Data Storage, data protection and the IICSA

The type of information stored, how, where and why it is stored will undoubtedly be an issue of interest within the IICSA.  Why has one organisation kept information while others have destroyed it, what policies existed within different organisations and how information may have been destroyed bring the influence of the Data Protection Act 1998 (DPA) into focus for many organisations.

The DPA sets, in the first data principle, a basic requirement that the storage of data and the sharing of that data must be fair and lawful.  This must be a basic requirement if victims are to feel comfortable coming forward with complaints or concerns.  They must be satisfied that the information they provide will be handled sensitively, confidentially and lawfully.  If that basic element is not in place the confidence in the organisation will be eroded and the work done in recent years to encourage victims will be lost.

Another of the requirements under the DPA is that information must only be retained for as long as it is needed to fulfil the purpose for which it was taken.  This creates a balancing act for organisations to ensure that they keep information securely for as long as it is needed but do not retain it unnecessarily.  The IICSA has consulted with the Information Commissioner and issued guidance on the retention of documents. In essence, if a document needs to be kept for possible consideration by the IICSA then to do so irrespective of how old it is will not be a breach of the DPA. With the IICSA asking for documents as far back as the 1940’s the need to retain all relevant documentation is made clear.

In the years since the DPA many organisations have developed data handling policies and will have reviewed the information they held in light of those new policies.  Many will have decided to destroy old information relating to children, staff and events.  There may now be concern that they will be criticised for that.  Others will now have documents and data that have exceeded their storage policy guidance as they are retaining it for possible inclusion in the IICSA.

So where does that leave us?  In essence it highlights the need for careful consideration of the documents held and destroyed, the policy documents and review of the same and the need to be able to show good paper trails.  Past destruction of documents (before June 2015) is not in itself a reason for criticism but a reasoned explanation will be required. Any destruction after June 2015, when the IICSA requested that all documentation of relevance be obtained, will be treated differently and is potentially a criminal offence.

In preparing for possible involvement in the IICSA now is an appropriate time for a review of existing policies, to ensure that they are amended so there is retention of all relevant documents, as well as establishing what documentation still exists and being prepared to be able to explain when and why in the past documents have not been retained.


Written by Fintan Canavan, partner

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s