UK data erasure right for stalking victims, 31 March
From Monday 31 March 2026, a new legal route helps you clear harmful traces left by stalking or harassment. If your personal data was recorded because of an unfounded allegation from the person targeting you, you can ask the organisation holding it to erase it. Parliament created this as a fresh ground for the UK GDPR “right to erasure” in section 31 of the Victims and Prisoners Act 2024, which inserts Article 17(1)(g) into UK GDPR. (legislation.gov.uk)
The test is simple to describe but strict in law. The allegation must have been made by a person the law calls “malicious” in relation to you; the organisation (the data controller) must have investigated; and they must have decided to take no further action. Only when all three elements are met can you use this new erasure ground. (legislation.gov.uk)
Who counts as a “malicious person”? The Act says it is someone who has either been convicted of a listed stalking or harassment offence against you, or is subject to a stalking protection order made to protect you. The Act lists the relevant offences across England and Wales, Scotland, Northern Ireland and certain service offences in the Armed Forces Acts. (legislation.gov.uk)
This right sits inside Article 17 of UK GDPR, which already allowed deletion in defined situations and, importantly, contains firm exemptions. If an organisation must keep data to comply with a legal obligation, to perform a public task, or for other reasons in Article 17(3), it can refuse erasure. The Information Commissioner’s Office (ICO) stresses that the right to erasure is not absolute. (legislation.gov.uk)
Let’s make it concrete. Imagine a former partner, later convicted of harassment, emails your college with a false safeguarding complaint. The college logs the allegation and investigates. When they decide there’s no case to answer, you can ask the college to erase personal data that was processed because of that allegation, citing Article 17(1)(g). The conviction means the reporter is a “malicious person” in law. (legislation.gov.uk)
Another example is work. Suppose HR receives an anonymous tip naming you, but the police later secure a stalking protection order against the tipster to protect you. If HR’s investigation closes with no action, you can request erasure of the allegation-driven record in your HR file. Routine records (pay, security passes) are unaffected because they weren’t created “as a result of” that allegation. (legislation.gov.uk)
Online spaces matter, too. If a platform logs a safety report about you from someone later found to be a malicious person, and the platform’s review closes with no action, you can ask to remove the report’s personal data about you. Where platforms must retain certain trust-and-safety logs for legal reasons, they may rely on the Article 17(3) exemptions-but they must explain this. (ico.org.uk)
What you’ll need in practice is clarity. When you write to the data controller, say you are making a right-to-erasure request under Article 17(1)(g). Point to the investigation outcome (for example, “no further action”) and show why the reporter meets the malicious-person definition, such as a court order reference or conviction details. Keep copies of anything you send or receive. (legislation.gov.uk)
Organisations have one calendar month to respond to data-rights requests, with a possible two‑month extension for complexity. The ICO’s guidance explains the timing rules and what a proper response looks like. If a controller refuses, they must tell you why and signpost you to the ICO and your right to complain. (ico.org.uk)
A quick Q&A helps here. Can you use this if the person only became “malicious” after they made the allegation? Yes-the law says the timing does not matter; what matters is that they are such a person by the time you rely on this right. (legislation.gov.uk)
Can you make the police delete an incident record? Often, no. Police process “law enforcement” data under Part 3 of the Data Protection Act 2018, which has its own erasure rules and strong public‑interest grounds to retain records. You can still ask, but expect a detailed legal explanation if they refuse. (cy.ico.org.uk)
Does this apply across the whole UK? Yes. Paragraph 32 of Schedule 11 to the Data (Use and Access) Act 2025 confirms that the section 31 amendments to UK GDPR-including the new Article 17(1)(g) and related provisions-extend to Scotland and Northern Ireland as well as England and Wales. (legislation.gov.uk)
Why add this right at all? Lawmakers heard that false, malicious allegations are a stalking tactic that can shadow someone for years in files and background checks. The government’s Explanatory Notes and Lords debate records underline that the aim is to give victims a focused tool to tidy up those traces when an allegation is closed with no action. (legislation.gov.uk)
A short glossary helps you teach this. A data subject is you, the person the data is about. A data controller is the organisation deciding why and how the data is used. An allegation is a claim about you; for this right, it must be from a legally defined malicious person. A stalking protection order is a civil order made by a court to protect someone at risk of stalking. (legislation.gov.uk)
Here’s what it means for students and staff on campus or in college. If a malicious person files a baseless complaint and the institution concludes there’s nothing to it, you can ask to delete the specific record created because of that complaint. This doesn’t wipe every mention of your name; it targets the allegation-driven data, subject to legal retention duties. (legislation.gov.uk)
And one final date to remember. The Ministry of Justice has made commencement regulations so that this right begins on Monday 31 March 2026. Keep a note of any investigation outcomes after that date-they will be the evidence you rely on if you need to use this right. (Source: legislation.gov.uk; Ministry of Justice.)