Late last year, the ICO prosecuted a London pharmacy for its poor paper record storage. We look at storing paper records under GDPR and offer top tips to small businesses to ensure you are compliant.
The pharmacy in question kept patient data at the back of its premises in old, unlocked crates. An estimated 500,000 documents were stored there, some of which were water-damaged because they weren’t protected from the weather. The company was fined £275,000 and received national press coverage for being the first company fined for breaching GDPR rules.
The documents were no longer needed but hadn’t been securely destroyed. They contained detailed medical information and the ICO determined that the company had failed to consider the risks of the data processing being carried out.
Top tips for better paper record storage
Only keep what you need
The company had over 2 years’ worth of records – and no written reason to keep them for that long. If you don’t need to hold on to sensitive paper records, then shred them as soon as you’ve finished with the documents.
Store paper records safely
The way the documents were stored was a huge concern to the ICO. Although the storage area had locked gates, the crates themselves were unlocked and not weather resistant. If these records were important, they should have been kept in a secure, dry place.
Review your archives
It’s easy for old document storage archives to build up. It can take extra work to review and dispose of older records you don’t need any more, and many of us have a ‘keep it just in case’ approach. Make sure you have a clear system that helps you to work out when to destroy older records. Your data retention policy should be clear on how long you’ll keep documents.
There are several other lessons from this fine, and the ICO has clearly stated it expects ‘special category’ data to be treated with the utmost care.
If you’re unsure about how you’re keeping old paper records, contact us and see how Astrid can help your small business.
Find out more about the ICO’s prosecution of a London pharmacy.