It’s a common misconception that GDPR only applies to electronic data, but in actual fact physical records and data are also caught under the Act.
Late last year, the ICO prosecuted a London pharmacy for its poor paper record storage.
£275,000 fine for poor paper record storage
The pharmacy in question kept patient data at the back of its premises in old, unlocked crates. An estimated 500,000 documents were stored there, some of which were water-damaged because they weren’t protected from the weather. The company was fined £275,000 and received national press coverage for being the first company fined for breaching GDPR rules.
The documents were no longer needed but hadn’t been securely destroyed. They contained detailed medical information and the ICO determined that the company had failed to consider the risks of the data processing being carried out.
Top tips for better paper record storage
- Only keep what you need
The pharmacy fined by the ICO had over two years’ worth of records – and no written reason to keep them for that long. If you don’t need to hold on to sensitive paper records, then shred them as soon as you’ve finished with the documents.
- Store paper records safely
The way the documents were stored was a huge concern to the ICO. Although the storage area had locked gates, the crates themselves were unlocked and not weather resistant. If these records were important, they should have been kept in a secure, dry place.
- Review your archives
It’s easy for old document storage archives to build up. It can take extra work to review and discard older material you don’t need any more, and many of us have a ‘keep it just in case’ approach. Make sure you have a clear system that helps you to work out when to destroy older records. Your data retention policy should be clear on how long you’ll keep documents.
There are several other lessons from this fine, and the ICO has clearly stated it expects ‘special category’ data to be treated with the utmost care. Make sure you are storing your paper records compliantly under GDPR!
Reproduced with thanks to Astrid GDPR.