Data protection also applies to hard-copy materials
The UK data protection regulator, the Information Commissioner’s Office (ICO) recently sent a strong warning that data protection law applies to hard copy data as well as electronic files.
In this case Norfolk County Council left files that included sensitive information about children in a filing cabinet sent to a second hand shop. The council was fined UK £60,000 by the ICO.
What was this case about?
The council had disposed of some furniture as part of an office move but had failed to ensure that the cabinets were empty before disposal. The issue came to light after social work case files were discovered in a cabinet purchased by a member of the public from a second hand shop. The case files included information relating to seven children.
What did the ICO say?
The head of ICO enforcement commented as follows: “For no good reason Norfolk County Council appears to have overlooked the need to ensure it had robust measures in place to protect this information. It should have had a written procedure in place which made it clear that any storage items removed from the office which may have contained personal were thoroughly checked before disposal.”
This matter is a timely reminder that data protection rules also apply to hard-copy materials and that having the appropriate staff and procedures in place is key to ensuring that personal information is properly looked after.
What about GDPR?
As the ICO itself highlights in this particular case, this will be all the more crucial when the EU General Data Protection Regulation (GDPR) is fully applicable from 25 May 2018 under which the £60,000 fine would be significantly more. Amongst the many compliance obligations that the GDPR imposes is the general one of “accountability”, i.e. a data controller will have to demonstrate compliance with principles relating to data processing, which applies as much to disposing of old filing cabinets as to on-line areas such as security measures.
Cordery’s Jonathan Armstrong was recently interviewed by The Independent in Ireland on the wider consequences of GDPR for hard copy data. You can find a copy of that interview here http://bit.ly/2nYbs3Z
We have written FAQS and a Glossary about the GDPR which can be found here and here. We have also designed a comprehensive set of materials to help comply with the GDPR called GDPR Navigator – for more about this please see here. We frequently write about data protection issues – for more articles see here.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 075 1785|