Stella Creasy MP, erasing malicious complaints and Article 17 of the UK GDPR

What can be done when a public authority hold personal information about a person which that person knows to be wrong – is there an automatic right to have that information erased?

That was the issue which faced Stella Creasy MP when someone made a malicious complaint about her parenting abilities to her local social services authority.[1] Requests to erase the information were met with a response that the authority needed to keep a full record of the complaint – even if it was malicious.

Ms Creasy’s experience has thrown a spotlight on the law which allows such an outcome, and also on a last minute amendment to the Victims and Prisoners Act 2024 which may, when the relevant part of the Act comes into force, provide some solace for similar victims of such malicious complaints.

The law is to be found in Article 17 of the UK General Data Protection Regulation (GDPR) which sits alongside the Data Protection Act 2018 (DPA). Under Article 17 individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’ and provides a right to obtain erasure of  personal data in certain circumstances. The main categories are as follows.

The first of these is where the personal data ‘are no longer necessary’ in relation to the purposes for which the information was collected. The second is where consent for processing (which includes retention) has been withdrawn and no other legal basis for retention remains. The third is where processing has been unlawful. 

What becomes clear is the limited nature of the right to erasure – just because information is ‘personal’ does not necessarily give that person total control over it.  It may be obvious that that should be the case, say, if the police hold information about an individual’s criminal record, but less obvious where a social services department records a malicious complaint or where a health authority holds records of a diagnosis which turns out to be wrong.  When erasure is requested , the most common response is that the personal data must be kept in case a similar complaint is made (malicious or not) at some point in the future; or so that medical practitioners have a full diagnostic history of a person. Thus, for example, retention of the information remains ‘necessary’ for the purpose it was collected, and exempt under Article 17 from erasure.   

How far such an approach can be justified is open to challenge especially by those who can show that the information retained may well be wrong, and a public authority is not compelled to retain the information. 

In this context the amendment made by s31 of the Act to Article 17 provides additional rights in some limited situations.

There are a number of prerequisites before the information must be erased. The information must have been processed following an allegation from a ‘malicious person’. That allegation must have been investigated by the data controller who has decided not to take any further action. There is a limiting description of who is a malicious person: essentially it is someone who has been convicted of offences such as harassment, or subject to a stalking order, where the personal data subject is the victim.

It is likely that a new government will bring this provision into force very shortly. It is unlikely that this will be the last call for greater rights of erasure of personal information.  

[1] https://news.sky.com/story/stella-creasy-mp-who-faced-malicious-report-to-social-services-claiming-she-was-not-a-fit-mother-calls-for-law-change-13023140