GDPR & Posting
Interested in what other firms are doing when it comes to posting documents to clients that contain 'personal data' to meet GDPR rules e.g. suitability reports, application forms etc. Will you be using:
1. Normal postal services e.g. 1st/2nd class
2. Royal Mail Recorded Delivery
3. Royal Mail Special Delivery
Jonny (paraflex)
Comments
Gone will be the days of partially completing an application for a client!
Sending something by post can be "assumed" secure as it is illegal to open post not addressed to you without legitimate reason.
@benjaminfabi I'm not sure it does as I also can't find anything specific from ICO referencing sending personal data via post as @arongunningham also observes. However, the compliance feedback we're getting seems to be pointing in the direction of sending everything via special delivery.
Interesting point @Jona re assumed secure stance. Anything you can point me in the direction of to back that up?
Does anyone have any information from a reputable source confirming one way or the other?
Don't have any sources. But our GDPR training was tongue-in-cheek suggesting that we're taking a turn back to using the postal system (assuming, therefore, it's null and void of the new regulation)?
I've had a think about this and I'm not going to change our postage - same as it was. The reason it's raised its head is that we have to report the breach to the ICO in the event of this happening. I'm going to go with us being as sure as we can be with ensuring that the address is correct, and if we report it, then we've done everything we can.
@parawhat
Perhaps you could suggest that your compliance team take a pay cut equal to the cost increases that result from special delivery on everything?
I agree with Jona.
https://www.legislation.gov.uk/ukpga/2000/26/part/V/crossheading/offences-of-interfering-with-the-mail
The easy solution to this is to have an explicit opt in to standard 1st/2nd class post as a communication method on your client agreement.
@benjaminfabi Haha!
Thinking this through. If something went missing in the post, say a suitability report and application pack that contained multiple instances of 'personal data' (some potentially sensitive), would that be reportable as a breach under GDPR rules? It seems open to interpretation whether this needs to be reported as ICO say:
"What breaches do we need to notify the ICO about?
When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it."
Would having sent something by recorded/special delivery result in less scrutiny and/or a lesser fine (if it ever came to that) from the ICO because we had obviously done all we could to send the data securely?
On a slight tangent - how about emailing providers a client's LOA - should that be secure now?
This is about the only reference I can find from the ICO regarding sending personal data by post. It's a little old (2014), but it is basically saying postal services aren't data processors and therefore the data controller (i.e. the IFA firm) would be responsible for any loss of that post. See para 35 & 38:
"...transfer personal data is the party responsible for the data. If a delivery service loses a parcel containing highly sensitive personal data, it is the data controller that sent the data that will be responsible for the loss. It was the data controller that chose to use the delivery service. If it was vital that the personal data was delivered securely, the data controller should have used secure delivery rather than an ordinary postal service."
https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf
Assuming the above is still the case post GDPR, the question then becomes what are the risks (monetary, regulatory, reputational etc) if a piece of post goes missing resulting in a breach. Would the ICO take a harsher view if normal post was used rather than recorded/special delivery?
I suppose another question is how secure is recorded/special vs standard post and what % of each goes missing.
Maybe we just need to add a "data security" filter to our research to only consider firms / products who accept digital signatures / online processing - then the post issue goes away....?