If you care enough about privacy issues to be a regular reader of this blog, you probably know that one of the Big Changes under GDPR will be the introduction of “accountability” as a legal obligation, i.e. it will now be a requirement that a data controller is able to demonstrate its compliance with the principles relating to processing of personal data set out in Article 5 of the GDPR. You may even have started thinking about what this means for your organisation: how are you going to get your development teams to adopt privacy by design and default? What are you doing about data minimisation? Do you apply appropriate levels of encryption to your personal data? In our ever-more digitally driven world, it’s easy to get caught up in the sophisticated stuff, but a recent UK ICO decision reminds us that accountability is about the simple stuff as well. Which brings us to filing cabinets.
Filing cabinets are probably not top of your GDPR issues list. They may not be on there at all. But perhaps they should be. In April 2014 Norfolk County Council had an office move, during which a third party collected some redundant furniture, including filing cabinets, which had previously been used by the children’s social work team. You can guess the rest of the story. “In the absence of a specific written procedure, it wasn’t clear whether the children’s social work team or business support were ultimately responsible for ensuring that the office furniture was empty prior to disposal.” A member of the public subsequently bought one of the filing cabinets from a second-hand furniture shop. On delivery it transpired that the cabinet contained case files including sensitive information about seven children.
The Information Commissioner concluded that there had been a breach of the seventh data protection principle because “Norfolk did not have in place appropriate organisational measures for ensuring so far as possible that such an incident would not occur, i.e. for ensuring that the office furniture was empty prior to disposal. In particular, Norfolk did not have an adequate written procedure governing how office furniture disposal should be managed.” It fined Norfolk £60,000, a not insignificant sum when you consider that another data controller has just been fined £70,000 for sending 3 million unsolicited marketing emails. Suddenly filing cabinets start to look a bit more important.
Of course, this isn’t really just about filing cabinets. Back in 2013, commenting on the draft GDPR, the ICO memorably said there needed to be “more emphasis on outcomes rather than processes,” but this latest decision brings home what will become a legal obligation under the GDPR, demonstrating that if you get the wrong outcome, it will be very important to show that you at least had the right process in place to start with.
Maybe now is the time to do a spot of spring cleaning: empty out those filing cabinets of your current policies and procedures, identify any gaps, and most importantly, make sure that your workforce is aware of what is expected of them.