General Data Protection Regulation – Is it important for a Library or Archive?
Benjamin White, Head of Intellectual Property at the British Library highlights the forthcoming implications from the new General Data Protection Regulation (GDPR) for libraries and archives. RLUK encourages members to submit their views on derogations for Archiving and Research to the Department for Culture, Media & Sport by 10 May 2017.
Since the Edward Snowden leaks in 2013, which made clear the extent of internet surveillance by the security services, hardly a day goes by without some story in the media relating to our online privacy. For example last year we saw the biggest data hack in history with over 1 billion user accounts being compromised. In the UK the 2015 Talk Talk data breach affected a “mere 157,000 records” according to its CEO Baroness Dido Harding, and in 2007 perhaps the most infamous British data breach occured when personal data relating to 25 million child benefit recipients was lost in the post. In the latter case there was never any indication that the data was used by any third party, but it does highlight the importance of organisations training their staff in the ins and outs of data protection law.
This all might seem a million miles away from the activities of a library or archive, but data protection law regulates the use of all personal data in the UK - ranging from information held on students, through to the personal information identifying a living person that appears in newspapers, books, datasets, photographs and unpublished collections held in your library or archive.
One case that might feel a bit closer to home for librarians and archivists (especially those digitising their historical collections) was the so-called Google Spain case in 2014. The European Court of Justice ruled, amongst other things, that an individual had the right to be forgotten online when websites (in this case a newspaper website) made available outdated information unless there is a public interest argument in keeping the information discoverable.
Given the tremendously extensive scope of a law that seeks to control every aspect of how any information that relates to an individual to be identified, it is not surprising perhaps that the new General Data Protection Regulation (GDPR) that the UK will implement by May 2018 took many years to finalise and weighs in at a respectable 88 pages – by contrast the European Copyright Directive is only a measly 19 pages!
In respect of the personal information that a library or archive might hold on its users, libraries and archives don’t really differ from most other organisations who hold the names, email addresses, phone numbers etc of their registered users, or in the case of companies,their customers or clients. Where the new legislation is relevant, is as a place of research, and in the GDPR, a new and important provision, as an archive.
The Data Protection Act 1998, and the directive it was based on, already had limited exemptions for historical and statistical research but the new regulation introduces the concept of “archiving in the public interest”.
One vital issue however is that the archiving exemption is not mandatory, and will have to be implemented by the UK government, which the UK government can chose not to do. Not only this, before we can enjoy the archiving exemptions we will need legislative underpinning for both public and private archives to ensure our activities are based in law.
Currently DCMS is undertaking a consultation on the GDPR, with a deadline of 10 May 2017. RLUK, British Library, National Library of Scotland and the Archival Records Association are working together to ensure the voice of the sector is fully and accurately represented.
What seems clear is the starting point of all this is underpinning legislation that defines for the first time in UK law what an archive is, or perhaps more accurately what the activity of archiving entails. Once this is implemented, subject to DCMS introducing the GDPR exemption for archiving, organisations that hold personal data (and put online historical materials that include information about living individuals) will be better protected from the law.
Working with David Zeitlyn, a professor of social anthropology at the University of Oxford, a small workshop was arranged at the British Library in mid-2016 to get a better understanding of the regulation and this new provision. We were lucky enough to have not one but two ex-Information Commissioners in attendance, as well as representatives from the European Commission, European Parliament and a number of people from the cultural heritage and research sectors, such as the Wellcome Trust.
We presented a number of examples of digitisation projects that contained information relating to identifiable living individuals ranging from archival photographs from Cameroon, to the British Library’s digitisation of Spare Rib. What became clear was that the European Commission and Parliament have done an excellent job at understanding the social and political importance of libraries and archives and the need to protect them from the general obligations that organisations will have under the GDPR. This is particularly important given that fines for breaches of the law, have risen an eye-watering 3500 per cent,
More broadly, it is interesting to note the wide freedom of expression exemptions that are given to protect and support journalism may include press and media libraries. I understand from Dutch colleagues at the Koninklijke Bibliotheek, the national library of the Netherlands, that their government intends to apply these much wider exemptions to the activities of libraries and archives, the vast majority of which hold materials that relate to current affairs.
It is clear that post-Snowden the way people in an online world think about how their personal information is used has changed forever. As a sector wanting to collect, and in certain cases, put online digitised 20th and 21st century collections which will often include information about living people, we cannot ignore this. On the contrary, if libraries and archives are not seen as respecting and understanding the importance of privacy, balanced with our societal role acting as protector of the historical record, what we are able to do with our collections in the mind of the public will become increasingly complex and open to challenge.
(If you would like to see the minutes from the workshop held at the British Library please contact ben.white(at)bl.uk )
Head of Intellectual Property, British Library
Licence: Creative Commons-BY-SA