Despite the increase in paperless offices, many businesses still struggle with ensuring their manual records comply with EU and UK data protection laws. One key question to ask at the outset is, of course, whether those manual records even amount to personal data all. The GDPR tells us that only manual records that form part of a filing system or are intended to form part of a filing system will be personal data. It then defines a filing system as “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”.
So far so good, but what does that mean in practice? If notes are left on a desk in chronological order, is that structured enough? What about a lockable cabinet with files on individuals ordered alphabetically according to the individual’s last name? Current GDPR guidance from the ICO on manual records is limited but helpfully, the latest Court of Appeal decision in the Dawson-Damer v Taylor Wessing saga is likely to be of assistance.
Although decided under the Data Protection Act 1998 (DPA 1998), this decision will likely have relevance for manual records under the GDPR as well. One of the key issues disputed was whether certain paper files, ordered chronologically, would need to be reviewed and personal data extracted from them in order to comply with a subject access request. The question for the Court of Appeal was whether those files were part of a ‘relevant filing system’ (the DPA 1998 version of a GDPR ‘filing system’) and thus personal data. In particular, was the structure of the files such that the information requested could be easily or readily retrieved? Here, the only way this could happen was by using trainees and skilled lawyers physically examining the files page by page. The Court of Appeal concluded this was a clear indication that the structure itself did not enable ready access to the data and that, as a result, the paper files were not held in a relevant filing system.
The Court also referred to the ICO’s ‘temp test’ (ie could a reasonably competent temporary admin assistant without any particular knowledge of the type of work or the documents you hold be able to extract specific information about an individual). So there remains some support and acknowledgement of this test as a useful rule of thumb.
This decision will be reassuring for many, especially given how burdensome subject access requests are for businesses and that previous decisions had resulted in a wider scope for relevant filing systems. It will also provide comfort beyond the sphere of individuals’ rights – if a larger proportion of manual records will not be personal data then they will be out of the scope of the wider GDPR obligations as well, for example around accuracy, security and retention.
Having said that, it would probably be sensible to ensure such records are not kept for longer than necessary and still kept secure. In some cases, it will be easier to adopt a stricter policy across a broader range of records rather than spend time allocating different policies to different types of manual records. It is also unclear whether a regulator or court would conclude that manual records that were not part of a filing system but were accessed and re-organised (e.g. by a ‘rogue’ employee) would then be subject to the GDPR… But overall, a positive development for many grappling with the wide scope of personal data.