We've recently had more than one breach reported where physical files have got lost in the post.
In such cases the sender remains the data controller and is responsible for ensuring that appropriate data security measures are in place during the transfer. Where possible, consider whether a physical drop-off (obtaining a receipt on handover) is the more secure option.
We are recommending the following robust procedure for physical file transfers using mail delivery services:
- Assemble all data for transfer securely (especially if it involves child-protection files)
- Make a copy of the data to be transferred (we recommend scanning it and storing the scan securely)
- Double-bag the files to be transferred. This protects against damage and also against unauthorised opening. This means inserting the files in an inner envelope first
- Write the recipient's name and address on the inner envelope. Do not use a label that may come off
- Make sure that you include your sender name and address
- Mark clearly if the content is for the DSL's eyes only
- Close and secure this package
- Place this envelope in another envelope
- Write the recipient's name and address on the outer envelope. Do not use a label that may come off. (Although Royal Mail technically does not require an address on Special Delivery packages, since it prints its own label, write it on anyway to ensure the package reaches the correct location and recipient at the destination)
- Make sure that you include your sender name and address
- Mark clearly if the content is for the DSL's eyes only
- Close and secure this package
- Send the file by secure courier or Royal Mail Special Delivery. Special Delivery is the most secure form of transit if using Royal Mail. Recorded Delivery is not secure, nor is it tracked throughout its journey.
- Confirm receipt with the recipient
- Once the recipient has confirmed delivery, destroy any copies you made that you no longer require.
If for any reason the data goes missing in transit, please note that this is a breach that must be logged by the sender. Royal Mail is not a typical data processor, despite handling the data, because it should never see the content of the items in its possession. Rather, it is a data controller in its own right, as it decides how the data it does process is used, but that data is limited to the sender and recipient names and addresses used to transfer the mail. It is also a data controller for the data relating to its own staff, such as employment details.
This is the relevant section from the ICO guidance on data controllers and processors:
Mail delivery services
33. A courier service is contracted by a local hospital to deliver envelopes containing patients’ medical records to other health service institutions. The courier service is in physical possession of the mail but may not open it to access any personal data or other content.
34. A mail delivery service will not generally process personal data, even if it does physically hold the personal data contained in a letter sent using its services. Processing personal data, including holding it, implies a degree of access to or ability to control or use the data itself, not just physical possession of the letters or parcels that contain the data. The term ‘holding’, as used in the definition of ‘processing’, implies considerably more than simply being in possession of a physical object that contains personal data.
35. This means that the mail delivery service is neither a data controller nor a data processor for the clients that use its services because:
- it is a mere conduit between the sender of the mail and its recipient;
- it does not exercise any control over the purpose for which the personal data in the items of mail entrusted to it is used; and
- it has no control over the content of the personal data entrusted to it.
36. This makes sense in practice because it would be unreasonable to expect a mail delivery service that has no control over the content of the mail items it delivers to comply with the data protection principles. For example, it would not be able to ensure that personal data in its possession is accurate, up to date or held only for so long as is necessary. It cannot have data protection responsibility for personal data contained in an item of mail. It is merely responsible for the security of the letter or parcel in a physical sense.
37. The fact that the delivery service does not act as a controller for the mail it has been asked to deliver - even if the content is personal data - means that the ICO cannot take any action against the delivery service. Also, the fact that the delivery service is not a data processor means there is no need for clients using its services to put a data controller - data processor contract in place.
38. The data controller that chooses to use a delivery service to transfer personal data is the party responsible for the data. If a delivery service loses a parcel containing highly sensitive personal data, it is the data controller that sent the data that will be responsible for the loss. It was the data controller that chose to use the delivery service. If it was vital that the personal data was delivered securely, the data controller should have used secure delivery rather than an ordinary postal service.
39. However, the delivery service will be a data controller in its own right in respect of any data it holds to arrange delivery or tracking for example, such as individual senders’ and recipients’ names and addresses and in respect of its own staff records and so forth.