Deletion and archiving
There is a significant difference between deleting information irretrievably, archiving it in a structured, retrievable manner or retaining it as random data in an un-emptied electronic wastebasket. Information that is archived, for example, is subject to the same data protection rules as ‘live’ information, although information that is in effect inert is far less likely to have any unfair or detrimental effect on an individual than live information.

However, the ICO will adopt a realistic approach in terms of recognising that deleting information from a system is not always a straightforward matter and that it is possible to put information ‘beyond use’, and for data protection compliance issues to be ‘suspended’ provided certain safeguards are in place:
 information has been deleted with no intention on the part of the data controller to use or access this again, but which may still exist in the electronic ether. For example, it could be waiting to be over-written with other data.
o this information is no longer live. As such, data protection compliance issues are no longer applicable. (A parallel situation might be a bag of shredded paper waste. Although it may be possible to re-constitute the information from the fragments, this would be extremely difficult and it is unlikely that the organisation would have any intention of doing this.)
 information that should have been deleted but is in fact still held on a live system because, for technical reasons, it is not possible to delete this information without also deleting other information held in the same batch.
o in cases like this the organisation holding the information may be prohibited by law from using it in the same way that it might use live information. This could happen if a court has ordered the deletion of information relating to a particular individual but this cannot be done without deleting information about other individuals held in the same batch.

Putting information ‘beyond use’
The ICO will be satisfied that information has been ‘put beyond use’, if not actually deleted, provided that the data controller holding it:
 is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
 does not give any other organisation access to the personal data;
 surrounds the personal data with appropriate technical and organisational security; and
 commits to permanent deletion of the information if, or when, this becomes possible.
We will not require data controllers to grant individuals subject access to the personal data provided that all four safeguards above are in place. Nor will we take any action over compliance with the fifth data protection principle.
It is, however, important to note that where data put beyond use is still held it might need to be provided in response to a court order. Therefore data controllers should work towards technical solutions to prevent deletion problems recurring in the future.

https://ico.org.uk/media/for-organisations/documents/1475/de...

--------------------------------------------------
Note added at 4 hrs (2017-11-25 22:38:57 GMT)
--------------------------------------------------

The UK Data Protection Act 1998 (“DPA”) imposes various restrictions on “data controllers”, such as employers, when “processing” personal data relating to individuals. In particular, employers must comply with eight data protection principles when processing personal data about their employees. The Information Commissioner’s Office (“ICO”) has recently published guidance papers on two particular areas on which these principles impact: deletion of electronically stored data (including whether employers must disclose deleted or archived data in response to a Data Subject Access Request), and the use of cloud computing. This Dechert OnPoint summarises the advice provided by these guidance notes.

https://info.dechert.com/10/502/october-2012/2012-10-24---on...