Many thanks for your patience, I am pleased to be able to continue assisting with your query now. First of all, I am sorry to hear about the issues you have experienced in your situation.
There is no specific law which states that such data cannot be kept for more than 3 years. The law only requires them not to keep it for longer than is reasonably necessary, so how long that is will depend on the data and the reasons for them having it in the first place.
It is certainly not uncommon for companies to hold it for up to 6 years because that is the time limit for any contractual claims and the data could still be useful and relevant in the event of a claim between you and them.
As far as your legal position is concerned, the latest version of the Data Protection Act (DPA) is the current legislation on data protection. It outlines certain principles for individuals and organisations to adhere to when they process an individual’s personal data. Any information from which an individual is personally identifiable will amount to personal data. If a party has acted in contravention of the DPA, the person whose rights have been breached could potentially take things further and even seek compensation for damages.
The first step is to consider reporting the alleged breach to the organisation in breach to see if things can be resolved directly with them, without the need to involve anyone else.
If that is unsuccessful, the next step is to consider reporting this to the Information Commissioner’s Office (ICO). They are the regulatory body that deals with data protection breaches and have certain powers at their disposal to deal with them, such as imposing fines and sanctions. However, they will not award compensation to the victim so the only way to try and do this is by personally going through court.
What the ICO can do, if a breach is reported to them, is order the company to do any of the following:
- impose a temporary or indefinite ban on the processing of data
- force them to comply with your request
- provide any required information
- warn and admonish
- order rectification, erasure or destruction of specific data
- impose severe financial penalties and fine the company in breach
If the victim wanted to take formal legal action, they may do so and issue a claim in the civil courts. There is no need to show that financial losses have been incurred and compensation can be sought for mere distress caused by the alleged breach. The level of compensation will depend on the severity of the breach and the effects it has had on the victim. As this is often a complex area, it is advisable to seek further professional advice on the applicable rights and options.