KPMG is warning that both public and private sector organisations are facing a data protection crisis as the transitional relief exemption that applied to paper files created before October 1998 is due to end in six months’ time.
Many organisations have retained paper files that reference personally identifiable information – including personnel and pension records – which have not been subjected to the full extent of the Data Protection Act (DPA).
But KPMG points out that organisations with significant amounts of archived paper-based records may struggle to comply with requests from members of the public to know whether their personal data is accurate and still retained. Under the DPA, responses must be made within 40 days.
“At a time when data protection compliance is a growing problem, custodians of our personal information hold a position of trust”, says Steve Kenny, privacy services leader with KPMG.
“We are concerned that many organisations have not grasped the potential scale of this problem. Companies need to understand very quickly how exposed they are, before the relief period comes to an end. Worryingly, many internal audit and compliance functions may have let this slip off the radar.”
The majority of large organisations will have computer-based systems for the management of new data; however, many will have a legacy of old information that is difficult to manage.
Kenny has the following advice for organisations that are concerned about the end of the transitional relief period:
- Establish what paper records exist, where they are stored, and whether you are relying upon transitional relief as your compliance approach
- Ascertain if the files contain personal data such as names, National Insurance numbers, records of signature or customer addresses
- Don’t get bogged down in legal definitions of ‘relevant filing systems’. This is an ambiguous concept, so apply a common sense test – ‘do these paper structured files contain personal data?’ – if they do then the full provisions of the DPA apply from October.
Kenny concludes: “Transitional relief is one of the least well publicised aspects of the Data Protection Act. If companies are relying upon it, it’s a question of when, not if, they need to get their houses in order.”