
Case Study: The Forgotten External Storage Container Full of Personal Data


"We know there are some old records in storage, but we're not entirely sure what's in them."

This is a statement we hear surprisingly often.  The following case study is based on issues commonly encountered during data protection and records management reviews.


The Situation

A medium-sized organisation occupied offices that had been refurbished several times over the years.  As departments moved locations and filing systems became digitised, historic paper records were boxed and transferred to an off-site storage provider.  The arrangement had existed for more than fifteen years.  The organisation paid a monthly storage fee, but there was limited oversight of what records were being retained or why.  When a data protection review was commissioned, management believed the organisation held only a small archive of historical documents.


The reality proved very different.


What Was Found

An inventory exercise identified more than 400 archive boxes held within storage containers managed by a third-party storage company.

The contents included:

  • Former employee files
  • Recruitment records
  • Client correspondence
  • Complaint files
  • Financial records
  • Medical and occupational health information
  • Disciplinary and grievance documentation


Some records dated back more than twenty years.  Many contained highly sensitive personal information.  In several cases, nobody within the organisation knew the records still existed.


The GDPR Problem

The issue was not that the records were held by a storage company.

Using a third-party archive provider is perfectly legitimate and common business practice.

The problem was that the organisation could not answer fundamental questions:

  • What personal data was being stored?
  • Why was it being retained?
  • Who was responsible for it?
  • How long should it be kept?
  • When had it last been reviewed?


The organisation had effectively outsourced storage but not management.  Under UK GDPR, responsibility for personal data remains with the organisation, even when records are held by a third party.


The Subject Access Request Risk

The problem became particularly apparent when the organisation received a Subject Access Request from a former employee.

The request required searches of historical records.

Unfortunately, nobody knew which boxes might contain relevant information.

The organisation faced:

  • Significant retrieval costs
  • Delays in locating records
  • Uncertainty about the completeness of searches
  • Difficulties meeting statutory deadlines


What initially appeared to be a straightforward request became a major compliance exercise.


The Retention Issue

The review identified another concern.

Many records had exceeded the organisation's own retention periods years earlier.

Some recruitment files related to unsuccessful candidates from more than a decade ago.

Historic personnel records had been retained long after any legal or operational need could be identified.

The organisation had continued paying to store records that it no longer had a lawful reason to retain.

From a GDPR perspective, this raised concerns regarding the storage limitation principle.


Who Owned the Problem?

One of the most interesting findings was that no single person appeared responsible for the archive.

  • Human Resources assumed Facilities managed it.
  • Facilities assumed Compliance managed it.
  • Compliance assumed departments reviewed their own records.


In practice, nobody had ownership.  The archive had become an organisational blind spot.


The Solution

The organisation implemented a structured records management programme, which included:

  1. Creating a Full Inventory - Every archive box was identified and categorised.
  2. Assigning Ownership - Each category of records was allocated to a responsible department.
  3. Reviewing Retention Requirements - Records were assessed against legal, regulatory and operational retention requirements.
  4. Secure Disposal - Thousands of records that no longer needed to be retained were securely destroyed.
  5. Updating Records of Processing Activities - The archive was formally documented within the organisation's information governance framework.
  6. Establishing Regular Reviews - A recurring review process was introduced to prevent future accumulation.


Lessons Learned

The most important lesson was that off-site storage does not remove accountability.  Many organisations assume archived records are low risk because they are rarely accessed.

In reality, forgotten records can create significant compliance challenges.  Personal data stored in archive containers remains subject to the same GDPR obligations as information held on a live system.  If an organisation cannot explain what is stored, why it is being retained and who is responsible for it, the risks can quickly multiply.


Conclusion

Off-site storage facilities provide a valuable service for organisations with limited space. However, they should never become a substitute for records management.

The question is not whether archived records are stored securely.

The more important question is whether the organisation understands what is stored there in the first place.

For many organisations, the greatest data protection risk is not the information they use every day.

It is the information they forgot they had.

by Caroline Harrison 7 June 2026