Stockholm University has two fundamental principles which must be adhered to:
- Public documents shall be stored
- Personal data shall not be stored longer than necessary.
Even if the Archives Act stipulates that public documents shall be stored, there is one paragraph in the Act that allows public documents to be deleted, on the condition that the archived material which remains provides for:
- the public right to transparency
- the need for information for administration of justice
- research needs
Deletion entails the destruction of public documents or information in public documents or institutes other measures with documentation which entails
- loss of significant data
- loss of potential compilations
- loss of search possibilities
- loss of the possibility of assessing the authenticity of the documentation
Deletion is an infringement of that part of the principle of public access to official records (the right to have access to public documents) which is regulated in the Swedish Freedom of the Press Act. In order to delete a public document, regardless of whether it contains personal data or not, requires support in the regulatory framework. The IT service of authorities also needs to have functions which enable the differentiation of information which shall be kept from information which shall be deleted (see also Instructions for Privacy by Design). [df1] Working documents, on the other hand, maybe cleared out. No regulatory support is required.
What does GDPR say about storage and deletion?
Once a piece of personal data no longer needs to be processed for the original purpose it should be deleted or anonymized. There is an exception to the main rule in article 5.1 which states that such data may be stored for longer period than would normally be the case if said data will only be processed for
- archiving purposes in the public interest or
- scientific or historic research purposes or
- statistical purposes
This extended storage time is valid to the extent that appropriate technical and structural measures are taken to ensure the freedoms and rights of the subject of the data. However, the right to deletion ("to be forgotten") does not apply to the extent that processing is necessary for archiving purposes of public interest, scientific or historical research purposes, or statistical purposes pursuant to article 89.1., to the extent that the right to be forgotten would probably prohibit or severely inhibit the achievement of the purpose of the processing. Personal data which is processed only for archiving purposes of public interest may not be used to undertake measures relating to the subject of the data, other than if there are special reasons related to the vital interests of the subject.
Sensitive personal data may, with the support of article 9.2 j in the GDPR, be processed for archiving purposes of public interest if such processing is necessary for the personal data controller to be able to follow the regulations on storage andmaintenance of archives.