In six months' time an exemption from the Data Protection Act
will expire. The transitional relief exemption allowed some paper
files to escape the control of the 1998 Act for a limited period in
order to give organisations time to organise those files so that
they would comply.
Some analysts, including consulting and audit firm KPMG, have
warned that this will result in a crisis as mountains of paper
files suddenly come under the control of the Act.
"Those organisations with significant amounts of paper based
records will struggle to comply with simple requests from members
of the public who want to know who has access to their personal
data, whether it is accurate and confirmation that it is stored
securely," said a KPMG statement. "Failure to supply this
information within 40 days will breach the DPA and could damage the
organisation’s reputation."
But according to Rosemary Jay, a data protection expert with
Pinsent Masons, the law firm behind OUT-LAW.COM, the exemption did
not apply to all paper files and is likely to affect only a few
organisations.
"It is hard to see where any normal data controller is likely to
have significant problems," said Jay. "The end of the transition
period only affects information held on structured manual files –
not all manual files – so it is not applicable to all old pieces of
paper."
The Act does not apply to files that have been removed or
destroyed, and any existing structured files will most likely have
had material added to them since the Act came into place in 1998. That
means that any file is almost certain to already be treated in a
manner compliant with the Act, said Jay.
"The reality is that since this only applies to information held
in these structured files, and the rest of the file – that is the
information generated since 1998 – has been subject to the DPA
anyway since the Act came into force, data controllers have been
treating all the information in the same way," she said. "They
don't take out the old papers on the file and hold them in an
insecure manner. So the end of transition makes only a technical
difference there."
KPMG has warned that, "in the public sector, such paper based
records could include health, education and social work records,
while in the private sector, personnel, pension and customer files
may be affected".
But Jay said that public records are unlikely to be particularly
affected because people have long been permitted to view them in
the way the Act orders. "As far as subject access is concerned the
most sensitive things have been available since way before 1998
because medical records and local government records have been
available since the 1980s. In the public sector subject access has
been available to all paper files since January 2005," she
said.
Meanwhile, the Information Commissioner's Office, which polices
the Data Protection Act, is investigating Barclays Bank following a
BBC investigation which uncovered alleged privacy breaches at the
bank.
The Whistleblower programme used undercover filming to uncover
staff being told by trainers to ignore customers' wishes that they
not be contacted for marketing purposes, and staff accessing
customers' accounts without a valid reason.
"The ICO takes breaches of people's privacy extremely
seriously," said Mick Gorrill, head of the Regulatory Action
Division at the ICO. "Making sales calls to people who have
expressly asked not to be contacted is totally unacceptable. We
have asked Barclays Bank to provide a range of information to help
with our investigation. We will report publicly on this
investigation once it is completed."