Practice What You Preach - Going Digital and Data Protection

In an increasingly digital age, the need for paper is slowly diminishing, and the environmental impact of this is potentially significant.

However, if you are thinking of (or have already) moved towards a fully or partly paperless organisation, there are some data protection considerations that you will want to factor in: security, access and purpose.

Security

The main issue with going paperless is security. Exactly as you would with paper records, you have to consider whether the level of security you have set up is reasonable, taking account of the information that you are trying to protect. In data protection terms, this is the requirement under the UK GDPR to ensure appropriate technical and organisational measures are in place to protect personal data, which applies to both digital and paper records.

The UK GDPR is not prescriptive about what measures you should or should not have in place. Instead, it leaves the decision to each organisation to decide what is proportionate. When making this determination, you must take into account the "state of the art", and you can also take into account cost.

State of the art is taken to mean the highest possible level of security that you could apply to information - so what is the very best at this moment in time. You then balance that against the risks to the information, the risks to the individual if the information was compromised, and the costs of implementing these solutions.

Therefore, if you hold sensitive medical information about individuals that could lead to serious harm if released, this will require a much higher level of security that a list of trustee names that is already in the public domain.

When looking at moving to being paperless, we suggest documenting each stage of the decision-making process, with a focus on noting the reasons for any decisions made. This will likely including listing the information to be protected, identifying the risks to the information (eg phishing attacks leading to introduction of malware, targeted attacks for ransom, human error, distributed denial of service attacks (DDoS) etc), along with the likelihood of each risk. You can then identify the risks to the individuals in question if the information is compromised (eg identity theft, reputational damage etc), as well as the risks to the organisation if the information is compromised. This will then enable you to make an informed decision about the type of protection that you want to put in place (eg encryption, staff training, firewalls etc).

It's important to remember that this is not a one-time process, and security should be under regular review. This review should occur on a regular basis to assess what is the current 'state of the art' in terms of protection and whether upgrades are needed, but also after any security incident - whether or not information was compromised. This allows you to review any specific risks that might be present, and take steps to mitigate those risks. One often overlooked area here is your breach register. A good breach register will contain details of all breaches - even the near-misses. You can then analyse whether there are particular areas of vulnerability within the organisation, and take steps to minimise that vulnerability. A breach register might identify that individuals are not making use of the 'bcc' function when sending group emails, for example. This might be remedied by additional training, as well as ensuring that the bcc field is always showing when a new email is opened. You can also assess the effectiveness of these measures over time, to see whether additional measures are needed.

Access

Accessibility is another issue that is often overlooked when going digital. Whilst access controls are a common method of ensuring security, ensuring that information is accessible in case of a request to exercise rights under the UK GDPR is not always thought about. Having naming conventions for documents is one relatively simple way of identifying quickly whether a document is or might be relevant to a request. Also, when you are putting in place structures and access controls, consider how you would search for personal data if an individual made a request - does someone have overall access, or would you need to ask individuals to search areas of your system?  If you need to ask individuals, how long would this take? Is there a risk that searches could be inconsistent if not carried out centrally? It's worth bearing in mind that you only have one month to respond to most requests, and the Information Commissioner's Office is unlikely to take into account the fact that your systems make locating information difficult if you are struggling to meet the deadline.

Purpose

Finally, another issue with digital records is the increased risk of purpose drift.  When records are stored in paper form, the information is in often a specific document that is used for a particular purpose. With the digitisation of records, it's much easier to access information, meaning that there is a temptation to use information collected for one purpose for another without really thinking through the consequences of this. Whilst it can be possible to use information for an ancillary purpose, this will not always be permissible (particularly if you have not mentioned the use in privacy notices and/or are reliant on consent), so it is important to ensure that if information is digitalised, it is still only used for the purpose(s) it was collected.

Digitisation of records can be a huge benefit to charities, and to the environment! The above factors should definitely not be a deterrent - just something to think about if you're going digital, or even if you're already there - it never hurts to reassess your data protection compliance!

For more information about data protection requirements, or anything information law related, please contact Vicki Bowles on 0117 314 5672 or complete the form below.