The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.


You have appropriate methods and procedures in place within your organisation to delete, suppress or otherwise stop processing personal data if required.

Ways to meet our expectations:

  • You erase personal data from back-up systems as well as live systems where necessary, and you clearly tell the individual what will happen to their data.
  • If the personal data is disclosed to others, your organisation contacts each recipient to inform them about the erasure, unless this is impossible or involves disproportionate effort.
  • If asked to, your organisation tells the data subject which third parties have received the personal data.
  • If personal data has been made public in an online environment, you take reasonable steps to tell other controllers, if they are processing it, to erase links to, copies or replication of that data.
  • Your organisation gives particular weight to a request for erasure where the processing is or was based on a child’s consent, especially when processing any personal data on the internet.

Can you answer yes to the following questions?

  • Would staff say there are effective processes in place to erase personal data?

  • Would requesters say they were given clear information about the steps you took?