Written by Daniel Fernández-Viagas Gallego.

DPD / DPO certified according to AEPD-DPD scheme.

ISO 27001:2013 Information Security Auditor.

Since the publication of Royal Decree Law 8/2019 of March 8, much has been written about the changes it meant for companies. Because of its importance and the expectation it raised, we highlight the modification of art. 34 of the Workers' Statute, which requires companies to keep a daily record of when their workers' working hours start and end. It is nothing new for many organizations, but for others it has certainly been a significant change in the way they operate.

The guide issued by the Ministry of Labor indicates that any system or medium, whether on paper or telematic, will be valid if it is capable of fulfilling the legal objective, that is, if it provides reliable, unchangeable information that cannot subsequently be manipulated by the employer or by the employee.

After the initial commotion and confusion, companies and organizations considered various ways of recording the working day, and the vast majority reached the same conclusion: use paper. Current statistics show that it is the most widely used format. The reasons are obvious: it is economical, there is no application to implement or acquire, there is no technique to learn, and it seems simple. But is it really so?

In these lines we do not question the legal validity of the paper-based system for recording the working day in view of a possible requirement from the Labor Authority; rather, we address it from the point of view of information security and privacy.

It escapes no one that printing a template and signing it at least twice a day requires time and attention from a person in charge, who must also keep the records and stay attentive to the particularities of each worker (absences, leave, permits, changes of shift, etc.). The difficulty of the paper system multiplies with every employee we have. It may seem economical, but the time invested generates an expense, and we must not lose sight of this point.

Over the months we will begin to detect other problems. Since the records must remain available for 4 years, we must set up a file and a system to keep them available to the Authority, which brings new difficulties.

So, if we are doing it on paper, signing daily, and keeping everything in an AZ binder, there is no problem, right? Well, let's analyze the basic principles of information security: confidentiality, integrity and availability.


By confidentiality we understand the quality of information that is not disclosed to unauthorized persons. It is basically the property by which the information is only accessible with proper authorization and control. We have to think, therefore, that a person in charge of administration will be authorized, or the person in charge of shifts and schedules, but should the rest of the colleagues know the information? The answer is simple: no. Under the GDPR, privacy is by default, so when designing a table or signature sheet, I must take into account that any annotation or incident on it should not be visible to the rest of the workers. That a colleague arrives late can obviously be known by the rest of their colleagues, but the reasons for being late should not be public. Be careful with this, because in the long run it can be a source of conflict. If all workers sign on the same signature sheet, it is very likely that sooner or later we will violate privacy.


This is possibly the most important point in recording the working day. Integrity refers to the quality of information that is correct and has not been modified, with the data kept exactly as it was generated, without manipulation or alteration by third parties. Integrity is lost when the information is modified or when part of it is lost. Crossed-out records, pre-marked hours, or a sheet for the whole week already signed on Monday are all a loss of integrity, and perhaps what we detect most to date. Imagine that a Labor Inspector shows up at your company and asks for the records, and the workers have already signed for the whole week: a bad situation, of course. Nor does it seem very reliable that all the records show the exact same time every day. We can be very punctual, but the impression given is that the record is not correct.


Availability means being able to access information when we need it. The paper may be available in a filing cabinet, but are we making copies or digitizing? Since the records must be kept for 4 years, it is likely that a document will be lost, so making copies is essential in these cases. Unfortunately, factors such as fire, theft or other disasters may mean that we do not have our information when it is required, so digitization becomes a priority.


What does the guide of the Ministry of Labor, Migration and Social Security say?

The requirement that they remain available must be interpreted as meaning that they can be accessed at any time they are requested by the workers, their representatives or the Labor and Social Security Inspection, with the employer guaranteeing compliance, which will be consistent with the registration system used. This obligation is established directly and expressly in the Law and therefore cannot be conditioned in any case.

In this sense, that the records “will remain available” must be interpreted as being and remaining physically in the workplace, or being immediately accessible from it. This also avoids the possibility of subsequent creation, manipulation or alteration of the records.

In conclusion, paper can be a valid system, but we must weigh the cost in time and effort of doing it correctly. As for other security measures to protect the documentation, the company should limit access to its file to authorized people and have a “clean desk” procedure, something not very frequent in the current scenario. It may not seem important now, but once the required time has passed we will have to destroy the information, under the principle of data quality and the limitation of processing. Yes, the data has an expiration date. That is, after 4 years we will face a question: what do I do with the paper records? If you have thought about throwing them directly into a container, please do not do so, at least if you do not want to have a problem with the Spanish Agency for Data Protection.

As you have seen in this article, this requirement, like much of the regulation that companies must comply with, rests on having an internal management system in place, knowing what we should do and who is responsible for doing it. As easy and as difficult as that.