I’ve written a lot here about the use of outsourced providers when processing personal data electronically but it is important to remember that the Data Protection Acts apply equally to “manual data” – data about an identifiable person that exists in a hard copy form.
The “chain of tools” analogy applies here just as much as it does to the processing of personal data electronically. You need to be sure you have done due diligence and the ‘outsourcee’ (the service provider) needs to understand their obligations re: security and protection of personal data.
A common scenario where personal data is being processed in manual form is when a letter is being sent either by post or by courier.
A courier is a Data Processor within the meaning of the Data Protection Acts. Therefore, in addition to the duty of care they owe to ensure the security of packages entrusted to them, they also owe a duty of care to ensure that the personal data associated with those packages is not processed for any purpose other than ensuring the safe and timely delivery of the item.
Organisations (i.e. Data Controllers) using courier companies should ensure that they have a written contract with the courier that includes terms prohibiting any such secondary processing without their authority and, ideally, requiring the courier to track and confirm delivery. This is particularly important if the packages you are sending themselves contain personal data or sensitive personal data: as Data Controller you have to make sure you know where the data is.
Should a courier lose a package, particularly one containing personal data, then a breach of the Data Protection Acts has occurred, and the Data Controller is responsible unless it can demonstrate a chain of reasonable precautions regarding the security and control of the data.
Under the Code of Practice for Data Security Breaches, the Data Controller or the Courier might also have to alert the Data Protection Commissioner of the loss and, at a minimum, must keep a log of the reported loss and non-delivery of the items.
An Post (the Post Office)
The use of the Irish postal system is governed by statutory regulations which are overseen by ComReg. These regulations, in effect, form the basis of the contract between any user of the postal service and An Post. They set targets for timeliness of mail delivery (84% of mail within Ireland delivered within one day). In addition, the Postal and Telecommunications Services Act 1983 has explicit terms regarding (amongst other things):
- the opening of post,
- disclosing the existence of or contents of an item of post or
- using for any purpose information obtained from a postal packet
A number of exemptions exist which are very similar in wording and intent to the exemptions that exist in the Data Protection Acts re: lawful processing and lawful disclosure.
So the legislation and ancillary regulations amount to a contract in writing that gives assurances about standards of security and the like in relation to the postal system.
Of course, An Post is still a Data Processor. As such, if a letter or “postal packet” is lost in transit, both An Post and the Data Controller would have to notify the Data Protection Commissioner if large numbers of letters went astray, or if a single letter containing a lot of personal data about many people went astray.
This is why, if you are sending personal data (beyond just the name and address of the addressee) through the postal system, you should consider sending it by Registered Post or Recorded Delivery. After all, it is an asset with monetary value and you should treat it as such. It is also the only way you will be able to obtain an independent record of delivery.
Sending the letter in the first place…
Of course, the debate about whether a courier is preferable to the Post Office is moot if you have not obtained the names and addresses you intend to use fairly, or if using the data to communicate by post is not consistent with the stated purposes for which you originally obtained the information.
Using the postal system or Couriers to deliver letters or parcels on your behalf by necessity involves the engagement of a Data Processor. Organisations need to ensure that they are applying the same due diligence to their use of partners to process and deliver letters, particularly where those letters contain yet more personal data.
However, the Data Protection Acts 1988 and 2003 do not prevent organisations from actually communicating by post or courier, so long as they are processing the personal data in keeping with their specified purposes for gathering personal data in the first place.