What Happens to Personal Data After Someone Dies?
13 October 2020
The emergence of a digital world that is becoming increasingly important in people’s lives has brought many challenging legal and ethical questions. When the internet was created, it was not necessarily planned to be a platform for people to store and share vast amounts of personal information – photos, emails, important documents, financial and health records.
A huge digital footprint can be left over many years of using various services and can tell you a great deal about the life of a person – where they lived, where they worked, who they liked and who they didn’t like so much (!). Our online personas do not always represent the real person at the heart of it, so could present a misleading picture of someone’s offline self. People tend not to have dusty boxes of letters and photos stored in their attics anymore, but now there are the electronic equivalents.
When the internet’s user base exploded around the turn of the 21st century, the majority of users were younger people and the thought of what happened to online profiles and the associated personal data after someone died was not at the forefront of most people’s minds. Some reports stated that around 30 million users died in the first eight years of Facebook’s existence, and this was not something that the online world was necessarily prepared for. But many social media sites now have dedicated functions and processes to deal with a person’s information after they have died, such as adding a “legacy contact” who can manage a “memorialised” account. Google have a feature called “Inactive Account Manager”, which allows you to make choices about what happens to your information if you are no longer able to access it (for any number of reasons).
This may all sound like very morbid future planning but it can be as important as ensuring your finances and property are dealt with via a will. Accessing personal data relating to or held in a deceased person’s online account is an issue that can have real significance, whether it is to access information that could relate to a legal matter or for purely sentimental reasons. Think about information that might reveal a person was having an affair or had some other secret that was not known during their life. It can have a huge impact on their loved ones or others who knew them – there can be a lot to think about when making decisions about who you want to see this information in years to come.
Data protection legislation only applies to an “identified or identifiable natural person”, this being a person who is alive. So, in theory, many data protection obligations cease to exist once a person has died. Depending on the nature and context of the personal data, there can be an ongoing duty of confidentiality owed to the person even after they have died, for example by a doctor or health professional. This could be of relevance with the growth of many health-related apps and online services. And in England, Wales and Scotland, the Access to Health Care Records 1990 comes into play when someone wants to access such records, and it is normally a patient’s personal representative (such as an executor of their will) who may be able to access certain records.
Thought also needs to be given to other people (who may still be alive) whose personal data is contained in emails, documents or photos and is within scope of data protection legislation. Health records can reveal genetic information that may also constitute the personal data of a relative, or emails may include discussion of another person. Their rights must be considered as well. But there will be vast amounts of formerly personal data relating to people who have died sitting in dormant social media or storage accounts that may never be seen or accessed.
So, companies need to consider their retention of information once an account becomes inactive. And how does a company know that someone has died at all? In most cases, they won’t know that unless they are told and many have created mechanisms for people to inform them someone has died. There is then a verification process to ensure the information provided is accurate, for example providing a will or estate letter.
Some companies in the cheerily titled “death-tech” sector are also providing solutions as a way for people to manage their online life across the numerous accounts they have and to make decisions about who they are happy to have access certain information after they die. And none of the above touches on other legal considerations such as copyright ownership, intellectual property and potential libel issues, which can be equally thorny.
So, while it may not be the most pleasant of issues to deal with, it is important to think about how much of your life is held online, what you want to happen to it and who you are happy to have access to your information once you die.