Overview

This procedure has been developed to enable effective responses to requests to realise the right to erasure, or the ‘Right to be Forgotten’. 

Procedure

The basic procedure is as follows:

  1. Individuals will raise requests for erasure with the Data Protection Representative 

  2. Where the identity of the Data Subject has not been confirmed, the Data Protection Representative  will contact the Data Subject to request proof of identity – this should be a current passport or driving license.

  3. The Data Protection Representative  will assess the appropriateness of the request and decide whether to meet it or not

  4. If the request is to be met, the  Data Protection Representative will forward on the request to the appropriate data manager(s), who will notify the Data Protection Representative when the request has been completed

  5. The Data Protection Representative will notify the individual via email their request has been carried out, and delete any residual electronic traces of their data

  6. If the request is not to be met, the Data Protection Representative will email the requestor explaining why this is the case and highlighting their right to complain to the ICO/supervisory authority – this will be logged

  7. All requests will be completed within one month of receipt

Assessing Requests

As per point 2 above, individuals have the right to request all personal data we hold on them is erased, however this is not an absolute right. The Data Protection Representative will assess requests to identify whether they meet one of the following points:

  • The personal data is no longer necessary in relation to the purpose for which it was originally collected/processed

  • The individual has withdrawn consent

  • The individual raises an objection to processing and there is no overriding legitimate interest for continuing the processing

  • Where personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)

  • The personal data has to be erased in order to comply with a legal obligation

  • The personal data is processed in relation to the offer of information society services to a child

Where one or more of the points is satisfied, the personal data of the individual will be erased as per the request. 

Erasing Data

Destruction of data will be handled as follows: 

  • Electronic Media – disposed of using a certified agency that disposes of electronic devices.

  • Online Records – (stored in all applications) are deleted with all backup records subsequently removed.

  • Paper based Records – shredded or disposed of via a certified secure shredding organisation.