you chose, say, 75 years, because you could claim it might be needed by someone claiming British citizenship through their parent or grandparent.
The ICO sets out conditions not just for holding and disposing of data but also for the need to process personal data. Under what grounds could you process this particular data – and therefore have grounds to retain it? You can read the conditions for processing here. Among them: “Processing is necessary for administering justice, or for exercising statutory, governmental or other public functions.”
But what about the future? GDPR comes into force in May. Would that have changed the rules and principles of data collection, possession and protection? If you properly comply with current law, little will change. Much of the change is in access and deletion requests, notifications and protection, data protection and permission, and the “right” procedures, policies and actions you put in place to support all of these.
As for actual data processing, Article 6 provides for the lawful processing of data where “processing is necessary in order to protect the vital interests of the data subject or of another natural person”.
Documentation that provides the solitary means of proving someone’s immigration status sounds like a vital interest to me, so there should be no problem keeping such records.
GDPR also grants another scope for lawful processing of data – under Article 89. That is, “processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”.
It would seem to me, then, there is no justification under current or even planned data protection law for the actions of the Home Office.
So is this the end of the sorry chapter in data retention, protection and disposal? Most likely not. The UK’s public bodies have a reputation for mislaying and generally failing to protect sensitive documents on a grand scale.
It’s more than likely the next instalment will come when somebody walking their dog stumbles across the shredded Windrush documents blowing around in a skip somewhere.