Whereas the GDPR legislation clearly states you must not retain data longer than it is needed.
Source: https://ico.org.uk/for-organisation...egulation-gdpr/principles/storage-limitation/
It can easily be argued that once notified of someones death the reason for retention also expires. The DWP won`t be told how someone died, just the fact they have.
- You must not keep personal data for longer than you need it.
- You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.
- You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
- You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
- You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
- You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.
I`m not saying it is right but it is just one of many circumstances where one arm of legislation conflicts with an event in the future that was unforeseeable at the time.
I would argue that an investigation as to why somebody has committed suicide and whether your organisation is partially/fully the cause will allow the data to be kept longer than this data has been conveniently got rid of.