Defensible Deletion: When Is It OK to Delete Data Under a Data Deletion Policy?