Data protection regulation does not just apply to electronically processes personal data, but is applies in certain circumstances to paper based, manual, filing systems – previously know as “relevant filing systems” under the Data Protection Act 1998.

The Data protection Act 2018, which is reflective of Article 4(6) of the GDPR, defines a filing system as:

any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis.

Section 3 (7) Data Protection Act 2018

The meaning of what “structured” data has evolved with time. Under the Data Protection Act 1998 it was generally considered that the main characteristics of a “relevant filing system” were that it was structured according to individuals and/or the ready accessibility of specific information, and was interpreted relatively restrictively – this general understanding has been refined and expanded.

In July 2018 the Grand Chamber of the Court of Justice of the European Union (CJEU) ruled on the meaning of a “filing systems” under Directive 95/46 (which was enacted in the UK as the 1998 Data Protection Act, namely the pre-GDPR rules). The case related to the collection of documentary data by Jehovah Witnesses. The Court found as follows:

57 As is clear from recitals 15 and 27 of Directive 95/46, the content of a filing system must be structured in order to allow easy access to personal data. Furthermore, although Article 2(c) of that directive does not set out the criteria according to which that filing system must be structured, it is clear from those recitals that those criteria must be ‘relat[ed] to individuals’. Therefore, it appears that the requirement that the set of personal data must be ‘structured according to specific criteria’ is simply intended to enable personal data to be easily retrieved.

…

62 …the answer … is that Article 2(c) of Directive 95/46 must be interpreted as meaning that the concept of a ‘filing system’, referred to by that provision, covers a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods.

Tietosuojavaltuutettu (Case C-25/17)

Structured Data

The decision in Tietosuojavaltuutettu was affirmed in the case of Dawson-Damer v Taylor Wessing [2019] EWHC 1258 (Ch), ( in relation to the 1998 Data Protection Act) where the High Court stated the following:

I reject the submission …. that as a result of re Tietosuojavaltuutettu , the sole criterion is whether the personal data relating to a particular person can be “easily retrieved”. That issue is not to be examined in isolation. I accept the submission … that if one looks at [57] and [62] of re Tietosuojavaltuutettu, there are three separate and cumulative elements required:
(i) The data must be structured by reference to specific criteria;
(ii) The criteria must be “related to individuals”;
(iii) The specific criteria must enable the data to be easily retrieved.

Damer v Taylor Wessing [2019] EWHC 1258 (Ch)

Chronological Filing System

The Court fund that the previous ruling in the case of Durant had been too restrictive when it had required for a filing system to include a “structured referencing mechanism, containing a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file specific criteria or information about the applicant can be readily located.”

The Court decided that a files arranged in a chronological order, namely not expressly by individuals, could be consider a filing system. The Court found that sorting through a chronologically ordered systems did not place an undue burden on a data controller:

The files in question are arranged in chronological order. It will require someone to turn the pages of the file in order to locate the personal data….In my judgment that is not unduly onerous and enables any personal data relating to the Claimants to be easily retrieved.

Damer v Taylor Wessing [2019] EWHC 1258 (Ch)

The Court found that Durant had been decided before the right to the protection of personal data was enshrined as a fundamental EU right. The Court stated that since then, “the perspective is different. The focus is on the need for protection of the data subject, as opposed to the burden on the data controller.”