The Data Protection Act 1998 requires data controllers to take appropriate "technical and organisational" measures to protect personal data. Understandably, the emphasis is often on technical protection, but physical security and the protection of paper records containing personal data are equally important.
Operating a clear desk policy for paper records reduces the risk of unauthorised access to, loss of, and damage to personal information on paper, whether during or outside working hours.
The policy a data controller puts in place should reference the most commonly accessed paper records and identify where sensitive or confidential financial information may be put at risk.
The effectiveness of any such policy is, of course, dependent on suitable facilities, such as lockable cabinets and secure waste disposal, being available in all relevant areas.
These controls could be included in a clear desk policy:
- Any letters, printed emails, cheques or other paperwork containing personal data should be put away in a file when not in use during the working day
- The printing of material (e.g. emails) which contains personal data should be minimised
- Overnight, files containing personal data should be stored in an area protected by secure, access-controlled door entry points
- Sensitive, personal or private and confidential information should be locked away in a lockable cabinet or lockable desk drawers whenever it is not in use
- Sensitive, personal or private and confidential information should be collected from printers and fax machines immediately, so that it is not left where others can read it
- General work areas and meeting rooms should be cleared of paperwork containing personal data every evening before the office is vacated
- All desk areas should be cleared of paperwork containing personal data every evening before the area is vacated, and left clear
- Any personal data that does not need to be retained should be shredded or placed in confidential waste bins
- Individual user PCs and computer terminals should not be left logged on when unattended, and should be protected by key locks and password controls (for example, a password-protected screen lock that activates after a short period of inactivity)
- Individual user PCs and computer terminals should be shut down and switched off at the end of the working day. Laptops should be locked in a secure cabinet overnight
Published September 2014
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.