This procedure has been developed to enable effective responses to requests to realise the right to erasure, or the ‘Right to be Forgotten’.
The basic procedure is as follows:
Individuals will raise requests for erasure with the Data Protection Representative
Where the identity of the Data Subject has not been confirmed, the Data Protection Representative will contact the Data Subject to request proof of identity – this should be a current passport or driving license.
The Data Protection Representative will assess the appropriateness of the request and decide whether to meet it or not
If the request is to be met, the Data Protection Representative will forward on the request to the appropriate data manager(s), who will notify the Data Protection Representative when the request has been completed
The Data Protection Representative will notify the individual via email their request has been carried out, and delete any residual electronic traces of their data
If the request is not to be met, the Data Protection Representative will email the requestor explaining why this is the case and highlighting their right to complain to the ICO/supervisory authority – this will be logged
All requests will be completed within one month of receipt
As per point 2 above, individuals have the right to request all personal data we hold on them is erased, however this is not an absolute right. The Data Protection Representative will assess requests to identify whether they meet one of the following points:
The personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
The individual has withdrawn consent
The individual raises an objection to processing and there is no overriding legitimate interest for continuing the processing
Where personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
The personal data has to be erased in order to comply with a legal obligation
The personal data is processed in relation to the offer of information society services to a child
Where one or more of the points is satisfied, the personal data of the individual will be erased as per the request.
Destruction of data will be handled as follows:
Electronic Media – disposed of using a certified agency that disposes of electronic devices.
Online Records – (stored in all applications) are deleted with all backup records subsequently removed.
Paper based Records – shredded or disposed of via a certified secure shredding organisation.