All processing of personal data in the UK must be carried out in compliance with the Data Protection Act 1998 (DPA). The fifth data protection principle in the DPA requires that personal data are not kept for longer than is necessary for the purpose for which it was collected. This principle would apply to any personal data contained in complaints against former employees, including those that are later withdrawn. The Information Commissioner's Office (ICO) is responsible for investigating and enforcing compliance with the DPA. Any concerns that a data controller is not complying with the Act may be referred to the ICO.