Failing to have even a simple Document Scanning Policy in place leaves your business open to all sorts of problems. Without such a policy you could at best be leaving sensitive business information available for all to see and at worst could be breaching UK GDPR regulations.
What does a Document Scanning Policy cover?
If – like most of the businesses and non-profits we support – you need to scan paper documents in order to store them or send them on in digital form, then you really need to adopt a formal Document Scanning Policy (DSP) to which all users of your IT system adhere. The policy should cover the who, how and why of document scanning, and should also cover what happens to the digital files and the paper documents once they have been scanned. The details of a scanning policy will vary from business to business depending on the nature of your work, but whatever the policy says, you should at least have one, and it should be supported by the IT team.
What happens when you do not have a Document Scanning Policy?
If you need some convincing, here are three real world examples of what we’ve seen happen when customers have no Document Scanning Policy in place:
Example 1 – Badly configured scan folders leave sensitive documents accessible to anyone.
It is our experience that when small business customers have large multifunction printers delivered, they rely on the printer supplier rather than the IT provider to set up the scanning features. This usually results in one of two situations: either all scans are saved into the same network location (so anyone can access every scan easily), or each person has their own scans folder but those folders are not locked down with suitable permissions (so anyone with an enquiring mind can look in other users' scan folders). Either way, sensitive business documents become easily accessible to anyone who wants to see them.
Example 2 – Taking photographs of documents, rather than using a proper scanner, is an easy way to breach UK GDPR regulations.
Where customers do not publish a formal Document Scanning Policy, we often see users bypass the scanner altogether: they take a photograph of a document with their mobile phone and email it to themselves. Whatever the reason, it is a great recipe for a data breach, particularly if it is not a business phone. In this scenario the document is saved into the employee's personal photo library, then into the employee's personal email account, and from there it could be compromised (for example if their own accounts or devices are compromised) or viewed by any member of their household who has access to the phone. To avoid this problem, network scanners should be used wherever possible; if the use of a mobile phone camera is allowed at all, we recommend it is permitted only on business mobiles. See this article on why we do not recommend the use of personal mobiles for business.
Example 3 – Just like paper files, digital files need to be dealt with properly.
Assuming your scanning process is secure and users are consistently using the company-mandated scanner, they still need to think about what to do with all those files. Because these files may contain sensitive data, they must be managed appropriately. If, for example, all of the files are simply left in a folder with names like scan001.jpg, scan002.jpg and scan003.jpg, you have no way of knowing what is in them without opening each one individually. Like all documents, they should be managed properly: renamed to something sensible such as a project number, or moved into a folder pertaining to a specific customer. If you fail to manage this kind of data and then receive a subject access request, you will be unable to fulfil your legal obligations, which is another failure to meet UK GDPR.
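As a practical way of checking for the problem described in Example 3, here is an added script (it is not part of the original article and not an IT Norwich tool) that walks a scan share and lists files still carrying the scanner's default name (scan001.jpg, SCAN_0002.pdf and so on) that nobody has touched for a given number of days. Files that have been renamed sensibly, such as ACME-invoice-2023.pdf, are ignored. It assumes a POSIX shell with find(1) that supports -iname (GNU or BSD find); the scan root path and the filename patterns are assumptions you would adjust to match your own scanner's naming scheme.

```shell
#!/bin/sh
# Added example, not from the original article: report scans that still have
# the scanner's default filename and have not been renamed or filed.
# Assumes GNU/BSD find(1); adjust the -iname patterns to your scanner's naming.

# find_unfiled_scans ROOT [DAYS]
# Prints, one per line, files under ROOT whose names look like scanner defaults
# and whose modification time is more than DAYS days ago (default 7).
find_unfiled_scans() {
    root="$1"        # directory holding the per-user scan folders
    days="${2:-7}"   # report files left untouched for more than this many days
    find "$root" -type f -mtime +"$days" \
        \( -iname 'scan[0-9]*.jpg'  -o -iname 'scan[0-9]*.jpeg' \
           -o -iname 'scan[0-9]*.pdf' -o -iname 'scan[0-9]*.tif' \
           -o -iname 'scan_[0-9]*.pdf' -o -iname 'img_[0-9]*.jpg' \) \
        -print | sort
}

# count_unfiled_scans ROOT [DAYS]
# Same search, but prints only the number of matching files; handy for a
# weekly cron job that emails a summary to the information owner.
count_unfiled_scans() {
    find_unfiled_scans "$1" "${2:-7}" | wc -l | tr -d ' '
}
```

Run it as `find_unfiled_scans /path/to/scans 7` from a scheduled job; a non-empty list is a prompt to chase the folder owner to rename and file the documents, and the count gives you a simple metric for how well the policy is being followed.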
What should be in your Document Scanning Policy?
Every business is different, so you will need to spend some time thinking about this internally, but the policy should cover at least the following topics:
- When a new scanner is purchased, the IT team should be called in to set up the device, including the scan-to-folder features, rather than leaving this to the third-party printer supplier.
- When a new user joins, a scan-to-folder entry should be created as part of the user onboarding procedure; again, this is a task for the IT team.
- The scan folders should be set up so that each user has their own scan folder, with permissions set so that nobody else can see what that person has in it.
- You should set a policy that covers whether users are allowed to use mobile phone cameras to digitise files or whether they should always use the scanners provided. If the policy is not adhered to, what are the consequences?
- You should have clear guidance in place that explains how files should be renamed after they have been scanned and more importantly where they are to be stored so they are accessible only to staff that need access to them.
- Assuming a document has been scanned, what is going to happen to the paper version? Will it be filed and where, or will it be destroyed, and how?
- Some documents may become evidence in legal proceedings, so will you need the paper documents or are the documents scanned to a suitable standard to become admissible in court?
- When a user leaves the business, the off-boarding procedure should address what happens to the user's scans if they have not been properly filed, and ensure the scan-to-folder entry is deleted.
- If you have members of staff who are visually impaired, do you need software installed so that they can read scanned files with a screen reader or Brailler?
- Are some users printing out digital documents and then rescanning them? This is a waste of paper, toner, time and energy. Users might simply need training to avoid this.
These are just some examples of what needs to be explored when setting your own Document Scanning Policy. If you need help in setting policy, please call IT Norwich Ltd on 01603 554000.