13. Record Keeping & Archiving by Data Processors
Particular attention must be given to a formal Archive Retention Policy in respect of security management records maintained by security guarding service providers. This may be in the form of paper or electronic documents including the daily occurrence book (DOB) and dedicated records such as visitor logs, accident book, lost property register, key register etc.
An effective solution would be for the data controller to provide a secure cloud based electronic management information system covering these issues. The data processor should have password protected access as an administrator to maintain records and the data controller should have a password allowing ‘read only’ access. The records should auto delete upon expiry of a justifiable archive period unless flagged to be kept for a longer period, e.g. if there is an ongoing legal case or police investigation which justifies the materials being kept beyond 6 years.
It is important that both parties continue to have access to the records in the event that the contract with the data processor is terminated. Upon termination the data processor’s access rights should become ‘read only’ unless the data processor has another lawful ground for processing the personal data.
Under data protection legislation both parties have responsibility for the ‘custody’ of the documents containing personal data.
The data controller needs to ensure that the data processor adequately protects the records. The data controller typically satisfies this duty by ensuring the commercial contract between it and the data processor obliges the data processor to store the data in accordance with data protection legislation – (subject to any additional practical requirements).
The data processor has an independent obligation to process (including to store/archive) the documents in accordance with data protection legislation. The data processor also has a contractual obligation to comply with the data controller’s instructions under the contract between it and the data controller.
The data controller must have unrestricted access to the records subject to (if necessary) the data processor first checking the identity of the individual making the request on behalf of the data controller. In the case of electronic record keeping this would be achieved by password authentication.