GDPR and Archive Storage
GDPR Applies to Paper Archives, Not Only Online Records
Many businesses and other organisations are legally obliged to keep records for a defined number of years.
These records, for example legal documents and health records, are often in printed form, and it may not have been possible to convert them into digital records.
However, paper records can soon start eating up space, and one solution has been for organisations to store them with self-storage companies.
The new GDPR (General Data Protection Regulation) rules about keeping records containing personal information came into force in May this year, and the focus has been largely on the security of digital records. Many do not realise, however, that the regulations also apply to paper records.
The responsibility is with the organisation or company that is archiving the records, not with the storage company.
Self-storage offers 24/7 access to clients in secure locations, which takes care of one aspect of the GDPR regulations.
However, there are several steps that record owners must take to comply.
Regulations
The aim of the regulations is to give the individuals whose information is being kept access to that information and the right to request its removal. There are exemptions, such as with health records, but the organisation must register with the Information Commissioner's Office (ICO) as an exempt organisation.
In principle, if a person requests removal of all or part of their information the record-keeper must comply. An organisation must be able to fulfil this request.
This means that a specific person within the organisation must be appointed as Data Manager/Processor.
Storing Records
Access to the records, and therefore keys or codes for the storage facility, must be limited to named individuals from the organisation storing archives at the facility.
There needs to be clear documentation of the records being stored and the details they contain. This documentation must be accessible so that records can be quickly found if an individual asks to see their records. There must also be a record of whether there are multiple copies of records.
The list must be regularly updated so that any changes can be noted easily.
Records must only be kept for as long as necessary, and there are penalties if an organisation doesn’t comply. However, if an organisation keeps personal data to comply with a legal requirement, it will not be considered to have kept the information for longer than necessary.
The ICO website contains a great deal of useful information on the rules and regulations and on exemptions.