The right to be forgotten
Discussion
Does anyone know how this rule applies to things like IT backup tapes?
In a proper records management environment, complete backups should only be kept for as long as is required to allow recovery from a complete IT systems failure. I think 2 weeks is the accepted duration. Aside from this, the only things that should be retained long term are actual "records" - e.g. financial information etc. As most businesses cannot be bothered to work out what constitutes the records that they are legally obliged to retain, they tend to make it an IT problem and have IT retain complete system backups for 3, 7 or even 20 years. At least this is how things were when I was last working in that type of environment - things may have moved on since then.
I know that my personal data is held and processed by a firm of lawyers / debt collection agency with extremely dubious business practices and I have managed to prove that the "debt" they were chasing me for never actually existed in the first place. They have been chasing me for about 10 months. Can I insist that my personal details are removed from all of their systems including IT backups? They have a month to comply, so that should take care of the IT systems failure aspect. This isn't something I plan on losing any sleep over or starting some kind of crusade about - at this point I am merely interested in the legalities / practicalities of such a request.
Data stored on backup devices gets overwritten with a more recent backup; that's how it works, well, that's how it works in the Life and Pensions industry.
In the world of L&P, with the daily application of thousands of transactions each day, a full database backup is fairly redundant in a matter of days and thus the data can be overwritten.
Whilst this may be seen as an IT problem, in my experience of working with some major financial services, solutions that have legal implications are approved by the institution's compliance team.
As to what you can do about ensuring that it's done, I think the governing body is the ICO (Information Commissioner's Office) under the Data Protection Act, so you can report the debt collection agency to them. The ICO has imposed hefty fines on those breaching the regulations.
https://ico.org.uk/
Bit of info on this here.
https://ico.org.uk/for-organisations/uk-gdpr-guida...
Seems to be more about taking steps to put the data beyond use v insisting someone goes through every tape or hard drive etc.
When I worked in an engineering company it was required to keep data for 30 years or more on some projects. Effectively we kept our long-term backups forever although they would be re-written onto fresh tapes every few years to prevent data loss and ensure we still had hardware to read them. Removing specific files from every long-term backup would have been very difficult.
With a debt collection agency you have two chances of getting them to delete your data; a snowball’s in hell, and none at all, sadly.
I’ve had my fair share of experience with being chased for a bad debt in my less well-behaved youth.
Your best bet is to ignore them completely - never engage, as engaging can be argued in court to be accepting the debt exists, which can restart the 6-year clock after a debt is considered “statute barred”. If you’re not familiar with that debt, a quick Google may offer some reassurance - generally after six years most DCAs stop chasing as their chances of recovery fall sharply once the threat of recovery via the courts is no longer possible.
Good luck!
A
The problem you may have is that irrespective of your request, they are entitled to retain the information if they actually need it. When I was the DPO for a very large organisation we would always retain all information for up to 7 years as we may have needed it to defend against legal action.
I haven't quoted any specific posts as many of them are saying the same thing - but the point that I was trying to make is that records retention and retaining full system backups are a long way from being the same thing. Businesses absolutely need to retain records to remain compliant with various laws, but they have absolutely no requirement to retain full system backups beyond a period of approximately 2 weeks. However, most businesses (in my experience) cannot be bothered to identify what records actually need to be retained, and therefore retain full system backups instead.
My question is whether or not this falls foul of the right to be forgotten legislation, and whether I can request that my details are also erased from all full system backups that have been retained for over 1 month. I realise that in most cases this would be an impossible task, but as someone mentioned, that isn't actually my problem.
I guess I'll issue them with a notice that I would like to be forgotten, set out my specific requirements as part of that and then see how they respond. They really are a very unpleasant organisation, and I suspect that they will just totally ignore my specific requirements and try to fob me off with some generic response. I may or may not have the enthusiasm and energy to respond appropriately.
Also - to the one poster - these people have been chasing me with zero justification. I don't owe anyone any money and I never have. My goal is to get them to remove every single detail they have about me from every single system that they have - apart from where they can justify having it. For every instance where they say they have a right to retain the information, I want them to justify that.
Yes, records relating to financial transactions etc. Health records can be far longer if the company is directly responsible for exposing employees to specific risk factors (e.g. asbestos). But the chap above said as DPO he would keep all information for seven years, which is insanity, and not proportionate.
If the OP has established that the debt is not his, and this has been accepted by the company then he could request deletion. However, the company will argue they will want to retain due to legitimate interests. This will start a long back and forth, because if it was a case of mistaken identity, or an invalid debt then they really don't have a legitimate interest, but they will refuse to accept this. There is no statutory period if he is not a customer. Though, you may have to go back to the company who instructed the debt collectors and get them to instruct the collection agency to delete data, as they are ultimately responsible for how your data was used as the collector and controller.
omniflow said:
Also - to the one poster - these people have been chasing me with zero justification. I don't owe anyone any money and I never have. My goal is to get them to remove every single detail they have about me from every single system that they have - apart from where they can justify having it. For every instance where they say they have a right to retain the information, I want them to justify that.
In that case, you need to ask the controller - who gave them your information in the first place, to request deletion from the processor. This will be more effective than going direct to the collection agency. Then once this deletion is confirmed, you can evidence it through a SAR a few months later. In theory they should find nothing. The tapes thing is interesting as in reality they will be unlikely to store a database in physical media, rather multiple incremental digital backups, which will likely be overwritten with reasonable frequency. This frequency is probably greater than the speed it will take to comply with and evidence your right to deletion.
I understand your request… however, what happens in the instance where someone gets every record of interaction with a company removed, but there is a reason like a change of heart, a decision to bring legal action, a legal liability investigation of some sort, a police investigation etc.? One size can't fit all. Whether this is considered in the legislation or has been tested in court, I've no idea.
I know from my times as a system admin that two weeks would have been nowhere near long enough to satisfy the business. There is probably an item in the T&Cs in whatever contract you had with them, that states data will be retained. Again whether that is superseded by other law I don’t know.
abzmike said:
I understand your request… however, what happens in the instance where someone gets every record of interaction with a company removed, but there is a reason like a change of heart, a decision to bring legal action, a legal liability investigation of some sort, a police investigation etc.? One size can't fit all. Whether this is considered in the legislation or has been tested in court, I've no idea.
I know from my times as a system admin that two weeks would have been nowhere near long enough to satisfy the business. There is probably an item in the T&Cs in whatever contract you had with them, that states data will be retained. Again whether that is superseded by other law I don’t know.
I think this post gets to the heart of my question - paraphrasing - "as a Sysadmin - 2 weeks would not be long enough to satisfy the business" - is that the business making records retention an IT problem, or is it a genuine requirement from the business?
In 2023, in my opinion, any reputable business should have the capability of deleting all of the information about an individual without impacting the requirements of the IT department to be able to recover from a hardware failure, data corruption or similar. I suspect that this is not the case for the majority of businesses, and the right to be forgotten is something that will be poorly implemented. However, I was keen to see if anyone had any first hand knowledge of it being implemented correctly, or of a business being penalised because they had failed to implement such a request correctly.
BTW - I never had a contract with this organisation.
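The capability omniflow asks for above (erasing one individual without rewriting the backups IT needs for recovery) is usually built by crypto-shredding, a technique none of the posters names. The following is an added example, not code from anyone in this thread; it assumes one key per data subject kept outside the backup set, and uses an HMAC-based keystream purely as a standard-library stand-in for a real cipher such as AES-GCM.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stand-in keystream;
    a production system would use an AEAD such as AES-GCM instead."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class SubjectKeyStore:
    """One key per data subject, held outside the backup set (in practice an
    HSM or KMS). Erasure destroys the key; backup media are never rewritten."""
    def __init__(self) -> None:
        self.keys: dict = {}
    def key_for(self, subject_id: str) -> bytes:
        return self.keys.setdefault(subject_id, os.urandom(32))
    def destroy(self, subject_id: str) -> None:
        self.keys.pop(subject_id, None)


def store_record(keys: SubjectKeyStore, subject_id: str, record: str) -> bytes:
    """Records hit disk (and so every backup) encrypted under the subject's key."""
    return encrypt(keys.key_for(subject_id), record.encode())


def restore(keys: SubjectKeyStore, backup: dict) -> dict:
    """Restore a snapshot. Subjects whose key was destroyed come back as None:
    their ciphertext is still on the media but is permanently beyond use."""
    return {sid: decrypt(keys.keys[sid], blob).decode() if sid in keys.keys else None
            for sid, blob in backup.items()}


def demo() -> tuple:
    keys = SubjectKeyStore()
    backup = {  # constructed sample records; a full backup taken while both subjects exist
        "subject-A": store_record(keys, "subject-A", "A Person, 1 High St, balance 0"),
        "subject-B": store_record(keys, "subject-B", "B Person, 2 Low Rd, balance 120"),
    }
    before = restore(keys, backup)
    keys.destroy("subject-A")      # erasure request for A: destroy the key only
    after = restore(keys, backup)  # same, untouched backup
    return before, after
```

The backup is byte-for-byte identical before and after the erasure; only the key store changed, which is what "putting the data beyond use" looks like when rewriting tapes is impractical.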
omniflow said:
I think this post gets to the heart of my question - paraphrasing - "as a Sysadmin - 2 weeks would not be long enough to satisfy the business" - is that the business making records retention an IT problem, or is it a genuine requirement from the business?
In 2023, in my opinion, any reputable business should have the capability of deleting all of the information about an individual without impacting the requirements of the IT department to be able to recover from a hardware failure, data corruption or similar. I suspect that this is not the case for the majority of businesses, and the right to be forgotten is something that will be poorly implemented. However, I was keen to see if anyone had any first hand knowledge of it being implemented correctly, or of a business being penalised because they had failed to implement such a request correctly.
BTW - I never had a contract with this organisation.
Is your opinion based on technical knowledge or something else? I'd be super surprised to see any tech that would go back through archived information on backups and delete information relating to one individual.
BertBert said:
omniflow said:
I think this post gets to the heart of my question - paraphrasing - "as a Sysadmin - 2 weeks would not be long enough to satisfy the business" - is that the business making records retention an IT problem, or is it a genuine requirement from the business?
In 2023, in my opinion, any reputable business should have the capability of deleting all of the information about an individual without impacting the requirements of the IT department to be able to recover from a hardware failure, data corruption or similar. I suspect that this is not the case for the majority of businesses, and the right to be forgotten is something that will be poorly implemented. However, I was keen to see if anyone had any first hand knowledge of it being implemented correctly, or of a business being penalised because they had failed to implement such a request correctly.
BTW - I never had a contract with this organisation.
Is your opinion based on technical knowledge or something else? I'd be super surprised to see any tech that would go back through archived information on backups and delete information relating to one individual.
Before anyone else asks, I have 40 years of experience of software development in the financial services industry.
From OmniFlow above
In 2023, in my opinion, any reputable business should have the capability of deleting all of the information about an individual without impacting the requirements of the IT department to be able to recover from a hardware failure, data corruption or similar.
Whilst the IT department may have some technical requirements it is there to support the needs of the business. A business can exist without support of any IT but not the other way around.
As for breaches of the regulations and fines, the top seven are:
1. British Airways - £20m fine (2020)
2. Marriott Hotels - £18.4m fine (2020)
3. TikTok - £12.7m (2023)
4. Clearview AI - £7.5m fine (2022)
5. Ticketmaster - £1.25m fine (2018)
6. Cabinet Office - £500k fine (2021)
7. Doorstep Dispensaree Ltd. (Pharmacy) - £275k fine (2019)
From the ICO's website
Your right to get your data deleted
https://ico.org.uk/for-the-public/your-right-to-ge...
Make a complaint
https://ico.org.uk/make-a-complaint/