Out-Law News 2 min. read
26 Apr 2007, 1:19 pm
In six months' time an exemption from the Data Protection Act will expire. The transitional relief exemption allowed some paper files to escape the control of the 1998 Act for a limited period in order to give organisations time to organise those files so that they would comply.
Some analysts, including consulting and audit firm KPMG, have warned that this will result in a crisis as mountains of paper files suddenly come under the control of the Act.
"Those organisations with significant amounts of paper based records will struggle to comply with simple requests from members of the public who want to know who has access to their personal data, whether it is accurate and confirmation that it is stored securely," said a KPMG statement. "Failure to supply this information within 40 days will breach the DPA and could damage the organisation’s reputation."
But according to Rosemary Jay, a data protection expert with Pinsent Masons, the law firm behind OUT-LAW.COM, the exemption did not apply to all paper files and is likely to affect only a few organisations.
"It is hard to see where any normal data controller is likely to have significant problems," said Jay. "The end of the transition period only affects information held on structured manual files – not all manual files – so it is not applicable to all old pieces of paper."
The Act does not apply to files that have been removed or destroyed, and any existing structured files will most likely have material added to them since the Act came into place in 1998. That means that any file is almost certain to already be treated in a manner compliant with the Act, said Jay.
"The reality is that since this only applies to information held in these structured files, and the rest of the file – that is the information generated since 1998 – has been subject to the DPA anyway since the Act came into force, data controllers have been treating all the information in the same way," she said. "They don't take out the old papers on the file and hold them in an insecure manner. So the end of transition makes only a technical difference there."
KPMG has warned that, "in the public sector, such paper based records could include health, education and social work records, while in the private sector, personnel, pension and customer files may be affected".
But Jay said that public records are unlikely to be particularly affected because people have long been permitted to view them in the way the Act orders. "As far as subject access is concerned the most sensitive things have been available since way before 1998 because medical records and local government records have been available since the 1980s. In the public sector subject access has been available to all paper files since January 2005," she said.
Meanwhile, the Information Commissioner's Office, which polices the Data Protection Act, is investigating Barclays Bank following a BBC investigation which uncovered alleged privacy breaches at the bank.
The Whistleblower programme used undercover filming to uncover staff being told by trainers to ignore customers' wishes that they not be contacted for marketing purposes, and staff accessing customers' accounts with a valid reason.
"The ICO takes breaches of people's privacy extremely seriously," said Mick Gorrill, head of the Regulatory Action Division at the ICO. "Making sales calls to people who have expressly asked not to be contacted is totally unacceptable. We have asked Barclays Bank to provide a range of information to help with our investigation. We will report publicly on this investigation once it is completed."
