Paper records – time for a risk assessment?
April 10, 2015
The Serious Fraud Office has recently been fined £180,000 by the Information Commissioner's Office for a breach of the seventh data protection principle (appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data). The breach occurred after the SFO returned bags of evidence containing personal information to the wrong person. The ICO considered this a very serious breach of the seventh data protection principle, one which in its view was likely to cause substantial distress to the individuals who were the subject of the data.
The SFO is not the first organisation to be fined for failing to handle paper records properly. In January last year, the Department for Justice Northern Ireland was fined £185,000 after selling a filing cabinet at an auction without first checking the contents. The filing cabinet contained sensitive personal information about a number of individuals. In March last year, Kent Police were fined £100,000 for leaving sensitive personal information in a box at the site of a former police station.
The ICO issued nine further undertakings last year to organisations for poor handling of paper records containing personal information. These ranged from paper records found in the street, in a train station waiting room, in a café and in a cyclist’s lost bag to records left in a client’s home.
Organisations which are reliant on paper records for their day-to-day business need to ensure that they have robust policies and procedures in place and that staff are adequately trained to ensure that those records are kept secure.
Paper records should always form part of any data protection risk assessment or audit process. If staff members are required to take paper records with them when meeting customers or clients, or when working at home, they should be aware of the obligation to keep the records secure. It is particularly important to be aware of the sensitivity of the data contained within the paper records and of the greater responsibility associated with sensitive personal information.
When relocating premises, organisations which process personal information should consider performing a privacy impact assessment (PIA). Relocating to new premises should be considered a new project, and a PIA would enable organisations to consider the general data protection risks associated with relocating, including the storage of paper records.
As part of the PIA process, a review of the paper records would be appropriate. For example, depending on the length of time paper records have been held, it may be appropriate to consider whether the personal information contained in the records is still required for the purpose for which it was collected. The longer information is stored, the more likely it is to be inaccurate or out of date.
A review of policies around retention periods would also be appropriate prior to relocation and may lead to the destruction of paper records which are no longer required.
Policies around the sale of old office equipment and furniture, including filing cabinets, should also be reviewed and a final walk around the old offices may be beneficial.