Do companies really delete our data when we close an account?

Do you trust that your personal data has been deleted when you close an online account? The Information Commissioner's Office does provide guidance on the matter, but it's not always clear what an organisation's policy is.

Should organisations do more to bolster our trust in this area? What steps could they take, and what would be the benefits and drawbacks to consumers?

Posted by Scott Milne on 23rd Mar 2017

Comments (3)

Denis McMahon

07 August 2018

In some cases it is appropriate to retain personal data after an account has been closed. For example, after changing energy supplier a while ago, there was a long period of follow-up, because of queries over the settlement of the bill. Hence the account remained open even though we were no longer being supplied with energy.

On the other hand, when I closed an account with a job agency, I was notified that closing the account would irretrievably delete all my personal data. The position was made clear.

There seems to be a case for more transparency here. It seems reasonable that we be informed for how long our data will remain in store, or that we are informed when it is about to be deleted, with some choice offered.

David Sturt

18 May 2018

Why should closing an online account be a trigger for deleting personal data? It is quite reasonable for an organisation to keep a record of personal data for as long as they are legally required to, for example as evidence they received money from someone they supplied goods or services to. Also, they may need their information to support contractual services that may extend beyond account closure, for example under warranty return to an online shop.

Closing an account may trigger the start of a process, but depending on the nature of the account it could be many years before personal data is deleted or put beyond use.

Dave Shortstriders Donaghy

12 April 2017

If they did, how would we know? For that matter, how would they know? What procedures could a CIO put in place to ensure that all data that needs to be deleted has been deleted?

This passage from the guidance seems relevant:

"The ICO will be satisfied that information has been ‘put beyond use’, if not actually deleted, provided that the data controller holding it:

* is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
* does not give any other organisation access to the personal data;
* surrounds the personal data with appropriate technical and organisational security; and
* commits to permanent deletion of the information if, or when, this becomes possible."

That would seem like a sensible starting point for establishing test criteria to verify that an individual's data has been "put beyond use".