Personal Planning Systems and GDPR – Are You Getting It Right? Probably Not.
Published on February 11, 2022
David Palmer CIPI FCILEx
Looking to Teach Time Management to Law Enforcement Professionals. Author ‘Police Time Management’, ‘The Three Resolutions’ and ‘The Way – Integrity On Purpose’.
Please note that while the following has been drafted following consultation with the Information Commissioners Office, it is to be taken as the opinion of the author alone.
I recently (accidentally) started a debate on a LinkedIn group. It started out as a request for input on why some people sent themselves e-mails which automatically appeared on their OneNote/Evernote/”Other ‘Notes’ are available” lists. I couldn’t understand why, given the portability-across-devices technology that exists, they didn’t just write a note directly onto the list. The debate went on for a while.
Anyway, I was walking my dog one morning, mulling the aforementioned debate, and about one chap who’d mentioned he kept two retrieval systems – one at work, one at home – and he’d frequently send himself e-mails from one context to the other, which is why he did the double-noting.
And then it occurred to me that the General Data Protection Regulation (GDPR) might influence what we are, what we could be, what we can’t be and what we should be, doing – or at least considering – in all of this. Turned out to be an interesting question.
When David Allen wrote ‘Getting Things Done’, and when Stephen R. Covey, A. Roger Merrill and Barbara Merrill wrote ‘First Things First’, things were different. Hardly anyone had a home PC. Mobile telephony consisted of call, texts and that snake game. Data Protection (in Europe) existed but didn’t apply to paper. And regardless of the legal requirements, 99% of the World wouldn’t have understood the applicable data rules in any case.
This situation had two effects. Firstly, no one thought that keeping work stuff and personal stuff separate was necessary, so the aforementioned authors’ suggestion that you possess ONE system for everything in your life wasn’t a problem. But secondly and in contrast, there was a distinct divide between work and home, so if you worked regular hours and had a separate work diary, it wasn’t that much of an issue. Back in 1999/2000 you walked out of one world and entered the other as directed. The boundaries were clear, and so the distinct activities could safely go into one system or two systems (provided you carried them both).
But it’s 2022 now, and you are routinely available 24/7 to work or family regardless of where you actually are and what you are actually doing. So the argument now must be that the most effective self-planning method IS to have one planning system.
But along comes GDPR – never mentioned in time management/productivity tomes – and suddenly one system containing everything has the potential to become a legal problem. If I keep work-related personal data in a personal system, would I breach the law? And if I keep personal stuff on a work computer, would I be laying my employer open to a fine for inappropriate retention of data they should never hold, and which they didn’t even know they were holding?
(Experts on GDPR – I know there are exemptions and defences, but I’m being general, here.)
Before I continue, please note that GDPR only relates to personal data – basically, data from which an individual can be identified. Your own data? Well, you can consent to putting it wherever you like. Data that doesn’t or couldn’t identify someone also can be placed, stored and fiddled with anywhere. But if you put work-related appointments into your diary and name the person with whom you have that appointment (and personal onto work systems) – well, where do you stand?
I made an enquiry with the Information Commissioner’s Office to find out. I asked:
1. What, if any, are the rules/guidance regarding use of a personal system (predominantly paper but stretching to personal mobile devices) for work related planning?
2. I believe there was a time when paper-based systems were exempt from DP rules. I also believe that changed in/after 1998 but wonder if you could confirm the specifics applicable at this time.
Basically, I was concerned that (for example) putting an appointment in a personal planning system (digital or paper) with an ‘identified party’ might be a breach of GDPR. I wasn’t concerned about other documentation – that would already be covered by GDPR and could be added and removed from a paper system as required. (As opposed to me printing a file and keeping it for ever, for example. Not recommended or allowed.)
The ICO responded that “GDPR covers the processing (obtaining, holding, using or dissemination) of personal data in two ways:
· Personal data processed wholly or partly by automated means (that is in electronic form); and
· personal data processed in a non-automated manner, which forms part of or is intended to form part of a ‘filing system (that is, manual information in a filing system)’ (but see Public authorities, post)
My initial interpretation of this paragraph was that
· A digital planning system is always covered by GDPR. So using a personal digital system, e.g. a mobile device, for recording personal data that was obtained for work purposes may be inadvisable, even potentially in breach of DP laws – though not automatically. It depends on whether there are suitable controls – again, see post. If it’s a device provided by your workplace, it’s already covered by your employer’s GDPR responsibilities.
· But your personal paper planning system, as it is NOT intended to be part of a filing system, is arguably exempt from GDPR.
However, I still had one concern, so I called the local ICO office and queried whether a personal planning system of the FranklinCovey/Daytimer/Filofax et al type would be a filing system, since it is searchable by dates, indexes, etc. That resulted in an “I’ll need to do further research” and a further telephone conference.
The conversation was very interesting, helpful and informative. The following advice is the result of that call. It pertains, in the main, to a paper-planner user, but is equally applicable for all you young digi-lovers.
The ICO did suggest that if you used your personal planner (paper) for work planning, then it could come under the ‘filing system’ definition under very unspecific, case-by-case circumstances, and it will always come under GDPR if you work for a public authority, whether it’s organised or not.
They also stated that one test for establishing whether your paper personal planner should be GDPR compliant is called the Temp Test. The question is: If you disappeared, could a temporary employee easily find personal information in your planner without having to read it all the way through? They stated that a purely chronological diary would probably escape GDPR scrutiny because the information is only organised chronologically. Which meant that…
A planner of the FranklinCovey/Daytimer/Filofax etc type, with the facility to index conversations and effectively create a ‘master retrieval’ system (if you wanted it to) would need to be GDPR compliant if used for planning work, if that planning included the recording of personal data. If you had a training course and planned that, no problem. If you had a meeting with James Bland, tel 01234 56789 in his home at 123 High Street, Sleaford – then you are now recording personal data, for work, in a personal planner.
In essence their advice would be to treat any personal data as though it was covered. (This is the case when any planner is being used for work purposes, regardless of whether it’s covered. If its use is purely domestic, it won’t be in scope of DP laws.)
They also stated that “the UK GDPR does NOT necessarily prohibit using a personal planning system for this (work-related planning) but it is important there are controls and policies in place to govern this.” Those controls include having a policy in the workplace for using a personal planner for work purposes, so that the employee can use their personal planner in accordance with that policy.
(This creates a personal privacy, ‘who owns the planner?’ question that is too big for this article.)
Finally, the Information Commissioner’s Office felt that there was also a common-sense approach to the situation, and following that discussion this is my advice. It is a practice I used when I was policing and using a personal paper planning system (and which therefore should have been subject to a data policy!).
1. Use a loose-leaf system into and from which relevant paper can be added and removed, so that once it is finished with it can be taken out and filed where it is legal and appropriate to file it. Don’t keep it in your personal system longer than needed. Your possession of it in your capacity as an employee is obviously permitted, but if it’s in your personal planner, remove it once it is no longer necessary to hold onto it.
2. Refer to individuals by initials or, perhaps better but more fiddly, a code name. That way their data is technically either untraceable, or just plain impossible to compromise.
3. List appointments in pencil so you know they are coming, but erase them once they’ve taken place, after which what you did is entered into your ‘work’ system anyway. For example, I would make an appointment with a witness ‘FB’ at whatever address and telephone number, and enter it into my planner in pencil. Once I’d taken their statement, I’d erase that entry and the relevant paperwork would go into the GDPR-registered and compliant systems at work. The ICO considered this a sensible and, more importantly, practical approach. I would add that the temporary nature of such an entry is prima facie evidence it was never intended to be a permanent record for filing or retrieval.
4. Avoid detailing what the appointment is about. It really isn’t necessary to note that in a personal planner.
5. Don’t use your personal mobile phone for work planning if that planning includes retention of personal data, unless your employer authorises and is aware of the practice.
6. Paper or digital, make sure your employer knows you’re using your personal system in this fashion so that they can create a policy around it.
Of course, all of this means that you now have to return to the question of whether you need separate planning systems for work planning and for personal planning, but my reading of the rules, following consultation, seems to suggest you won’t need two systems if you go paper and follow the six suggestions, above. But if you work in a public capacity, your paper planning system is always covered by information rights laws.
Of course, someone else might take a different view – let’s hear it, but with authoritative references, please.
And I would also be very interested in hearing about your thoughts on what, if anything, this means for paper planning in the 21st century.
The ICO advice on ‘filing systems’ can be found at https://ico.org.uk/media/for-organisations/documents/1592/relevant_filing_systems_faq.pdf
Link to Article: Personal Planning Systems and GDPR – Are You Getting It Right? Probably Not. | LinkedIn
With thanks to David Palmer, the Author for consent to repost