On 25 May 2018, new data protection legislation came into force that affected all organisations, including community archives. This is called GDPR (General Data Protection Regulation). There are some notes about GDPR below, with links to further information.
The primary source of information and guidance about GDPR is the website of the Information Commissioner. See: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Some aspects of the legislation relating to personal data held in archives in the UK are still under review. You can find out more about this below.
Though we hope that the pointers below are helpful, the Community Archives and Heritage Group is not able to provide definitive or legal advice about GDPR. Like most other organisations, we are trying to interpret the guidance that is available to understand the implications for our sector.
We held a question and answer session about GDPR at the Community Archives conference in 2018.
The information below is in three sections:
What is personal data?
Personal data includes any information that would allow an individual to be identified. This includes name, address and e-mail. It can also include some types of photo (such as a passport photo), and more general information which, when combined with other information, could lead to the person’s identity being established (such as occupation, salary or health history). Note that the law on personal data only applies to the data of living people.
What is data protection?
Data protection sets out a number of rules for the management of personal data. This covers everything from how organisations collect information, through to how they store the data and when they should delete it. Personal data collected must be processed fairly, lawfully, securely and with regard to the rights of individuals. The current UK law is the Data Protection Act 1998.
What is GDPR?
GDPR is a new European law for the management of personal data. It was developed through EU member state negotiation (2012 – 2016). Currently all EU member states are in a two-year lead-in period before the law goes live in May 2018. For the UK this means replacement of the Data Protection Act of 1998.
Why does it apply to the UK?
Although the Brexit process is under way, the terms of Article 50 mean that, as an EU member state in May 2018, the UK is subject to this law. The advice from the UK’s Information Commissioner is that the GDPR will be a benchmark.
What are the differences in the new regulation?
The new regulations impose more duties on organisations to strengthen the rights of individuals and to protect their personal data.
It’s worth distinguishing between two types of personal data that community archives collect:
- Personal data which is part of your archive (e.g. letters, documents or photos related to living people)
- Personal data you collect as part of the process of running a small organisation (e.g. collecting names for a mailing-list, event bookings, membership lists etc.)
1. Personal data which is part of your archive
The law relating to GDPR and archival records is still being finalised in Parliament. This is because the National Archives and the Archives and Records Association are lobbying for an exemption to be applied for archives, which will include community archives. However, the outcome is not yet certain.
The National Archives has drafted a guide to archiving personal data, which is available at http://www.nationalarchives.gov.uk/information-management/legislation/data-protection/. In addition to the guide, the archives sector web pages on the National Archives website have been expanded to include some data protection advice and an FAQ section which will be updated as case law develops and other guidance becomes available. See: http://www.nationalarchives.gov.uk/archives-sector/advice-and-guidance/managing-your-collection/archives-data-protection-law-uk/.
Pending the clarification of the legislation, we suggest that:
- You do not need to destroy or return any archival information that contains personal data about living people
- You do not permit access to it (unless you have had explicit consent from the people concerned)
As the current laws regarding privacy and defamation already make it unwise to publish any archival information related to living people without their explicit consent, this is unlikely to cause most community archives to change their current practice.
2. Personal data you collect as part of the process of running an organisation
There is guidance about this on the website of the Information Commissioner, and you will also find a lot of other articles and commentaries on the web. You should certainly review the ‘12 steps to take now’ document published on the ICO website. Not all the steps will be relevant to small organisations like community archives, and you will need to make your own judgement about what steps you need to take.
However, by way of an example, here are the main steps that the Community Archives and Heritage Group are taking in relation to GDPR and personal data:
1. We have carried out an audit of the personal data we hold
We have looked through our website and other records and have itemised all the ways in which we collect or store personal data.
2. We updated and documented our personal data policy
For each type of personal data we hold (for example, our list of members), we are deciding whether we need the information, how long we should keep it, whether we need to update the process by which we collect it, and how we can make it possible for individuals to ask for copies of their data or to have it removed. We are writing down our decisions and updating our processes accordingly.
3. We deleted unnecessary personal data
As a result of our data audit, we have decided that there is some data which we hold which we do not need to keep. One example is the list of people who attended past conferences. We are deleting this data.
4. We reviewed each process by which we collect personal data to be sure we are obtaining the right permissions in future
We are checking all the ways in which we collect personal data (such as event booking forms) to be sure that we are gaining explicit consent to how we plan to use and store the data.
For example, we are going to add additional text to our ‘join us’ website form to clarify what use we will make of the personal data our new members provide and how long we will keep it. To ensure explicit consent, we will also add a checkbox.
5. We provided a method by which people can find out what personal data we hold about them and request to have it deleted
Our privacy page on the website will contain a link to a form allowing people to request a copy of their personal data.
6. We updated the privacy page on our website
Note that the ICO has provided examples of good and bad privacy notices at: https://ico.org.uk/media/for-organisations/documents/1625136/good-and-bad-examples-of-privacy-notices.pdf.
The main point is that there is no need to panic. Community archives are not the target of the GDPR legislation. So long as you are complying with the current data protection legislation, you will probably find that the changes you need to make because of GDPR are not too disruptive. However, you should:
- Review the guidance on the ICO website and decide what steps you need to take
- Keep an eye out for the latest information about archives and GDPR. We will try to provide links on this website as soon as further clarification on this becomes available.
- Remember that if you come to the Community Archives conference in 2018, we will be holding a session on GDPR at the event, with an expert from the Archives and Records Association (ARA).