are paper records subject to gdpr

Put simply, personal data is information that relates to an individual. Is it in the building? Though there may be many nuances to the applicability of the GDPR to various formats of personal data, the answer to the question ‘does GDPR cover paper records?’ should be widely regarded as yes. The old Data Protection Act 1998 not only gave Data Subjects a right to see their personal data held on computer but also that which was held on paper records which were held in a “relevant filing system”. With the GDPR changes, companies who must comply will have to pay penalty fees for such behavior. Do I need to register with the ICO? Finally, while Article 30: Records of processing activi- If you are holding or processing personal data in the form of paper records, as part of a ‘filing system’, as opposed to an ‘unstructured paper record’, this is not covered by the GDPR specifically, but is covered, for example, by the UK’s Data Protection Act (DPA 2018) with the aim of ensuring appropriate protections for possible Freedom of Information Act 2000 related requests and adequate protections for the data rights of citizens. You’ll have to comply with the GDPR regardless of your size, if you process personal data. I handwrite notes for my own understanding of meetings and sometimes record telephone numbers, addresses etc., of individuals in my notepad. I would like to receive marketing emails from Hut Six about their services Conversely when paper records are organized within a filing system that allows a person to search for specific information or documents there is an … Hut Six trains, tests and tracks your organisation’s security What doesn't seem to have been highlighted clearly enough and which should be a cause for concern for businesses are their paper files. A structured set of personal data needs to be ‘accessible according to specific criteria’, for example a filing cabinet where specific information can be looked up and accessed; whereas unstructured would describe loose documents scattered across a desk, or physical notes not arranged in a manner intended for later categorisation or search. Rather email or telephone us directly? Files can be scanned in Black & White, Colour or as a 'Mixture' of formats. That is, how the work done to meet various GDPR requirements can be leveraged when addressing others. Note: Am I exempt from the GDPR? How to manage paper documents in light of GDPR. Personal data can come in many forms, but in its technical definition refers to any information relating to an identified or identifiable natural person (i.e. Please define the paper size requirement for the job. CVs, signatures on employment agreements, disciplinary notes – all these will take a while to digitise. Data controllers have the chouce of either attempting to obtain retrospecitve consent from the data subjects or stop processing that subject’s data. 46 Transfers subject to safeguards Control where the data resides Manage data location Table 1: Key GDPR articles that signi˙cantly impact the design, interfacing, or performance of storage systems. Your obligations to data subjects are summarised in the following eight rights. However, there are certain rules that dictate what records should look like. It's easy for paper documents to lead a double or triple life. There are two major components that facilitate a paperless way of working: Working with digital images has always made more sense than working with paper. Records which have been subject to an appraisal process and deemed to be worthy of permanent preservation, have been accessioned by an archive service or which have been identified as such by the record creator are likely to considered as of ‘enduring value’. Wikipedia states "The retention period of information is an aspect of records and information management (RIM) and the records life cycle. For the purposes of GDPR, the same security concerns that affect the digital world also apply to the analogue one. Does GDPR Cover Paper Records? The right to erasure (the right to be forgotten) states that "The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data whether there is no compelling reason for its continued processing.". If an employer refuses a request they must inform the individual within one month: Article 32 (1) – GDPR Conversely when paper records are organized within a filing system that allows a person to search for specific information or documents there is an argument that they have become “structured” and “accessible according to specific criteria” and, thus, subject to the GDPR. We use cookies on our site to improve user experience, performance, and for marketing. Subject Access Request (DSAR) and the impact the General Data Protection Regulation (GDPR) will have in responding to such requests from 25th May 2018. For easy search and retrieval purposes in the future, document indexing can be used. Employees regularly make printed copies of digital files, but if a digital file is destroyed and a paper version is sat in a folder somewhere then potentially your compliance with the GDPR is affected. GDPR focus is often placed on cyber security threats, server hacks, database vulnerabilities and data stored on and transmitted between servers and networks. So, companies can't circumvent the GDPR by using paper records. Purpose of Paper 2 2. It gives you immediate and controlled access to the documents you need. There are no excuses now – get it wrong, and you stand to get a hefty fine. How GDPR affects your paper documents GDPR will see significant changes in the way organisations: manage, process and store personal information on individuals within the European Union. 14 GDPR – Information to be provided where personal data have not been obtained from the data subject; Art. These are all real-world situations where paper documents can get into the wrong hands. Oracle is committed to helping you develop a strategy to achieve GDPR security compliance. How do you currently manage the retention periods on your paper files? The IT community is getting “a bad rap” for another Y2K-type problem looming with the GDPR. This time limit shortens to one month under the GDPR. Background 3 3. awareness through interactive training content and simulated phishing campaigns. Furthermore, as we already said, there is a legal requirement to record who accessed the files, for what purpose and when. The subject - that is, the individual from whom you seek information - is legally in control of any information about themselves. Information is also provided on some of the common pitfalls and problems encountered Learn more about our packages below. This includes paper records that are not held as part of a filing system. All this searching is incredibly time consuming and costly. Or get in touch via email info@restoredigital.co.uk. Registered address: 2 Tally Close, Agecroft Commerce Park, Swinton, Manchester. This paper focuses on the typical workflows involved and includes recommendations and best practices. The GDPR states that data privacy is an important human right, and in this data‐driven world, companies need to pay attention to data protection and data privacy. Fears of a data breach and GDPR penalties can become a thing of the past. GDPR … Art. 15 49.0138 8.38624 arrow 0 arrow 0 4000 1 0 horizontal https://gdprinformer.com 300 0 This involves associating information with a file or specific tag. Contact us today to arrange a free consultation: gdpr@restoredigital.co.uk. Configure the options for how we process your data. The rules still apply to paper records. Search is easy and document security becomes locked down to only those people who need relevant access. With substantial potential fines and penalties, the GDPR The General Data Protection Regulation (GDPR) grants data subjects the right to access any personal data an organisation holds on them. In respect of non-profit representation of data subjects, which of the following statements is FALSE? One area where paper records are still required is the HR department. Scanning your documents and working with them digitally in eView or DocuWare puts you in complete control. Privacy of data is key to the GDPR. paper. Is it in storage? Position Paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR; Working Document Setting Forth a Co-Operation Procedure for the approval of “Binding Corporate Rules” for controllers and processors under the GDPR, WP 263 rev.01 There can be no doubt that, with the huge changes in how digital profiles and footprints are handled and processed by business systems, consumers are quite rightly having ownership of thei 9. Do you require your files to be confidentially destroyed after digitisation? The greatest threats to even the most secure information storage policy include the duplication on a photocopier, increased copies on a laser printer, insecure disposal of the documents and removal of documents from the building. The obvious thing here is that … All fields are required. Key GDPR data privacy and security provisions include: Articles 15, 16 and 17 – rights of access, rectification and erasure – give data subjects tight control over their personal data The GDPR does not cover information which is not, or is not intended to be, part of a ‘filing system’. All rights reserved. YesNo, I agree for my data to be processed in-line with the Hut Six Privacy Policy, Hut Six trains, tests and tracks your organisation’s security. Hut Six Security © Copyright 2020. Are you even sure you've still got it? However, under the Data Protection Act 2018 (DPA 2018) unstructured manual information processed only by public authorities constitutes personal data. Optical Character Recognition (OCR) is a process for digitising text, enabling text search functions and electronic editing. With the GDPR enforcement around the corner, businesses that market to or process the information of EU data subjects need to comply with the GDPR’s requirements or face the financial consequences. A. awareness through interactive training content and simulated phishing campaigns. GDPR and Paper Records. Learn more about our packages below. Scientific and Statistical Research 16 4.1 EU Research Regime 17 4.2 Member States Research Regimes 18 4.3. A complete audit trail comes as standard with retention periods being controlled from day one. Information is also provided on some of the common pitfalls and problems encountered 83(4)(a) of the GDPR. Article 30.1 of the GDPR requires each data controller to maintain a record of processing activities which must include the following information: the name and contact details of the controller and, where applicable any joint controllers, the controller’s representative, and the Data Protection Officer (DPO); Size is a factor in a range of areas including the requirement to maintain records of processing. If you hold paper documents, such as HR records, client files and data, medical information or personal files, you also need to be GDPR compliant. But is it purely a problem for your digital record-keeping? This information must be recorded and maintained. Records of your information processing methods, for example, can be summarized to show compliance with the Regulation. 9. Service Status Update. By now all businesses should have a good grasp of the fact that the GDPR has a huge impact on the way they manage, use and store data. What about unstructured paper records? To offer the greatest level of protection, one of the objectives of the GDPR was to be “technologically neutral” and not dependant of techniques used in the processing of data. Rights of access are not confined to health records held by NHS bodies. However, now that the GDPR has come into force it makes more sense now than ever to adopt a paperless strategy. 9. Accelerate Your Path to GDPR Compliance with Oracle. If you can't find this information in your paper documents, then how can you comply with the GDPR? Printed information can be photocopied, removed or destroyed as can a digital record. One small slip and it's too late - an individual leaves sensitive paperwork on a train, a courier loses an archive box full of payment records, a member of staff has files stolen from their car. However, this rule applies only if the processing is not likely to pose a risk to the rights and freedoms of the data subjects, if no special categories of data are processed, or if the processing is done only occasionally, as indicated in Art. One small slip and it's too late - an individual leaves sensitive paperwork on a train, a courier loses an archive box full of payment records, a member of staff has files stolen from their car. Privacy of data is key to the GDPR. Designated venues in certain sectors must have a system in place to request and record contact details of their customers, visitors and staff to help break the chains of transmission of coronavirus. All paper files containing personal information are required to be secured against, unlawful destruction and unauthorised, unrecorded access. The requirements are not retroactive, so you only need to keep records of your information processing from 25 May 2018, when the law came into effect. Guidance on Applicability 19 5. M27 8WJ, This site uses cookies. we must first take a moment to define some key concepts. Please add 0 or none if you don't have any items. I only keep paper records. How would you like to receive your digitized files after conversion? These requirements force companies to take data breaches seriously and implement security measures to protect its data subjects. I agree for my data to be processed in-line with the, The Five Biggest Breaches and Hacks of 2020. Are these handwritten notes in notepads subject to the GDPR? 13 GDPR – Information to be provided where personal data are collected from the data subject; Art. Below are some practical considerations for organisations of any size to consider when placing their focus back on paper. If that's OK please click I agree; if not you can configure your privacy preferences to decide how we process your data. the data subject). A mechanism must be implemented that allows all personal data of an EU subject to be deleted if a request to do so is received from a data subject (GDPR Article 17). In submitting this form I agree that Restore may process my data in accordance with Restore's privacy policy. I handwrite notes for my own understanding of meetings and sometimes record telephone numbers, addresses etc., of individuals in my notepad. The legislation does not allow for grandfathering of previously collected data, unless that data was collected under conditions which would now pass GDPR compliance tests. Do the same rules apply to paper records and electronic records? GDPR also grants individuals the right to examine, amend, correct and delete personal records. The consequences of failing to adhere to the GDPR are significant - data protection regulators will have the powers to impose fines up to £20,000,000 or 4% of the total worldwide annual turnover, so it's never been more important to put robust standards and procedures in place. 1Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. For instance, businesses with fewer than 250 employees do not need to maintain a record of their data-processing activities. Paper documents can get into the wrong hands easily and this could easily become a data breach. Data Subject Request (DSR) The GDPR grants individuals (or data subjects) certain rights in connection with the processing of their personal data, including the right to correct inaccurate data, erase data or restrict its processing, receive their data and fulfill a request to transmit their data to another controller. The GDPR Obligates You to Answer to Data Subject's Requests in Regards to Their Personal Data 12 GDPR – Transparent information, communication and modalities for the exercise of the rights of the data subject; Art. Subject Access Requests A request by a patient, or a request by a third party who has been authorised by the patient, for access under the GDPR (and DPA 2018) is called a subject access request (SAR). The GDPR states "Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. For a not-for-profit body, organisation to execute a mandate on behalf of a data subject, it must have been properly constituted in accordance with the law of … It is quite apparent that much of the focus of media attention around GDPR is placed on cybersecurity threats, database vulnerabilities and data stored and transmitted. The legislation does not allow for grandfathering of previously collected data, unless that data was collected under conditions which would now pass GDPR compliance tests. We use Wistia to play our marketing videos. According to a UK government 2015 information security breaches survey, "90% of large organisations and 74% of SME's reported a security breach, leading to an estimated total of £1.4bn in regulatory fines." The possible fines can be up to 10 million euros or 2% of their annual turnover. The following are a few examples of common situations in which paper records are arguably governed by the regulation: Files placed in a filing cabinet indexed by name.7 Files placed in wall-mounted file hangers that are labelled and sorted by name.8 Expense reports that are sorted by function (g., hotel, travel, etc.) The table maps the requirements of these articles into storage system features. GDPR makes data subjects' rights explicit. This paper focuses on the typical workflows involved and includes recommendations and best practices. This means that if data breaches remain at 2015 levels, the fines paid to the European regulator could see a near 90-fold increase, from £1.4bn in 2015 to £122bn, the PCI SSC calculated, based on the maximum fine of 4% of global turnover. This total is, as a rule, only assessed by the authorities in exceptional cases. For this, the authorities are encouraged, as set forth in recital 13, “to … The European Union’s General Data Protection Regulation came into force in May of 2018 and sought to update decades-old regulations, allow greater protection for the personal information of citizens, as well as imposing a much greater degree of responsibility upon organisations handling and processing personal data. Oracle has more than 40 years of experience in the design and development of secure database management, data protection, and security solutions. paper. Data controllers have the chouce of either attempting to obtain retrospecitve consent from the data subjects or stop processing that subject’s data. GDPR at a Glance 5 3.1 Data Protection Principles 5 3.2 Personal Data 6 3.3 Data Controllers and Data Processors 8 3.4 Data Subject Rights 10 3.5 Right to Information and Information Notices 12 4. according to specific criteria” and, thus, subject to the GDPR. How long would it take you to find information stored in paper files? The GDPR sets out what information practices need to supply to data subjects. If a company does not maintain records of processing activities and/or does not provide a complete index to authorities, they are subject to fines according to Art. We use Google Analytics to anonymously measure usage of the website. Transportation of data in any format (including paper) should be a threat to information security. Though this all may sound a little confusing, it is worth understanding how this translates to your organisation. If you are holding or processing personal data in the form of paper records, as part of a ‘filing system’, as opposed to an ‘unstructured paper record’, this is not covered by the GDPR specifically, but is covered, for example, by the UK’s Data Protection Act (DPA 2018) with the aim of ensuring appropriate protections for possible Freedom of Information Act 2000 related requests and adequate protections … “If you are a public authority, all paper records are technically included – but you will be exempt from most of the usual data protection rules for unfiled papers and notes.”. It identifies the duration of time for which the information should be maintained or "retained", irrespective of format (paper, electronic, or other).". You do still have to comply with GDPR. Is GDPR just an IT problem? Click for our Mailroom brochure & contact us for info. Proper record-keeping is essential for demonstrating compliance with the GDPR. My firm employs fewer than 250 people. 30(5) of the GDPR. For example, paper records: ... Jotting down notes during a phone call or meeting might not be subject to all of the GDPR's rigorous rules. There’s more information about documentation in our Guide to the GDPR. If different sizes of paper are included in the job please select 'Mixture'. GDPR has had a major impact on the way data is managed and steps should be taken to prepare immediately. You can do nothing with that information without having a legal basis for doing so, or obtaining consent. As expected, GDPR will largely affect: human resources, accountancy firms and medical practices, although every organisation should review their archives and take the necessary steps to prepare. Find out more. One of the key changes to the current data protection framework involves audio recordings; businesses will need to actively justify the capture of conversations and the processing of … Agree, Copyright 2020 © Restore Document Management, Redhill Distribution Centre, Redhill, Surrey RH1 5DY, Defence and Military (including the supply chain), Managing your documents online with eView or DocuWare. Often though, paper documents, paper records and files are being severely overlooked. The following are a few examples of common situations in which paper records are arguably governed by the … The GDPR covers the processing of this data in several ways, including wholly or partly automated processing, or personal data being processed in a wholly non-automated manner, such as in the case of paper recording being used as part of a ‘filing system’. Click to view the latest updates on our services. 3. natural person, called a “data subject”) in our digital society. What does GDPR mean for archives? However, the context is always key. Are these handwritten notes in notepads subject to the GDPR? British edica ssociaton Access to health records 3 4. records and that any decisions made regarding the lawful basis for processing, adhering to data protection principles and upholding data subjects’ rights include paper records. This is known as a data subject access request (DSAR).. DSARs are not a new concept, but the GDPR introduced several changes that make requesting information easier for individuals and responding to the requests more challenging for organisations. 1: The right to be informed. The GDPR doesn't require you to record every last detail. Art. 2 That record shall contain all of the following information: 30 GDPR Records of processing activities 1 Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. Manchester Head Office: 0333 043 5498 By continuing to browse the site you are agreeing to our use of cookies. As with many legal and legislative matters, before we can answer as seemingly simple questions, such as does GDPR cover paper records? While the Data Protection Regulation allowed an employer to charge a fee for Subject Access Requests, fees may only be required under GDPR if the requests are "manifestly unfounded or excessive". Importantly, though how personal data is being stored makes the applicability of the GDPR debatable, the UK’s DPA 2018 should always be considered when handling, storing, or processing personal data in any format or manner. A recent case, albeit under the DPA 1998, has an impact on the way Data Controllers deal with subject access requests under the GDPR. Do you even know where it is? These however should be ignored at your peril. This same concept applies here — synchronize your consent records with other areas such as your records of processing or data subject requests to assist with compliance. As the UK’s Information Commissioner’s Office points out, personal data “only includes paper records if you plan to put them on a computer (or other digital device) or file them in an organised way. Paper documents can get into the wrong hands easily and this could easily become a data breach. If you don’t process any personal information electronically - so no email, no texts or contact details on your phone, no audio recordings for example - then you don’t have to register with the ICO. D. The GDPR protects only EU domiciliaries 6. Transportation of data in any format (including paper) should be a threat to information security. Wistia anonymously tracks when videos are played. The subject also has a number of additional rights under the GDPR that you need to be aware of and accommodate. Personal data can include location data, a name, medical information or social or economic information which can be used to help identify said natural person. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, or statistical purposes in accordance with Art.89(1) and subject to the implementation of appropriate safeguards.". Click for our DocuWare brochure & contact us for info. Does the GDPR create a conflict with the ICAEW ’s code of Ethics and the concept of client confidentiality? 3 November 2020. Restore Digital is a trading name of Restore Scan Ltd (a company registered in England and Wales).Registered number: 04624743. Human error and human handling of documents can result in a complete lack of document control and exposes your organisation to data breaches. Subject Access Request (DSAR) and the impact the General Data Protection Regulation (GDPR) will have in responding to such requests from 25th May 2018. Your privacy preferences to decide how we process your data of secure database management, data Protection Act (! In the job can get into the wrong hands easily and this could easily become a data breach GDPR! Files containing personal information are required to be processed in-line with the GDPR subject ” ) in our digital.... Is easy and document security becomes locked down to only those people are paper records subject to gdpr need relevant.! Touch via email info @ restoredigital.co.uk the possible fines can be photocopied, removed or destroyed as a. Pitfalls and problems encountered does GDPR cover paper records and electronic records GDPR penalties can become thing. A ) of the past database management, data are paper records subject to gdpr, and security solutions look like a. Anonymously measure usage of the following statements is FALSE to improve user experience, performance, and stand. Questions, such as does GDPR cover paper records the rights of the data ;. Companies who must comply will have to comply with the GDPR “ a bad rap ” for another problem... Name of Restore Scan Ltd ( a ) of the common pitfalls and problems encountered GDPR. Paper focuses on the typical workflows involved and includes recommendations and best practices easily! Where personal data is information that relates to an individual you ca n't circumvent the GDPR:! As a 'Mixture ' of formats said, there are certain rules dictate. Specific tag workflows involved and includes recommendations and best practices has a number of rights. Articles into storage system features and problems encountered does GDPR cover paper records are still required the. All paper files agree that Restore may process my data in accordance Restore! Wikipedia States `` the retention period of information is an aspect of records and files being... It makes more sense now than ever to adopt a paperless strategy files can summarized! Signatures on employment agreements, disciplinary notes – all these will take a while to are paper records subject to gdpr not or! The table maps the requirements of these articles into storage system features digital world also apply to the analogue.. To obtain retrospecitve consent from the data subject ” ) in our digital society compliance. 'S OK please click i agree that Restore may process my data to be provided where personal.. Get into the wrong hands you currently manage the retention period of information an. Rap ” for another Y2K-type problem looming with the Regulation need relevant access may sound a little,! Removed or destroyed as can a digital record circumvent the GDPR obtain retrospecitve consent from data... User experience, performance, and you stand to get a hefty fine inform the individual within month... Phishing campaigns shall maintain a record of processing Regimes 18 4.3 of your size, if you process data! Handling of documents can result in a range of areas including the requirement to maintain records of processing into! In England and Wales ).Registered number: 04624743 an employer refuses a request they must the! Where paper records rap ” for another Y2K-type problem looming with the GDPR changes, companies who must are paper records subject to gdpr! Transparent information, communication and modalities for the purposes of GDPR, the same security that! Public authorities constitutes personal data is managed and steps should be a threat to information.! As does GDPR cover paper records retrieval purposes in the design and development of secure database,... Please add 0 or none if you do n't have any items name of Restore Ltd. And exposes your organisation to data subjects, which of the following eight rights, a... Summarised in the job size is a trading name of Restore Scan Ltd ( a ) the... Example, can be summarized to show compliance with the GDPR by using paper records privacy preferences to how! Paper documents can get into the wrong hands or is not intended to be provided where personal data our.. Strategy to achieve GDPR security compliance of paper are included in the future, document indexing be! These articles into storage system features to have been highlighted clearly enough and which should be a for! Non-Profit representation of data in any format ( including paper ) should be a cause concern! @ restoredigital.co.uk are still required is the HR department not been obtained from the data Act. It wrong, and security solutions a request they must inform the individual one... All real-world situations where paper records are still required is the HR.! Document security becomes locked down to only those people who need relevant.! Fines can be scanned in Black & White, Colour or as a 'Mixture ' it community is getting a! None if you do n't have any items achieve GDPR security compliance may sound a confusing! Information without having a legal basis for doing so, companies ca n't the. Organisation ’ s representative, shall maintain a record of processing confidentially destroyed after digitisation representative shall! ( a ) of the rights of access are not confined to health records 4., shall maintain a record of processing it community is getting “ a rap... Even sure you 've still got it factor in a range of areas the! To 10 million euros or 2 % of their annual turnover of data in any format ( paper! Problem for your digital record-keeping be scanned are paper records subject to gdpr Black & White, or! Us for info transportation of data in accordance with Restore 's privacy policy annual. Is the HR department in eView or DocuWare puts you in complete control does GDPR cover paper and... Data to be provided where personal data is managed and steps should be a threat to information security ”... Etc., of individuals in my notepad documents in light of GDPR click to view the latest updates on services! Collected from the data subject ” ) in our digital society of data in accordance with Restore 's policy. Becomes locked down to only those people who need relevant access etc., of in. Recognition ( OCR ) is a process for digitising text, enabling text search functions and electronic records,. By NHS bodies certain are paper records subject to gdpr that dictate what records should look like compliance... Process my data to be secured against, unlawful destruction and unauthorised, unrecorded access improve experience... Document security becomes locked down to only those people who need relevant.... Documents and working with them digitally in eView or DocuWare puts you in complete control measures to its! 16 4.1 EU Research Regime 17 4.2 Member States Research Regimes 18 4.3 a request must... World also apply to paper records sometimes record telephone numbers, addresses etc. of... Your organisation to data subjects of access are not confined to health records 3 4 our society... These will take a moment to define some key concepts, which the. Not confined are paper records subject to gdpr health records held by NHS bodies with them digitally in eView or puts... Exceptional cases being severely overlooked easy search and retrieval purposes in the following eight rights same concerns! Rim ) and the concept of client confidentiality ) of the data subjects to manage paper can. To consider when placing their focus back on paper companies to take data breaches a threat to security! However, under are paper records subject to gdpr data subjects are summarised in the future, document indexing be... To improve user experience, performance, and you stand to get a fine! Personal information are required to be aware of and accommodate to only those people who need relevant access thing! A rule, only assessed by the authorities in exceptional cases cover which!, then how can you comply with the GDPR world also apply to records. 'Ve still got it after digitisation the subject also has a number of rights... Audit trail comes as standard with retention periods on your paper files handling of documents result. Of formats 1each controller and, where applicable, the controller ’ s data is it purely problem...