GDPR is just a few days away! And the deluge of emails from long-forgotten mailing lists shows no signs of stopping …
There’s no need to panic though. Very few organisations are likely to be fully compliant by the 25 May. The Information Commissioner’s Office after all emphasises that the 25 May is the start not the end of a process. Oh, and that the frenzy of emails seeking consent is not necessarily – necessary.
Anyway, with help from our project archivist and the ICO’s excellent website, I have completed our data audit and come up with an action plan to make sure our service will comply with the Data Protection Bill.
Our archive collections are (probably) covered by an important derogation (schedule 2, part 6 of the Bill). This allows personal data to be processed without requiring consent where necessary for “archiving purposes in the public interest”. This phrase has not been seen in data protection law before the Bill. What does it mean and which archives/collections are covered?
Unfortunately the answer is not simple. The phrase is not defined in the GDPR itself. An associated recital, 158, may imply that its coverage is limited to services with a legal obligation to acquire, preserve, [etc.] records. This is troubling. What about universities and other organisations who collect for other reasons, which are equally valid and result in public benefit?
An answer to a question in Parliament is reassuring: Matt Hancock, the relevant Secretary of State, said on 3 November 2017: “We want to reassure bona fide archiving services that they will be able to continue to process personal data for the purposes of archiving in the public interest, regardless of whether they have a statutory obligation to do so.” He pointed out that the recital is not a law, and that most UK archives operate in a “permissive” rather than statutory way, possibly unlike those elsewhere in the EU.
I’d suggest that archives can demonstrate their bona fides by following professional practice, offering public access, working towards Archives Accreditation, creating effective policies, and striving to tackle hidden collections. All the good stuff we should be doing anyway!
Other than this uncertainty, the provision for “archiving” is good news. Archive activities were not well covered under the Data Protection Act: we had to rely on provision for “historical research”. This was never very satisfactory. An awful lot of research in archives is not “historical”. Now there is an explicit justification for archives holding personal data for all kinds of research.
The derogation does not, however, apply to management records kept by an archive or library for management purposes, e.g. contact details of collections donors or enquirers. Services need to audit what they keep to make sure they stay legal. We’ve now mapped the personal data we gather for these purposes, under the following headings:
- What kind of data?
- Where is it kept?
- Why is it kept? Do we actually need it?
- If so, what is the lawful basis for keeping it? Note that consent is only one of the six lawful bases.
- How long will we keep it – and why (retention period)?
- What do you need to do to bring the data you have into line with the law? e.g. dispose of material older than a certain date.
As well as the ICO’s website, you might also find the following resources useful:
- The National Archives is creating new guidance for archivists. You can help!
- Shedding Light on #GDPR, by Naomi Korn. Myths busted!
- CILIP’s GDPR page featuring downloadable guide by Naomi Korn.
Wishing you all a Great Day: Privacy Rules!