
Six month countdown to data protection crisis begins…

UK-based public and private sector organisations are facing a data protection crisis that will affect the way they store paper-based files, warns KPMG. In six months' time, the ‘Transitional Relief’ exemption that applied to files created prior to the Data Protection Act 1998 (DPA) will come to an end.

Many private and public sector organisations have retained paper files that reference personally identifiable information. Where these files were collected prior to October 1998, and used thereafter, they have previously not been affected by the strict compliance obligations of the DPA.

Those organisations with significant amounts of paper based records will struggle to comply with simple requests from members of the public who want to know who has access to their personal data, whether it is accurate and confirmation that it is stored securely. Failure to supply this information within 40 days will breach the DPA and could damage the organisation’s reputation.

In the public sector, such paper based records could include health, education and social work records, while in the private sector, personnel, pension and customer files may be affected.

“At a time when identity theft is a growing problem, custodians of our personal information hold a position of trust”, says Steve Kenny, Privacy Services Leader with KPMG. “We are concerned that many organisations have not grasped the potential scale of this problem. Companies need to understand very quickly how exposed they are, before the relief period comes to an end. Worryingly, many internal audit and compliance functions may have let this slip off the radar.”

The majority of large organisations will have computer-based systems for the management of new data; however, many will have a legacy of old information that is difficult to manage.

Kenny has the following advice for organisations that are concerned about the end of the transitional relief period:
* Establish what paper records exist, where they are stored, and whether you are relying upon transitional relief as your compliance approach
* Ascertain if the files contain personal data such as names, National Insurance numbers or customer addresses
* Don’t get bogged down in legal definitions of ‘relevant filing systems’. This is an ambiguous concept, so apply a common sense test – do these paper files contain personal data – if they do then action will need to be taken.

Kenny concludes: “Transitional relief is one of the least well publicised aspects of the Data Protection Act. If companies are relying upon it, it’s a question of when, not if, they need to get their houses in order. Transitional relief is primarily an issue for compliance functions, but internal audit also has a role to play – namely ascertaining if management has appropriately tested for reliance on transitional relief, and if such a reliance has been detected, is management’s response appropriate in light of heightened awareness of privacy and data protection risks?”

www.kpmg.co.uk

Date: 26th April 2007 • Region: UK • Type: Article • Topic: Operational risk
Copyright 2010 Portal Publishing Ltd