(This article was first published thanks to Research Libraries UK )
Benjamin White, Head of Intellectual Property, British Library, writes about steps libraries should take now to prepare for new legislation:
The General Data Protection Regulation (GDPR) comes into force across the European Union on May 25th 2018. Despite this the UK’s Data Protection Bill is still being debated in the Houses of Parliament. This creates a challenging situation for organisations because the details of UK implementation of the new data protection legislation remain unconfirmed. Given this, organisations such as libraries should ideally plan to implement the GDPR itself, and once the Bill comes into law revisit your activities in its light.
After the Snowden revelations, and the realisation in the public psyche that privacy is a limited commodity in an online world, we can see a huge rise in awareness of privacy issues. Organisations not only need to demonstrate how they use people’s personal information 1 responsibly, but they need to protect themselves from the financial and reputational harms of being found to be non-compliant with data protection law. For example, higher penalties of up to €20 million or 4% of global turnover, are possible for more serious infringements of core principles of the Regulation.
One of the common misconceptions around data protection law is that personal data only relates to sensitive information. This isn’t the case, it also regulates “simple” forms of personal data such as names, email addresses, telephone numbers etc.
The aim of this article is to suggest some of the activities a library should undertake to ensure compliance with the GDPR.
A Possible Checklist
All educational establishments in the UK are likely to have a Data Protection Officer. If you are subject to Freedom of Information requests you will need a Data Protection Officer independent of senior decision makers 2 . If they have not already been in touch with the library, you should proactively contact them to find out whether they have incorporated the work of the library into their activities. The types of personal data a library might manage can range from library membership information and the research datasets it holds, through to personal data on institutional repositories, marketing information, as well as personal data in analogue and digitised collections. Unique archival collections are another important area that can hold much sensitive personal data and that any university data protection officer should be made aware of.
Data protection law places many obligations on organisations that hold personal data (called data controllers in the law) but some of the main activities that should be undertaken to prepare for the GDPR coming into force include:
1. Data Security
Arguably, in terms of data protection law, one of the most important things for any library to focus on is the security of personal data. Recent findings in Kroll’s 10th annual Global Fraud and Risk report stated that 86% of those surveyed reported a cyber incident, with 70% reporting some type of security incident – up by 2% on the previous year. The types of personal data a library may keep are also changing. Alongside traditional areas, with many funders requiring or encouraging that research datasets are archived, the security of this type of information should be an important consideration for library managers.
A recent article on the BBC News website 3 highlighted how some Amazon Web Services users (including companies, universities and governments) were finding in their data lockers messages from independent security researchers warning them that their lockers were insecure and could be targeted by hackers. Misconfigured settings, forgotten data stores, and not keeping patches up to date are common issues that create vulnerabilities for data controllers. In short, staying on top of your data security should be at the top of your GDPR To Do List.
2. Information Auditing
In order to comply with the GDPR it is highly advisable to understand more about the personal data you currently hold and how you use it. Many organisations are therefore undertaking what is called an information audit. This can include:
- Checking IT and any other data sharing contracts to ensure they reflect the GDPR. (The European Commission is expected to issue model contract clauses which will help with this, but currently none have been forthcoming.)
- Map where data comes from, where it is held, who has access to it and who you share it with.
- Record the type of personal information you hold, and establish your legal basis for using these different personal data types. (N.B. As part of a university, while performing a “public task” a university library cannot rely on the “legitimate interests” legal basis for holding and using personal data – this may mean that you now have to establish new legal grounds for processing information in certain situations. If an activity is outside your public task “legitimate interests” may be possible to rely on.Universities, like cultural heritage institutions, are in this respect known as “hybrid bodies”.)
- Make decisions around how long you should keep different types of personal data. You should not hold more personal data than you strictly need, and it should also not be kept for longer than is strictly necessary. There is a general obligation to ensure the data is up to date, so having processes to ensure the data is accurate need to be established.
- Check how robust your policies and processes are around data security, destruction of personal information you no longer need, and maintaining the currency of personal data.
3. Privacy Statements
Having undertaken an information audit, all organisations should review their public facing privacy statements, as the Regulation brings about quite a step-change in the requirements of your privacy notices. These need to be intelligible and as easily understandable as possible by anyone of teenage years and up. They should outline your specific legal grounds for using personal data in regards to named activities, why you are using personal information, where the data comes from and with whom it is shared, as well as your contact details and the types of personal data you hold.
To kill two birds with the same stone, and therefore discharge a number of your legal obligations (such as those that relate to subject access requests) in one go, it would be sensible to also cover in the privacy statement how long you intend to keep the data, and the types of rights people have in the law to control how their personal information is being used. Any profiling or automated decisions made about people should also be clear in the privacy statement.
4. Record Keeping
The GDPR requires data controllers to create and retain information in certain situations and also to provide specific information to data subjects, for example when responding to subject access requests. Your library should establish with the university’s Data Protection Officer what information, if any, you will need to keep in order that the university can comply with the law.
5. Time Sensitive Activities
The period with which a subject access request has to be responded to is reducing from forty days to one month. A data breach may need to be reported to the Information Commissioner’s Office within 72 hours and in certain cases to data subjects as well. Ensuring that the library is able to comply within these demanding time frames and liaise quickly with the university’s Data Protection Officer will be vitally important.
6. Transfers of Personal Data Particularly Beyond the EU
Access to and sharing of personal data is strictly regulated by Data Protection Law. People have the right to know exactly how their personal data is being used, and with whom it is shared. Data protection law also has particular rules regarding exporting personal data beyond the European Economic Area (EEA, the states of the EU plus Iceland, Norway, and Liechtenstein) so any activities, such as collaborative research projects or use of cloud-based services, that involve personal data travelling beyond the EEA will require additional checks and safeguards.
An important principle in the GDPR is what is known as “privacy by design”. This means thinking about protecting people’s personal information should be at the forefront of what you do. In order for the university to show it is complying with this principle, as a minimum training should be given to staff. In terms of library staff, it will be important that they have a basic understanding of data protection law. For those involved in giving access to collections, it is also important that they are familiar with arguably three of the most relevant exemptions in the GDPR for libraries:
- Archiving in the Public Interest (Art 89)
- Scientific / Historical Research and Statistical Purposes (Art 89)
- Freedom of Expression and Information (Art 85)
8. Legal Underpinning for Archiving
Data protection law, allows for certain activities to be undertaken that otherwise would not be legally possible. These are called “derogations” or “exemptions”.
In order that libraries can enjoy the wide exemptions that are given to organisations “archiving in the public interest” there must be a legal basis that puts obligations on them to undertake various activities relating to collecting, and disseminating the historical record. Recital 158 of the GDPR states (emphasis added):
Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest.
Unlike some other European countries, the UK does not have a single Act of Parliament that creates such an obligation on organisations that hold historical records. Neither has the government thus far included this requirement in the Data Protection Bill. In order to enjoy this exemption, therefore, a cultural heritage institution will either have to look to an Act of Parliament that regulates their organisation, or towards documentation that creates a legal obligation in UK law. According to certain lawyers, this could include documentation that outlines your public task, or similar constitutional documents that regulate how your organisation is run.
It would therefore be advisable to establish what the legal basis is that allows your institution to “archive in the public interest”. If this is not clearly defined in statute, constitutional documentation that sets out the function and role of your organisation should be revisited and updated to create archival obligations on the library, archive or museum. In the event of a legal challenge around the exercise of this derogation, and in the absence of a statutory underpinning, clear constitutional documentation is likely to be your best defence as to the basis for exercising the archival exemptions provided for in the Act.
9. Understanding the Exemptions
Archiving in the Public Interest
This exemption enables the keeping of historical materials (published and unpublished) by removing the obligation to ensure personal data is accurate and kept up to date and by ensuring that material, irrespective of why it was first collected, can be retained for archival purposes. The obligation to inform people you are holding their personal data is also removed where this would not be practicable, as are the rights of individuals to have their data erased (“right to be forgotten”) or amended. Other rights, such as being able to prevent someone’s data being used by an organisation, the right to find out what data is being held on a person, and the right to have data transferred to another person or organisation, are also not relevant if asserting the archiving exemption.
Scientific / Historical Research and Statistical Purposes
These exemptions are closely linked to the archiving in the public interest exemption, and appear in the same Article. They allow research to be undertaken using personal information that was collected for a different purpose and relax the prohibitions around keeping personal data for as short a time as possible. The obligation to inform people you are holding their personal data is also removed where this would not be practicable, as are the rights to have your data amended, and to object to your data being used.
What “scientific” and “historical” actually mean have not been defined in the GDPR or the Bill, but perhaps thinking of science in the Latin sense, “scienta”, meaning knowledge, is something that our community should consider.
Freedom of Expression and Information
This exemption has been expanded from the similar exemption under the Data Protection Act 1998 to cover work of academics as well as journalists in undertaking research and publishing of information relating to a living person. The GDPR allows Member States to implement this provision relatively freely, and it is likely that oddities in the current draft of the Data Protection Bill will change. A couple of the anomalies currently seen in the draft include that an academic publishing materials using personal data would be subject to newspaper codes of practice. There is also currently a gap relating to the issue of legal underpinning of archiving activities as highlighted above. Whereas an academic or journalist may have the rights to use personal data as part of “freedom of expression” exemptions, the archive may not be able to supply the information, given the question marks over the lack of statute based legal underpinning for organisations archiving in the public domain.
10. Engagement with your Data Protection Officer
Data protection law can seem overwhelming and difficult to get to grips with. Luckily in a university you will have a DPO with whom you can consult and work with on GDPR implementation requirements. By engaging positively with them, you will not only be protecting the university from potential action by the Information Commissioner’s Office, you will be demonstrating to students, university employees as well as people further afield that the library is a responsible place that sensitively handles personal data and privacy. Reputationally this is likely to serve you well now and in the long run.
- The law refers to personal data as something that can identify, either directly or in combination with other information a living individual – this includes opinions also. Examples include names, emails, library card numbers, medical and religious information etc. ↩
- If you are not subject to FOI, you will need a Data Protection Officer if you are undertaking systematic monitoring of people on “a large scale”, or if using sensitive personal data / criminal conviction data on a “large scale.” “Large scale” is not defined but some people suggest that a hospital processing patient data would constitute large scale. ↩
- http://www.bbc.co.uk/news/technology-42839462 ↩