Archives and GDPR: frequently asked questions

General

Where can I find general advice?

For guidance on generic data protection issues, such as managing data about service users, please see the range of guidance published by the Information Commissioner’s Office (ICO). Some of the guidance has been tailored to particular types of organisation.

What happens about Data Protection after Brexit?

The answer will depend on the nature of the Brexit deal reached between the UK government and the EU, although we understand that the intention is to continue to meet the requirements of GDPR.

The ICO’s webpages on Data Protection and Brexit can be found here: https://ico.org.uk/for-organisations/data-protection-and-brexit/

The following link shares thoughts on the possible implications in the event of there being ‘no deal’: https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal

The Council of Europe handbook on European Data Protection Law is another useful source of reference and includes information on Data Protection in European countries outside the EU: http://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law

Is there guidance to show what organisations need to do to comply with UK data protection law?

The ICO has published guidance on the UK data protection regime at https://ico.org.uk/for-organisations/

Data Protection Act 1998 vs Data Protection legislation 2018

Do the eight Data Protection Principles from the 1998 Act still apply?

The new legislation has refreshed the language and presentation of the Data Protection Principles. The main substantive differences relate to additional requirements for transparency and accountability of processing.

Is it still correct to refer to ‘sensitive personal data’?

The 1998 Act used the term sensitive personal data to cover details about a person’s ethnic origin; political opinions; religious beliefs or other beliefs of a similar nature; trade union membership; physical or mental health.  The new legislation refers instead to Special Category Personal Data.  Special category data is broadly similar to the concept of sensitive personal data under the 1998 Act. The requirement to identify a specific condition for processing this type of data is also very similar.

One change is that the GDPR includes genetic data and some biometric data in the definition. Another is that it does not include personal data relating to criminal offences and convictions, as there are separate and specific safeguards for this type of data in Article 10.

For more details, see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/

Does the new legislation represent a significant change in approach for archives and archivists?

In general, ‘archiving’ which complied with the 1998 Data Protection Act will continue to be permitted under the new law. No drastic change is required. The GDPR contains provisions for archiving in the public interest which affect the application of the rights of the individual and some of the principles. This is enacted in the Data Protection Act 2018, Sch.2, part 6, para.28.

The National Archives’ Guide to Archiving Personal Data gives further guidance on this subject.

Can archivists still refer to the Code of Practice for Archivists and Records Managers issued after the 1998 Data Protection Act?

The Code of Practice was drawn up specifically to support archivists and records managers in interpreting and acting within the provisions of the 1998 Act.  The issuing of new legislation (GDPR and the Data Protection Act 2018) renders the Code of Practice obsolete.  Please refer instead to The National Archives’ Guide to Archiving Personal Data. The Archives and Records Association also plans to publish guidance on GDPR for its members. See http://www.archives.org.uk/

Exemptions

What are the possible exemptions?

The exemptions are covered on pages 12-13 of our Guide to Archiving Personal Data. ICO has published guidance on exemptions at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/exemptions/

What exactly is ‘archiving purposes in the public interest’?

Archiving in the public interest is processing to secure the permanent availability of recorded memory, in other words, evidence and information, for a wide range of current and potential future purposes, including:

  • enabling research and investigation of all kinds, including academic, historical or genealogical research
  • enabling long-term accountability, such as public inquiries and other official investigations like cold case murder investigations
  • enabling the discovery and availability of personal, community and corporate identity, memory and history
  • enabling the establishment and maintenance of rights and obligations and of precedent decisions
  • enabling educational use
  • enabling commercial and non-commercial re-use.

What is the definition of ‘enduring value’?

The phrase ‘enduring value’ is not included in the index of defined expressions within the Data Protection Act 2018. The phrase is however used in the new legislation in the context of the new purpose – ‘archiving in the public interest’. This purpose can only be applied to records which have been identified as having ‘enduring value’. Records which have been subject to an appraisal process and deemed to be worthy of permanent preservation, have been accessioned by an archive service or which have been identified as such by the record creator are likely to be considered as of ‘enduring value’.

What does GDPR mean for archives?

GDPR contains possible exemptions for archiving in the public interest from some of the principles. These exemptions include (but are not restricted to) provision for compatible further processing, beyond the purpose for which the data was originally collected, an exemption from the storage limitation principle, and an exemption from the right of erasure (the so-called ‘Right to be Forgotten’).  See Data Protection Act 2018, Sch.2, part 6, para.28 and The National Archives’ Guide to Archiving Personal Data for further information.

Under the new legislation there is a greater emphasis on processing activities being documented and transparent so that controllers are accountable for their use of personal data. Much of this is covered by existing archival good practice, such as inclusion of DP issues in accession documentation and publishing of collection policies, but services should also ensure inclusion of archiving processing in corporate privacy notices.  Organisations must also pay a fee to ICO and provide details of their organisation.  More information about this can be found at https://ico.org.uk/media/for-organisations/documents/2258205/dp-fee-guide-for-controllers-20180221.pdf.

Does ‘public interest’ mean only public bodies are covered?

The key message is that archiving in the public interest should serve the public good and not purely personal or corporate interest and private gain. However, this does not mean that only public bodies are covered by the legislation. The government supports the continuation of archiving by private as well as public bodies and individuals. The term ‘public interest’ is used in many contexts and does not have a legal definition in the UK. However, parliament has published further detail on the government view of how public interest should be understood in a UK context.

What doesn’t ‘archiving purposes in the public interest’ cover?

It does not include other uses of the word ‘archiving’ such as:

  • long term retention of records purely to support current business or legal requirements (such as pension purposes) with the intention to destroy them after those have been met
  • sending records to cheaper offsite storage or moving data to offline systems from a live system
  • processing of personal data in records that have been designated as having no potential or confirmed archival value
  • routine back-ups of non-archival data.

Data being processed for archiving purposes in the public interest can also continue to be used in parallel for current business purposes, but some exemptions will not apply to this activity while this is happening.

What is meant by ‘processing’ for archiving purposes in the public interest?

The criteria for ‘processing’ in the context of ‘archiving in the public interest’ could include:

  • purpose (for example, long term accountability or corporate identity)
  • activities (such as providing access to material of value)
  • enduring value (for example, are the records intended for permanent preservation)
  • transparency (does the organisation make clear it is archiving personal data)
  • standards (for example, do they meet relevant standards, such as Archive Service Accreditation?)
  • access (is public access either available now, or will it be in the future? If not, is the public interest served in some other way?)

Not all of these criteria will need to be met (although more than one would be expected) as they are indicators, and circumstances will vary between different archive services.

Do I have to do anything specific in order to be able to use the ‘archiving purposes in the public interest’ exemption?

It is important to have a clear definition of what the scope of a body or group’s archiving function and activity is (as distinct from any other corporate purposes of processing), what it seeks to achieve and sufficient documentation of how this activity is performed. Archive services meeting the national accreditation standard will probably already have policy and procedural documents which meet this requirement.

Archive services which do not have clear policies committing them to some form of direct or indirect public access to their holdings, now or in the future, will need to demonstrate in what other ways their archival operations meet a public interest, in addition to any private interests.

Some benefits of the ‘archiving in the public interest’ exemption are conditional upon their use being actually necessary and proportionate for the performance of the archiving function, so services will need to be able to demonstrate and document that this is the case.

Exemptions for archiving in the public interest only apply:

  • to the extent that complying with the provisions above would prevent or seriously impair the achievement of the purposes for processing;
  • if the processing is subject to appropriate safeguards for individuals’ rights and freedoms (see Article 89(1) of the GDPR – among other things, you must implement data minimisation measures);
  • if the processing is not likely to cause substantial damage or substantial distress to an individual; and
  • if the processing is not used for measures or decisions about particular individuals, except for approved medical research.

Do I need to tell users I am ‘archiving in the public interest’?

As transparency is an important aspect of compliance, services should use a range of means to make clear (particularly to people about whom they hold data) that they are ‘archiving in the public interest’, for example through corporate or service websites. Where personal data collected by an organisation is being archived, in-house or by a separate archival institution, this should be included in privacy notices or published policies linked to them.

Services could also use means such as being listed on the National Register of Archives or other national sector sites to ensure widest possible coverage. Organisations which don’t already have an ARCHON number for the NRA on Discovery’s Find An Archive can contact asd@nationalarchives.gov.uk for advice on registering.

Are there any circumstances in which the ‘archiving purposes in the public interest’ exemption may not be appropriate?

If the data have been processed to take ‘measures or decisions’ about the individual, or there was a clear likelihood that substantial damage/distress would be caused simply by continuing to hold the data (the UK safeguards) you may be unable to claim the processing as being ‘in the public interest’ or benefit from the exemption. Similarly if the processing was clearly unlawful or unfair. Note that fairness to the data subjects may have to be weighed against being unfair to others if data is deleted.

Related data subject rights to have data restricted or rectified (or the broader elements relating to access, portability and objection to processing) are similarly limited by provisions for archiving in the new legislation. However, these provisions apply only to the extent that the archival purpose would be compromised by complying with the request. You should consider whether it is possible to meet the request in whole or in part by, for example, providing a link from the original record to a note giving additional details of the data subject’s objection.  For further information about this exemption, see Data Protection Act 2018, Sch.2, part 6, para.28, ICO’s guidance on this exemption at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/exemptions and The National Archives’ Guide to Archiving Personal Data.

Do archivists have any obligation to keep information in the archives up to date, even if requested to do so by the data subject?

Personal data preserved in archives are not expected to be kept ‘up-to-date’ in the same way as data still subject to operational use.  See paragraph 40 in The National Archives’ Guide to Archiving Personal Data.

What are the ‘safeguards’?

The exemptions (‘derogations’ in GDPR) are not automatic, and require safeguards to ensure the rights of the subject are upheld.

The UK safeguards are contained in section 19 of the Data Protection Act 2018. Processing for archiving in the public interest will not meet the safeguard requirements if it is:

  • ‘likely to cause substantial damage or substantial distress to a data subject’
  • or ‘carried out for the purposes of measures or decisions with respect to a particular data subject, unless the purposes for which the processing is necessary include the purposes of approved medical research’.

What constitutes substantial damage or distress?

The Act does not define what is meant by substantial damage or distress. However, in most cases:

  • substantial damage would be financial loss or physical harm; and
  • substantial distress would be a level of upset, or emotional or mental pain, that goes beyond annoyance or irritation, strong dislike, or a feeling that the processing is morally abhorrent.

How does the new legislation affect the processing of manual, unstructured data?

Manual unstructured data falls outside GDPR and therefore the exemptions for archiving in the public interest cannot apply to this type of data. However, if the unstructured manual data is held by an FOI public authority, there is a limited application of Data Protection Legislation to enable these organisations to withhold personal data when appropriate in responding to third party FOI requests. See sections 24 and 25 of the Data Protection Act 2018 and the Freedom of Information Act 2000 s.40(3A)(b), which provides the exemption for manual unstructured personal data held by a public authority (where disclosure would breach a Data Protection Principle).

http://www.legislation.gov.uk/ukpga/2018/12/section/24/enacted

http://www.legislation.gov.uk/ukpga/2018/12/section/25/enacted

https://www.legislation.gov.uk/ukpga/2000/36/section/40

If you are not an FOI public authority, manual unstructured data is not covered by GDPR or the Data Protection Act 2018. Paragraphs 32-33 of The National Archives’ Guide to Archiving Personal Data also give guidance on this subject.

Data Subjects and their rights

What should archive services do when they receive a Subject Access Request relating to information in their archive collections?

The ICO’s website contains information about individuals’ right of access to information about themselves.

Controllers can only refuse to comply with SARs to the extent that complying with the SAR would prevent or seriously impair the achievement of the purposes for processing. Would complying with a SAR prevent or seriously impair the achievement of archiving?

Standard practice for responding must be followed such as using ‘all reasonable measures’ for confirming the identity of the requester, bearing in mind that due to the passage of time, greater flexibility may be needed.

There is usually no fee for responding to a subject access request. Responses should now be made within one month from the date of the request being received, and should be made electronically if the request is received in that form.

What rights does the data subject have over their data in unstructured manual data?

If the data are unstructured and manual and held by FOI public authorities, they are not covered by GDPR.  This means that provisions for processing will be found instead in the Data Protection Act 2018, specifically the provisions for processing records for historic research purposes.  Please refer to http://www.legislation.gov.uk/ukpga/2018/12/section/25/enacted for further information.

Unstructured manual data not held by an FOI public authority are not covered by the exemptions and derogations in the Data Protection Act 2018.

If unstructured manual data is subsequently digitised or indexed by data subject’s name, then it is brought into the provisions of GDPR and the Data Protection Act 2018.

What is the ‘right to be forgotten’?

Under data protection law individuals have the right to request the erasure of their personal data. The right is not absolute and only applies in certain circumstances.

It does not apply if processing is necessary for archiving purposes in the public interest. It only applies:

  • if the processing is subject to appropriate safeguards for individuals’ rights and freedoms (see Article 89(1) of the GDPR – among other things, you must implement data minimisation measures);
  • if the processing is not likely to cause substantial damage or substantial distress to an individual; and
  • if the processing is not used for measures or decisions about particular individuals, except for approved medical research, and where erasure will compromise or render that processing impossible (GDPR Article 17(3)(d)).

Similar provisions in the 1998 Act have rarely been invoked by data subjects in practice, although this may change due to publicity around ‘the right to be forgotten’.

In what circumstances might an archivist have to apply a ‘supplementary statement’ to an archived record?

Supplementary statement is the phrase used in the 2018 Data Protection Act to describe a note that a data controller or data processor might annex to a particular record in response to a request made by the data subject.  Supplementary statements might be made to complete data which is otherwise incomplete or to correct data which is incorrect, for example.  The “archiving in the public interest” purpose means that in order to protect the integrity of the original record, archivists do not have to make changes to the physical record in response to a request by the data subject.  However paragraphs 22, 29 and 40 of The National Archives’ Guide to Archiving Personal Data give some information about circumstances in which archivists may find the use of a supplementary statement appropriate.

Complementary legislation

Access to data must be lawful.  What legislation besides Data Protection might apply?

Paragraph 77 of The National Archives’ Guide to Archiving Personal Data gives some examples of other legislation that impacts on providing access to information in archives. Archivists working in public authorities should also be mindful of the provisions of the Freedom of Information Act, 2000 and the Environmental Information Regulations 2004.

Accessioning records and providing access

Am I still able to accept correspondence from living people, including emails, as part of a deposit? Do I have to remove personal data?

Archive services can still accept correspondence, including emails, from living people, providing so doing is in line with collecting policies and the archiving purpose. Personal data does not have to be removed.

What provisions are there for archive services to provide researchers with access to closed records?

Data protection law does not give third parties rights of access to data.  This means that archive services can only give access to personal data in archives once an assessment of the likely impact on the data subjects’ right of privacy has been carried out.  Archive services would need to demonstrate that the disclosure of personal data is fair, lawful and transparent.  Access for scientific, historical or statistical research may be possible provided that access or other forms of processing are NOT “likely to cause substantial damage or substantial distress to a data subject” and/or will NOT [be] “carried out for the purposes of measures or decisions with respect to a particular data subject, unless the purposes for which the processing is necessary include the purposes of approved medical research”.

The National Archives’ Guide to Archiving Personal Data gives more information about providing access to personal data (paragraphs 72-84), and also about the responsibilities of users of archived personal data (paragraph 85), including the potential use of signed declarations or undertakings.

I currently ask archives users to sign a data protection undertaking where records contain personal data. Is it still acceptable to do this?

Yes. It is sensible for services to remind users of their own responsibilities under data protection legislation, although notices will need to be amended to reference GDPR and Data Protection Act 2018, rather than Data Protection Act 1998. This can be done, for example, through notices in the reading rooms, on the service web pages, or at the point of signing in. As previously, the nature of data protection law is that personal data may sometimes be lawfully accessible onsite, whereas some types of re-use may be unlawful. The most common example of the latter would be transcription and posting online of unstructured manual data.

This is distinct from providing privileged access to ‘closed’ records for those users who agree to specific limits on how records are used or re-used.

Services may find the model undertakings contained in the previous 1998 Act Code useful, provided these are amended to reference the new legislation.

However, undertakings cannot displace data protection responsibilities onto users: they can only provide some additional assurance when assessing whether the access in question is lawful, for example if they significantly affect whether it is ‘likely’ that the processing will cause substantial damage or substantial distress. Public services subject to Freedom of Information Act 2000 (FOIA) should note that this type of conditional access will not comply with s.1 or the s.21 exemption of that Act, so they will continue to have to respond formally to requests for access to information in respect of such records.