Every school probably has one. In fact, every business that has been around for more than a few decades probably has one. We’re talking about the cupboard, filing cabinet or storage unit that is full of documents that somebody thought were important enough to hold onto long ago, but now nobody really has any idea what is in there – and nobody is brave enough to face it!
Hopefully you won’t do anything as silly as a certain County Council that left files containing sensitive information about children in a cabinet that was dispatched to a second-hand shop – a charitable gesture that cost them a hefty £60,000 fine – but the new rules expect you to be able to easily find what information you’re holding, and that includes everything in those old cupboards and cabinets.
Right to be forgotten
Under GDPR, individuals will also have the right to be forgotten, also known as ‘data erasure’. Where the personal data is no longer required for its original purpose, their consent has been withdrawn or they object to the processing, an individual can demand that the processing is stopped and all their personal data is erased.
If somebody gets in touch with you on 26 May asking for their data to be deleted, will you be able to find it?
Under GDPR they do not have to have a reason to request deletion. The onus is on the data processor to prove that there is a valid reason to continue processing this information; otherwise, the processor needs to ensure that the data is deleted without delay. This can obviously become very tricky if you know you probably have personal data somewhere in a cupboard or filing cabinet, but you don’t know exactly where.
How Many Copies Of Your Documents Exist?
Maybe you made a few photocopies of somebody’s CV ahead of an interview and they’ve since been tucked in a bottom drawer somewhere. Perhaps a document with private data was sent to a shared printer and picked up by the wrong person without you knowing, so you printed it again.
Despite our best efforts, paper can easily multiply and go awry. A key element of GDPR training will be making sure everybody at your organisation knows exactly what to do with paper documents that contain personal data and to ensure that proper destruction techniques are adhered to at all times.
Get scanning, go paperless
Remember, if you can’t come up with a good, legal reason to have data you shouldn’t keep it. Depending on how big your document collection is, it might mean a long afternoon at the shredder for somebody, but once 25 May rolls around you’ll be glad you did it!
Dealing with these old documents is a good starting point for fully establishing how you deal with physical data, how you file it and how it is stored. It’s also a great excuse to move towards making your school entirely paperless, something which Groupcall can certainly help you with!
After all, the easiest way to be safe from the perils of paper is to not have any at all.