1. The right to erasure
Under Article 17 of the General Data Protection Regulation (GDPR) individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
2. Circumstances in which the right to erasure applies
Clients / patients / supervisees of the North Hertfordshire Psychology Services have the right to have their personal data erased if:
the personal data is no longer necessary for the purpose which we originally collected or processed it for;
- we are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
- we are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding
- legitimate interest to continue this processing;
- we have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
- we have to do it to comply with a legal obligation; or
- we have processed the personal data to offer information society services to a child.
Additionally, North Hertfordshire Psychology Services does not process data for direct marketing purposes, but should we do that and if our client objects to that processing, it would also be a condition in which the right to erasure applies.
3. Data collected from children
Within the GDPR there is an emphasis on the right to have personal data erased if the request relates to data collected from children. Collecting personal data from children will not be a common practice for the North Hertfordshire Psychology Services, however if we process data collected from children, we will give particular weight to any request for erasure if the processing of the data is based upon consent given by a child – especially any processing of their personal data on the internet.
4. Circumstances in which we would tell other organisations about the erasure of personal data
The GDPR specifies two circumstances where we need to tell other organisations about the erasure of personal data:
- the personal data has been disclosed to others; or
- the personal data has been made public in an online environment (for example on social networks, forums or websites).
North Hertfordshire Psychology Services does not intend to share personal data with others. However, should such circumstance occur we would contact each recipient and inform them of the erasure.
5. Circumstances in which the right to erasure not apply
In line with the GDPR regulations, at North Hertfordshire Psychology Services the right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
GDPR also specifies two circumstances where the right to erasure will not apply to special category data, and the North Hertfordshire Psychology Services follows these guidelines:
- if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
- if the processing is necessary for the purposes of preventative or occupational medicine (eg where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (eg a health professional).
6. Refusal to comply with a request for other reasons
In some well justified circumstances, North Hertfordshire Psychology Services reserves a right to refuse to comply with a request for erasure, particularly if it is manifestly unfounded or excessive.
In these cases we may occasionally:
- request a “reasonable fee” to deal with the request; or
- refuse to deal with the request.
If we refuse to comply with a request for erasure we would inform the client / patient / supervisee without undue delay and within one month of receipt of the request, providing he details of:
- the reasons we are not taking action;
- the clients’ right to make a complaint to the ICO or another supervisory authority; and
- the clients’ ability to seek to enforce this right through a judicial remedy.
We should also provide this information if we request a reasonable fee or need additional information to identify the individual.
7. Procedure of recognising a request
The GDPR does not specify how to make a valid request, and therefore at the North Hertfordshire Psychology Services we recognise that clients can make a request for erasure verbally or in writing. We also understand that a request does not have to include the phrase ‘request for erasure’ or ‘Article 17 of the GDPR’, as long as one of the conditions listed above apply.
At North Hertfordshire Psychology Services we intend to check with the requester that we have understood their request, as this can help avoid later disputes about how you have interpreted the request. We would also keep a log of verbal requests (please see Appendix A), where we would record details of the requests we receive, particularly those made by telephone or in person.
8. Compliance timeframe
At North Hertfordshire Psychology Services we will act upon the request without undue delay and at the latest within one month of receipt. We calculate the time limit from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
If the request is complex or we have received a number of requests from the same individual, we would occasionally extend the time to respond by a further two months. In this case we will let the individual know without undue delay and within one month of receiving their request and explain why the extension is necessary.
9. ID checks
In line with GDPR regulations if we have doubts about the identity of the person making the request we would can ask for more information. We would only request information that is necessary to confirm who the requester is. We would take into account what data we hold, the nature of the data, and what you are using it for.
North Hertfordshire Psychology Services would let the individual know without undue delay and within one month that we need more information from them to confirm their identity. In these cases North Hertfordshire Psychology Services will not comply with the request until you have received the additional information.
10. Procedures of information erasure
a) Electronic files kept locally
North Hertfordshire Psychology Services follows the guidelines of the International Data Sanitization Consortium (IDSC) in order to erase electronic data. The IDSC suggest that the best practice methods for the permanent erasure of personal data records are:
- Crypto erasure – with the use of encryption software that erases the key needed to decrypt personal data.
- Data erasure – with the use of software that securely overwrites data on a storage device, rendering it unrecoverable.
The electronic deletion will be documented, with a certificate generated by the software to prove erasure. This record will be available should regulators wish to audit your data records to confirm legal compliance to ‘right to be forgotten’ requests.
b) Electronic files kept on the encrypted cloud storage
North Hertfordshire Psychology Services follows the guidelines of the International Data Sanitization Consortium (IDSC) in order to erase electronic data kept on the encrypted cloud storage. North Hertfordshire Psychology Services keeps data at storage cloud hosts which are most reliable and certified as being compliant with GDPR and the most widely accepted security and privacy standards and regulations in the world, such as ISO 27001/2, ISO27018/17 and SOC 2. The data kept in cloud storage will be erased in line with the cloud storage erasure policy and procedures. A log containing a general description of what information has been destroyed will be kept.
c) Physical data
Physical data will be erased by placing them in paper shredder and further disposing of in an appropriate safe confidential waste system. A log containing a general description of what information has been destroyed will be kept.