Empower users to delete requester_only not_foi material #7439
Comments
We could extend this idea to requester_only material which is part of a FOI request/response, e.g. accidentally or inappropriately released material which we have decided not to publish. We wouldn't want to enable users to delete material we were considering republishing and had only removed from public view temporarily though. This could shift data protection risk / responsibility from site operators to users. It could also empower users to delete material they no longer want, or can no longer justify, having. I've raised this idea here in a comment to avoid ticket proliferation, we can always tweak the title if allowing users to delete more material is considered a good idea after discussion.
Probably want this deletion to happen in a way that leaves an explanation (#7414).
This approach appears to get us into the territory of being joint data controllers with our users, the ICO offers advice on this subject: and There is some related Pro specific private discussion at: https://github.com/mysociety/whatdotheyknow-private/issues/47#issuecomment-1318462607
During discussion it has been noted that many WhatDoTheyKnow users are individuals whose use of the service may be covered by the exemption from GDPR for "processing of personal data by an individual in the course of a purely personal or household activity". https://www.legislation.gov.uk/eur/2016/679/article/2 Can an organisation be a joint data controller with an individual carrying out activity which isn't subject to GDPR?
This should only apply to material where the final decision is to leave it requester_only (which could be approximated as being left as requester_only for say 8 weeks)
Note we'd want to retain prominence reasons
This issue has been automatically closed due to a lack of discussion or resolution for over 12 months.
This idea is an alternative or perhaps additional approach to :
for dealing with correspondence which is not a request for public information.
If users were empowered to delete such material we might be able to say that they were the data controller in respect of it, and avoid legal risk associated with us holding special category and criminal offence data in such correspondence threads.