Physical, or Hard-Copy, Data Best Practice Under GDPR
In this article we’ll be taking a look at how to ensure physical records processes don’t fall foul of the General Data Protection Regulation. The headlines in the run-up to implementation made much of the Regulation’s impact on digital data, with plenty of focus on the changes the tech titans were required to make to online and digital platforms. All firms, however, should be aware of the obligations the GDPR places on business with regard to physical – paper and hard-copy – data.
It’s true that the GDPR deals with aspects of technology that previous privacy law did not take into account; however, the Regulation doesn’t ignore paper documents and records. All firms should ensure that their procedures for physical records are as robust as those for cyber security and digital data storage. It’s worth considering what counts as physical data, and the answer might be surprising. The GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person – this includes names and identification numbers, plus location data or any unique aspect of that individual that can be linked directly to them. For example, card numbers, dates of birth and telephone numbers can all be used either individually or linked with other information to identify an individual person. And although most firms have, by now, assured the online safety of these identifiers when stored within a digital system, when they are, for example, jotted down on a notepad, their creation, storage and destruction should be considered with as much care as for digital records. Here, we’ll take a look at some of the elements firms should ensure their processes, procedures and staff training consider.
Many firms will already have clear-desk rules. These may be unwritten, or simply an example of good practice. It’s a good idea to ensure that any unwritten rules are solidified within updated procedures – whether as part of a general data policy or as a stand-alone procedure – and within staff training and testing. The policy should cover all paper records containing any information that can be used to identify an individual – whether on its own or in conjunction with another piece of information. This can include anything from a telephone number noted on a post-it to a contract. Staff should be well trained in day-to-day practices. Jotting down the personal information of individuals, whilst never good practice, becomes potentially more damaging under the GDPR.
Policies and training should also consider copies of documents – unnecessary duplication of documents that then become difficult or impossible to trace can lead to human error and insecure storage or disposal.
Where operations include processes in which staff need to make notes, for example to complete data checks, policies could set out that notes are to be made within a word processing document and then discarded without saving, rather than noting the information physically. Where purchases are part of operations, procedures may also set out that no member of staff is permitted to physically write down customers’ card numbers. Staff members should be clear on the policy for disposing of information that is not to be locked in a filing system at the end of each shift or working day – ideally, physical data or temporary records that are not to be stored should be destroyed via robust confidential waste systems. The policy should set out that staff are responsible for ensuring that their working area – whether individual or shared – is clear of any personal data when the area (e.g. desks, unlocked cabinets) will be unattended or at the end of the working day.
Most firms will be aware of the importance of computer security, and that workstations must not be left logged in while unattended. To ensure high standards of information security, firms should ensure that staff passwords are changed regularly. The definition of regular will depend on the operation, but it should certainly be at least once every six months. Equally, passwords should ideally be memorised, and not noted down somewhere for any length of time. It might not be reasonable to require each member of staff to memorise a new password immediately, but certainly any notes should not be left unattended by the workstation or laptop they relate to.
Firms dealing with particularly sensitive data, or where data is used in a more public setting, should also consider the use of privacy filters on screens. Privacy filters would be particularly useful where a staff station is on a public floor or located somewhere that individuals who are not subject to a duty of confidence could see the information.
Whilst it’s up to each individual firm to interpret the new Regulation and the Data Protection Act 2018 to ensure robust procedures and best practice, it’s certainly worth considering the effect of a breach. The Supervisory Authority – in the case of the UK, the Information Commissioner’s Office – is able to impose fines of up to €20 million, or 4 per cent of annual global turnover, whichever is higher, in the event of a finding of compliance failure. Having distinct physical data procedures and staff training in place ensures that staff are clear about what’s expected and can limit possible breaches. In addition, if a breach does occur, any investigation by the ICO will focus on evidence that the firm has made efforts to comply with the Regulation and legislation, and procedure documentation, along with evidence of staff training and testing, can constitute valuable evidence for firms under investigation.