Norfolk County Council has recently been fined £60,000 by the Information Commissioner’s Office for a breach of the seventh data protection principle (appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data). The breach occurred after a third party collected some furniture from NCC as part of an office move. A member of the public purchased one of the filing cabinets which contained case files containing sensitive information about seven children. This was considered a very serious breach of the seventh data protection principle by the ICO. It was the view of the ICO that the loss of the case files was likely to cause substantial distress to the individuals concerned.
Norfolk CC is not the first organisation to be fined for failing to handle paper records properly. The Department for Justice Northern Ireland was fined £185,000 after selling a filing cabinet at an auction without first checking the contents. The filing cabinet contained sensitive personal information about a number of individuals. Kent Police were fined £100,000 for leaving sensitive personal information in a box at the site of a former police station.
Organisations which are reliant on paper records for their day-to-day business need to ensure that they have robust policies and procedures in place and that staff are adequately trained to ensure that those records are kept secure.
Paper records should always form part of any data protection risk assessment or audit process. If staff members are required to take paper records with them when meeting customers or clients or when working at home they should be aware of the obligation to keep the records secure. It is particularly important to be aware of the sensitivity of the data that is contained within the paper records and the greater responsibility associated with sensitive personal information.
When relocating premises organisations which process personal information should consider performing a privacy impact assessment (PIA). Relocating to new premises should be considered a new project and a PIA would enable organisations to consider the general data protection risks associated with relocating including the storage of paper records.
As part of the PIA process a review of the paper records would be appropriate. For example, dependent upon the length of time paper records have been held it may be appropriate to consider whether the personal information contained in the records is still required for the purpose for which it was collected. The longer information is stored the more likely it is to be inaccurate or out of date.
A review of policies around retention periods would also be appropriate prior to relocation and may lead to the destruction of paper records which are no longer required.
Policies around the sale of old office equipment and furniture, including filing cabinets, should also be reviewed and a final walk around the old offices may be beneficial.