Paper Records and Data Protection Law
Does GDPR Cover Paper Records? The European Union's General Data Protection Regulation became applicable on 25 May 2018. It replaced the 1995 Data Protection Directive, gave citizens greater protection for their personal information, and imposed a much greater degree of responsibility on organisations that handle and process personal data.
As with many legal and legislative matters, before we can answer a seemingly simple question such as "does GDPR cover paper records?", we must first take a moment to define some key concepts.
What is Personal Data and GDPR?
Personal data can come in many forms, but in its legal definition (Article 4(1) of the GDPR) it is any information relating to an identified or identifiable natural person, known as the data subject.
Personal data can include a name, location data, medical information, or social or economic information that can be used, alone or in combination, to identify that natural person. Put simply, personal data is information that relates to an individual.
The GDPR covers the processing of this data whether it is wholly or partly automated or not automated at all, provided that non-automated data (such as paper records) forms part of a 'filing system' or is intended to form part of one.
Does GDPR Cover Paper Records?
To offer the greatest level of protection, one of the objectives of the GDPR was to be "technologically neutral" and not dependent on the techniques used to process data.
If you hold or process personal data in paper records that form part of a 'filing system', the GDPR applies to those records just as it applies to a database. 'Unstructured' paper records fall outside the GDPR itself, but in the UK the Data Protection Act 2018 (DPA 2018) extends the data protection regime to unstructured manual records held by public authorities, so that such records remain accessible under the Freedom of Information Act 2000 and the data rights of citizens are still protected.
Structured vs Unstructured
Though this may all sound a little confusing, it is worth understanding how it translates to your organisation.
A filing system is a structured set of personal data that is 'accessible according to specific criteria', for example a filing cabinet in which records are indexed by name or reference number so that specific information can be looked up. Unstructured records, by contrast, are loose documents scattered across a desk, or physical notes not arranged in any manner intended for later categorisation or search.
Importantly, the way personal data is stored decides whether the GDPR applies, but it does not remove your obligations altogether: the UK's DPA 2018 should always be considered when handling, storing, or processing personal data in any format or manner.
Protecting Personal Data
As the UK's Information Commissioner's Office points out, personal data "only includes paper records if you plan to put them on a computer (or other digital device) or file them in an organised way.
“If you are a public authority, all paper records are technically included – but you will be exempt from most of the usual data protection rules for unfiled papers and notes.”
Though there are nuances to how the GDPR applies to the various formats in which personal data is held, the answer to the question 'does GDPR cover paper records?' should be regarded as yes: paper records that are filed, or intended to be filed, in an organised way are personal data under the GDPR, and in the UK unstructured records are also subject to the DPA 2018.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.