Data Protection Regulations for Local History Groups

General Data Protection Regulations (GDPR 2016) and the Data Protection Bill (2017)

Why GDPR and what does that mean?
• Why? Increasing volume of digital data and new ways of
processing it means greater risks of abuses of human rights
• GDPR = EU regulations about processing the “personal data of
natural persons” due to come in force 25 May 2018
• See: http://ec.europa.eu/justice/dataprotection/reform/files/regulation_oj_en.pdf
• Good overviews: https://www.eugdpr.org/eugdpr.org.html +
https://ico.org.uk/for-organisations/guide-to-the-general-dataprotection-regulation-gdpr
• The regulations can be modified by individual EU members and UK
currently has a bill in parliament:
https://www.gov.uk/government/collections/data-protection-bill-2017

Definitions
•‘Personal data’ means any information relating to an identifiable
individual – the definitions of sensitive personal data have been
widened to include genetic and biometric data
•‘natural person’ means anyone who can be identified by any
reasonable means (eg by name, identity number, geographical
location etc)
• We are assuming ‘natural person’ relates only to living
individuals as at present but there is a slight risk it could be
widened by Parliament – watch this space!

Principles – very similar to existing ones
under DP Act 1998
Personal data must be:
• Processed lawfully, fairly and in a transparent manner
• Collected for specified explicit and legitimate purposes and not
further processed in a manner which is incompatible with them
– further processing for archiving purposes in the public
interest, scientific or historical research purposes is
permitted
• Adequate, relevant and limited to what is required for the
purposes concerned
• Accurate and kept up to date (where necessary)

Personal data should be:
• Kept in a form where individuals can be identified no longer than
necessary (but may be kept longer for archiving or research
purposes)
• Processed in a manner which is confidential, secure and avoids
accidental loss or theft – bodies holding personal data are
accountable for what happens to it
• Data subjects have a right to access their own data free of
charge and know why it is being processed

GDPR and children
• Children under age of 13 are not able to give consent for
processing
• Children age 13-15 need parental consent as well as their own
• Children 16 and over can give consent

Key innovations
• Privacy impact assessments for new systems (eg a new
computer system) are now needed – systems should be
designed to minimise DP risks
• Publicize purposes for processing data (eg put a notice on your
website as to what you collect and why)
• Consent must be meaningful – need to explicitly opt in, and
must be able to leave mailing lists easily
• Right to be forgotten (but this doesn’t prevent archiving!)
• Tougher regime and higher fines for breaches (up to 4% of
global turnover or 20 m euros whichever is greater)
• Large organisations need a Data Protection Officer who can act
as whistle-blower – this won’t apply to local history groups

What does it mean for most groups?
• You will need to tell your members and anyone whose data you
hold what you are holding and why – a notice on your website
should be fine. Make sure any forms (inc online) used to gather
data include a data protection statement.
• If you get asked what you hold on a named individual you will
need to tell them but you only need to search computer
databases – you don’t need to worry about manual records
(public authorities are different – we do)
• You have an exemption from the need to rectify, delete or erase
data under the purposes of “processing for archiving purposes
and for scientific or historical research and statistical
purposes” – this applies to data you may have collected for that
purpose, not your own membership data

If you buy a new computer system to hold personal data you
need to carry out a data protection impact assessment

The good news!
• Don’t be scared of GDPR!
• The ICO is keen for ‘business as usual’ – reform rather than
revolution
• Further, more detailed guidance for archive services will be
coming from TNA once the bill has become law – at present this
is all subject to change… we will pass on details if they are
relevant but the ICO website can help in the meantime

Claire Skinner

Principal Archivist, Wiltshire & Swindon History Centre

This entry was posted in local history, Society Members and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s