What is a ‘filing system’ under EU data protection law?
The scope of EU data protection law expands beyond information in electronic form to cover non-automated processing of personal data which forms part of, or is intended to form part of, a ‘filing system’.
Article 2 (1) of GDPR states:
“This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”
By expanding beyond data in electronic form, GDPR prevents situations where data protection law could be by-passed by keeping information in paper form during a particular stage of processing. For example, the rules that apply to cross-border data transfers cannot be by-passed by exporting information in paper form as part of a filing system which then can be transferred into electronic form once outside the borders of the European Union.
Under GDPR, a filing system is “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis” (GDPR Article 4.6). This provision broadly defines the concept of filing system, in particular by referring to ‘any’ structured set of personal data. The content of a filing system must be structured in order to allow easy access to personal data. Although GDPR does not set out the criteria according to which that filing system must be structured, it is clear from the recitals that those criteria must be ‘relat[ed] to individuals’.
Un-structured paper records are outside of the scope of EU data protection law but the line between structured and unstructured filing systems in practice can be blurry.
The seminal CJEU case on what constitutes a filing system is Jehovan Todistajat v. Tietosuojavaltuutettu (Jehovan). This case was decided before GDPR went into effect but its findings equally apply today. The question at issue in the case was whether concept of a ‘filing system’ covered a set of personal data collected in the course of door-to-door preaching, consisting of names and addresses as well as other information concerning persons contacted, if those data may, in practice, be easily retrieved for later use, or whether, in order to be covered by that definition, that set of data must include data sheets, specific lists or other search methods.
Under Jehovan, “the requirement that the set of personal data must be ‘structured according to specific criteria’ is simply intended to enable personal data to be easily retrieved.” Apart from that requirement, the law does not “lay down the practical means by which a filing system is be structured or the form in which it is to be presented. In particular, it does not follow from that provision, or from any other provision of that directive, that the personal data at issue must be contained in data sheets or specific lists or in another search method, in order to establish the existence of a filing system within the meaning of that directive.”
“In the present case, it is clear from the findings of the referring court that the data collected in the course of the door-to-door preaching at issue in the main proceedings are collected as a memory aid, on the basis of an allocation by geographical sector, in order to facilitate the organisation of subsequent visits to persons who have already been contacted. They include not only information relating to the content of conversations concerning the beliefs of the person contacted, but also his name and address. Furthermore, those data, or at least a part of them, are used to draw up lists kept by the congregations of the Jehovah’s Witnesses Community of persons who no longer wish to receive visits by members who engage in the preaching of that community.
Thus, it appears that the personal data collected in the course of the door-to-door preaching at issue in the main proceedings are structured according to criteria chosen in accordance with the objective pursued by that collection, which is to prepare for subsequent visits and to keep lists of persons who no longer wish to be contacted. Thus, as it is apparent from the order for reference, those criteria, among which are the name and address of persons contacted, their beliefs or their wish not to receive further visits, are chosen so that they enable data relating to specific persons to be easily retrieved.
In that connection, the specific criterion and the specific form in which the set of personal data collected by each of the members who engage in preaching is actually structured is irrelevant, so long as that set of data makes it possible for the data relating to a specific person who has been contacted to be easily retrieved, which is however for the referring court to ascertain in the light of all the circumstances of the case in the main proceedings.”
Jehovan, paragraphs 59, 60, and 61.
Therefore, the concept of a ‘filing system’, covers data structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. It is not necessary that they include data sheets, specific lists or other search methods.
The ICO has provided some guidance on how to do the analysis (summarized in the graphic below) and has suggested that applying the “temp test” could be helpful.
Under the “temp test”, if a temporary administrative assistant (a ‘temp’) could extract specific information about an individual from manual records without any particular knowledge of the type of work or documents you held, such system would be considered a ‘filing system’.
The ‘temp test’ assumes that a temp is reasonably competent and only requires a short introduction, explanation and/or operating manual on the particular filing system in question before using it
“Temp test” example:
John Smith is your employee. He requests details of leave he took in the last six months. You have a collection of personnel files; these files each hold a single category of information:
(a) If there is a file named “Employees’ Leave” with alphabetical dividers by last name, a temp would have no difficulty in finding the leave record of John Smith behind the “S” divider. This file forms part of a relevant filing system.
(b) If there is a file named “John Smith” with all personnel records for John Smith, a temp would have no difficulty in finding the leave record of John Smith in this file. This is a relevant filing system.
(c) There is a file named “John Smith” in a set of files that contain the leave record of all employees. Details of leave are recorded on standard forms filed in chronological order within the separate files for each employee. A temp would have no difficulty in finding John Smith’s leave record. This is a relevant filing system.
Alternatively you may only maintain one set of manual files for each employee with multiple categories of information, held in alphabetical order using individuals’ names as the file title. If all the information you hold about an individual is simply added to the file in chronological order (whether it relates to his employment record, complaints raised by him, his records as client of your organization, letters received from him, etc.), the set will not be a relevant filing system. A temp would need to plow through all the different categories of information on John Smith’s file to find the specific information needed.