Businesses and public bodies with large volumes of paper records face a compliance crisis in six months’ time when data protection laws are extended to paper files, management consultancy KPMG has warned.
In October the “transitional relief” exemption to the 1998 Data Protection Act (DPA), which applies to paper files created before the legislation came into force, will be ended. This will mean paper records created before October 1998 but used since then will be subject to the requirements of the act, just as data held on computers is.
The legal change should drive organisations that have not fully digitised their legacy records to finish the job through urgent investment in electronic content management or records management systems, KPMG urged.
The consultancy warned that businesses and public sector organisations with significant volumes of paper files that included personally identifiable information would struggle to comply with simple requests from the public under the DPA.
In the public sector, paper-based records could include health, education or social work files, while in the private sector, personnel, pension and customer files could be affected. Members of the public will be entitled to know who has access to their personal data, whether it is accurate and whether it is stored securely.
Failure to supply information under the DPA within 40 days will breach the act and could damage the organisation’s reputation, Steve Kenny, privacy services leader at KPMG, warned.
“We are concerned that many organisations have not grasped the potential scale of this problem. Companies need to understand very quickly how exposed they are, before the relief period comes to an end. Worryingly, many internal audit and compliance functions may have let this slip off the radar.”
Most large organisations will now use computer systems to handle new data, but many will have a legacy of information in paper files that is difficult to manage.
Kenny said: “This is another factor in the business case for record management investment. That’s the only way you’re going to put yourself in a position to comply with this. There are two options – electronic content management, where you structure unstructured data, or digitisation through records management investment.”
Paper records held in warehouses would eventually have to be digitised if organisations were going to comply with the law. But IT departments should do this “sooner rather than later”, Kenny said.
“If investment commitments are not allowing you to digitise this information now, that does mean this will have to go to the top of the budget list in the next cycle.”
He warned: “Just imagine if this paper information is stolen when a company has knowingly been in a non-compliant situation.”
Kenny urged businesses to find out what paper records they have, where they are stored and whether the organisation has been relying on the DPA’s transitional relief measures to ensure compliance. Organisations should check to see whether paper files contain personal data.
“Transitional relief is one of the least well publicised aspects of the Data Protection Act,” he said. “If companies are relying upon it, it’s a question of when, not if, they need to get their houses in order.”