We have all heard about the right to be forgotten, especially through media reports about the European Court of Justice allowing unhappy people a new right to try and erase aspects of their past. But what exactly can you do to achieve the removal of personal information you do not want others to see or to control?
The likes of Google now have a well-tested means for people to request the deletion of links to their name. This does not delete the web material, because it is owned or controlled elsewhere on the web; it serves to prevent searches within the EU finding it.
But what about actually erasing the information? At the present time it is not at all simple for those in the UK, because the Data Protection Act 1998 (DPA) permits removal only where you show that personal data held in the UK by others is causing damage or distress. That is designed to be a hurdle to the more trivial cases and will not hinder clear cases of serious harm. You may also have other legal pathways, lying outside of the DPA, to suppress publication or to recover the data, such as harassment, breach of confidence, copyright or malicious falsehood. Rix & Kay can advise you on all of these options.
The changes that will be brought about in May 2018 as the UK amends laws so as to become compatible with the EU General Data Protection Regulations (GDPR) will significantly improve your right to have data removed by doing away with the old test and simply requiring that you show (1) it is no longer relevant, (2) is excessive for the legitimate purposes of the data controller, or (3) is unnecessary to be retained.
Aside from credit reference scores and the like, which we largely understand, many aspects of our lives are now affected by processing of personal data that we do not generally appreciate, such as company analysis of shopping and leisure habits, news feeds, social media suggested feeds and the growth of targeted online pay-per-click marketing.
But what is personal data? The full answer would fill many pages, but it can be distilled to information recorded and stored that is not just the basics to identify you, like your name, address, date of birth, race and contact details, but now brings in many other forms of identifying you or relating to your life that could impact upon you and inform or influence actions or decisions of others affecting you. This includes social media, medical, employment, financial and criminal records, your online IP address and internet history, shopping habits or lifestyle preferences, your location and movements, an image taken of you on CCTV and biometric details like your fingerprints and your voice. If it is gathered to relate to or monitor you as an individual, then it is personal data. A note of caution, however: it must be matters of fact, so material involving opinion about you, even if you fundamentally disagree with it, is not covered.
So your rights to restrict future processing, to rectify errors and even to object to personal data being held at all are going to get stronger. Before any of this is even possible, you probably want to know what data is held about you. This right to be informed is exercised via the Subject Access Request, which has been around for some time. Again, it will be enhanced from May 2018 under the changes coming to implement the GDPR.
By putting a request in writing and paying £10 you can see what an organisation or other data processor holds about you. Subject to perhaps checking your identity and considering any legal privilege, they must supply the data and do so promptly. Whilst the providers of employment references are able to claim a statutory right to keep the contents confidential (DPA paragraph 1 of Schedule 7), you might not know that the recipient of that reference has no such exemption and so must disclose.
For those reading this who record and process personal data, it is high time you process and store data responsibly as the consequences are about to get a whole lot worse for you if you do not.
If you wish to take advice on any aspect of data protection, the use of sensitive information or any harm suffered to your reputation, please contact Dan Sherlock on 01732 440 855 or email email@example.com