Paper Records and Data Protection Law

Does GDPR Cover Paper Records? The European Union’s General Data Protection Regulation came into force in May of 2018 and sought to update decades-old regulations, allow greater protection for the personal information of citizens, as well as imposing a much greater degree of responsibility upon organisations handling and processing personal data.

As with many legal and legislative matters, before we can answer as seemingly simple questions, such as does GDPR cover paper records? we must first take a moment to define some key concepts.

What is Personal Data and GDPR?

Personal data can come in many forms, but in its technical definition refers to any information relating to an identified or identifiable natural person (i.e. the data subject).

Personal data can include location data, a name, medical information or social or economic information which can be used to help identify said natural person. Put simply, personal data is information that relates to an individual.

The GDPR covers the processing of this data in several ways, including wholly or partly automated processing, or personal data being processed in a wholly non-automated manner, such as in the case of paper recording being used as part of a ‘filing system’.

Does GDPR Cover Paper Records?

To offer the greatest level of protection, one of the objectives of the GDPR was to be “technologically neutral” and not dependant of techniques used in the processing of data.

If you are holding or processing personal data in the form of paper records, as part of a ‘filing system’, as opposed to an ‘unstructured paper record’, this is not covered by the GDPR specifically, but is covered, for example, by the UK’s Data Protection Act (DPA 2018) with the aim of ensuring appropriate protections for possible Freedom of Information Act 2000 related requests and adequate protections for the data rights of citizens.

Structured vs Unstructured

Though this all may sound a little confusing, it is worth understanding how this translates to your organisation.

A structured set of personal data needs to be ‘accessible according to specific criteria’, for example a filing cabinet where specific information can be looked up and accessed; whereas unstructured would describe loose documents scattered across a desk, or physical notes not arranged in a manner intended for later categorisation or search.

Importantly, though how personal data is being stored makes the applicability of the GDPR debatable, the UK’s DPA 2018 should always be considered when handling, storing, or processing personal data in any format or manner.

Protecting Personal Data

As the UK’s Information Commissioner’s Office points out, personal data “only includes paper records if you plan to put them on a computer (or other digital device) or file them in an organised way.

“If you are a public authority, all paper records are technically included – but you will be exempt from most of the usual data protection rules for unfiled papers and notes.”

Though there may be many nuances to the applicability of the GDPR to various formats of personal data, the answer to the question ‘does GDPR cover paper records?’ should be widely regarded as yes.