We have written to Matt Hancock MP, Minister of State for Digital, regarding the implementation of the General Data Protection Regulation (GDPR) and the upcoming Data Protection Bill. These are directly pertinent to the activities of cultural heritage institutions.
A PDF copy of the letter is available below:
Fiona Hyslop MSP and Vaughan Gething AM are copied into the letter in consideration of devolved cultural policy in Scotland and Wales.
Implementation of the General Data Protection Regulation
Dear Matt Hancock,
We are writing with respect to the UK implementation of the General Data Protection Regulation (GDPR) and the upcoming Data Protection Bill. The subject matter of these are directly pertinent to the activities and roles of cultural heritage institutions.
Cultural heritage institutions, including museums, galleries, archives, and libraries, both public and private, play a vital role in promoting research and intellectual freedom in the UK, while supporting and protecting freedom of expression and privacy. Cultural organisations are essential sources of information and are responsible for safeguarding and enabling access to collections of social, political, historical, and scientific significance.
To protect the role of cultural heritage institutions and their stakeholders and users, believe the following should be enabled in the upcoming Data Protection Bill:
- Clear legal foundations should be set out for the activities of ‘archiving in the public interest’ (in accordance with Recital 158 GDPR), which are essential in order to ensure that institutions that undertake archiving activities in the public interest are legally able to do so under the GDPR and in turn are able to benefit from public interest archiving exemptions (including those implemented through Article 89 GDPR). These foundations should apply both to public and private organisations in respect of archiving activities that are carried out ‘in the public interest’. Without this we believe implementation of Article 89 exemptions may be academic as organisations may not have the underpinning required by the GDPR in order to enjoy them.
- Ensure that derogations for research activities (Article 89 GDPR) are implemented in a wide and clear manner so as to provide protection to the socially, politically, and economically vital research activities of cultural heritage institutions and users of their collections. In particular, the derogations should be aligned to the safeguards set out in Article 89(1) GDPR and avoid transposition of the unclear requirements of s.33 Data Protection Act 1998 (DPA) . Our view is that s.33 DPA places unclear, unenforceable, and unnecessary limitations on research activities in the form of the ban on processing personal data ‘to support measures or decisions with respect to particular individuals’.
- The Bill should clarify that certain data controllers, in particular public cultural heritage institutions, may process personal data on the basis of any valid legal ground (under Article 6 GDPR). The GDPR states that public bodies may not process personal data on the grounds of ‘legitimate interests’ in respect of their public tasks. However, certain public bodies, including many cultural institutions such as museums and libraries, undertake other tasks that are beyond their public interest tasks (for example, running a shop or cafe). In respect of such further tasks, public cultural heritage institutions should not be precluded from relying on the legitimate interests grounds for processing personal data where there is no other legal basis for using personal data.
- Freedom of expression and information derogations (Article 85 GDPR) should include the activities of cultural heritage institutions. Data protection law must not be able to suppress access to archival and cultural collections, in particular those of a political or other public interest nature. A lack of strong protection under these derogations could inflict damage on the sector’s ability to support and advance freedom of expression. It would also leave unclear the interplay between authors and journalists who can benefit from these exemptions, and cultural heritage institutions that provide the materials to them, which would be excluded.
- The understanding of what constitutes ‘research’ under the GDPR should be interpreted widely. The use of data for all research activities that are undertaken legitimately and without harm to the rights and freedoms of data subjects should not be curtailed. In particular, the understanding of research should incorporate both commercial and non-commercial research activities that are legitimate and that properly protect subjects’ rights and freedoms.