August 2018
Guide to archiving
personal data
1
© Crown copyright, 2018
This information is licensed under the Open Government Licence v3.0. To view this
licence, visit http://www.nationalarchives.gov.uk/doc/open-government-licence/
Any enquiries regarding this publication should be sent to:
[email protected]
Please note that The National Archives is unable to advise data controllers of how to
fulfil the provisions of data protection law in specific circumstances. You should
contact your data protection officer.
2
Acknowledgements
This guide is the result of co-creation with the archives sector. It is the work and views
of a number of individuals, groups and organisations. The co-creators of the guide
included members of the Steering group and the Review group. There were also
numerous contributions after a period of public comment. Thanks to all these
individuals that provided their suggestions, time and support to create this guide.
Particular thanks for their suggestions and contributions must go to the members of
the Steering group:
Chair, University College London Elizabeth Lomas
The National Archives Stuart Abraham, Malcolm Todd and Anna Sexton
National Records of Scotland Laura Mitchell and John Simmons
Museums, Archives and Libraries, The Welsh Government Mary Ellis and
Sarah Horton
Public Record Office of Northern Ireland David Huddleston and Jayne
Hutchinson
Archives and Records Association (UK and Ireland) Jon Elliott
National Archives, Ireland - Niamh McDonnell
The National Archives is very grateful to Susan Healy for discussing her early
thinking on archiving in the public interest with us and permitting those discussions to
inform the preparation of this Guide.
3
Contents
Foreword ................................................................................................................................................. 4
Summary ................................................................................................................................................. 6
Introduction ............................................................................................................................................ 7
Key concepts ....................................................................................................................................... 8
Scope ................................................................................................................................................... 8
Purpose of this guide .......................................................................................................................... 9
Responsibilities of the archives sector .............................................................................................. 10
Data protection law and archiving ........................................................................................................ 12
Data protection law has changed ..................................................................................................... 12
What does the change mean? .......................................................................................................... 12
What has changed? ........................................................................................................................... 13
General Data Protection Regulation (GDPR) ................................................................................ 13
Data Protection Act 2018 .................................................................................................................. 14
Exemptions.................................................................................................................................... 14
Safeguards ..................................................................................................................................... 15
What is meant by “substantial damage or distress”? ................................................................... 16
Lawful basis for different types of archive service ........................................................................... 16
Right to Erasure (Right to be forgotten) ........................................................................................... 17
Access to data by data subjects ........................................................................................................ 18
Unstructured manual records ........................................................................................................... 18
Data Protection Officers and records of processing ......................................................................... 18
Sanctions ........................................................................................................................................... 19
Specific processing ............................................................................................................................ 19
Dual purpose processing and updating data .................................................................................... 19
What do I need to do to start? ......................................................................................................... 20
Archiving purposes in the public interest ............................................................................................. 21
What is archiving under GDPR .......................................................................................................... 21
Establishing ‘archiving purposes’ ...................................................................................................... 21
Establishing the public interest in archiving ..................................................................................... 22
Criteria for archiving purposes in the public interest ....................................................................... 24
What archiving in the public interest is not ...................................................................................... 25
Processing for archiving purposes ........................................................................................................ 26
Why are there special data protection rules for archiving? ............................................................. 26
Appraise (selection) .......................................................................................................................... 27
Acquire .............................................................................................................................................. 28
Security and Preservation ................................................................................................................. 29
Arrange and describe metadata, catalogues and finding aids ....................................................... 29
Access ................................................................................................................................................ 31
Communicate / inspect ................................................................................................................. 31
Disseminate publish /online access/exhibition material ............................................................ 34
Removing access (takedown and reclosure) ................................................................................. 34
Responsibilities of users of archived personal data .......................................................................... 35
Annex A Explanation of terms used in this guide ................................................................................. 36
Annex B Parliamentary Question reply what is meant by the term Archiving in the Public Interest... 39
Annex C Main references to archiving in GDPR and Data Protection Act 2018 ................................... 41
4
Foreword
Archives are special places. They are our collective memory. They help us
to understand the past, make sense of the present, and guide us for the
future. And in an age of fake news, misinformation and opaque institutions,
archives are more important than ever in helping to uphold democracy and
hold power to account.
They also hold a special place in my heart. I began my professional career
in local government archives. My first leadership role was City Archivist for
the City of Calgary in Canada. Making decisions about the preservation and
accessibility of information laid the foundation for my current work in
helping individuals and organisations navigate the digital age.
As the UK’s Information Commissioner I oversee information rights
legislation that, on the one hand, promotes openness, transparency and
access to information, and on the other, requires data privacy for
individuals. It is my job to balance these competing rights and interests.
The General Data Protection Regulation (GDPR) and the Data Protection Act
2018 set the rules for data privacy. They place obligations on organisations
and give people control over their personal data. Amongst other things,
people have the right to know why their data is being used, and can request
that it is corrected or erased.
But data protection is not an end in itself. It does not prevent archiving, it
supports it. Good data protection leads to effective data governance and
records management - two essential elements of archiving. Data protection
law also specifically recognises the importance of archives. There is no
inherent conflict with archiving in the public interest; data protection law
provides for it through various provisions.
This guide identifies, clarifies and explains those provisions relevant to the
use of personal data in archiving. It underpins and supports the continued
important work of archivists - preserving and making available records for
the needs of society now and in the future. I hope this guide helps ensure
that this important work continues.
Elizabeth Denham
Information Commissioner
5
Key messages in this Guide
Data Protection law shapes archiving of personal data. It supports it and does not
prevent it;
Personal data worthy of permanent preservation should be safeguarded by record
keepers until it is archived;
The new archiving in the public interest purpose adapts the operation of various
principles and maintains exemptions from data subject rights such as the right to
be forgotten and data rectification where the necessary safeguards are met.
6
Summary
The Data Protection Act 1998 has been replaced by new legislation;
The new laws enhance the protection of information about people, giving them
greater control over it, while still enabling legitimate use by others;
Data protection applies to processing of digital information about people, and
information about people in manual filing systems;
In general, personal data must be processed for a specified purpose, and kept
for no longer than that purpose requires. Individuals have greater rights over
their data, including the so-called ‘Right to be forgotten’;
However, the law recognises there is a public interest in permitting the
permanent preservation of personal data for the long-term benefit of society;
There is a specific purpose for this ‘archiving in the public interest’ with various
exemptions. This can apply to archiving by public, private or voluntary bodies;
The use of exemptions is subject to the implementation of appropriate
safeguards to minimise any adverse impact on living individuals;
In general, ‘archiving’ which complied with the 1998 Data Protection Act will
continue to be permitted under the new law. There are some changes affecting
archiving but they are not drastic;
Those archiving will need to be more transparent than previously and ensure
the archival processing of data is distinguished from processing that supports
daily business. The archiving purposes in the public interest provisions do not
apply to the daily business of a body e.g. marketing;
Personal data preserved in archives is not expected to be kept up-to-date in
the same way as data still subject to operational use;
Public use of ‘archived’ personal data will generally be possible once the people
concerned are dead, and may be possible earlier if the use is fair to the
individuals in the records.
7
Introduction
1. The rules for handling information about living people in archives and
records intended for transfer to archive services changed on 25 May 2018
with a new explicit provision, archiving purposes in the public interest. In
practical terms, processing for archiving purposes under the new legislation
is not very different from the previous Act and its effective safeguards. This
guide helps you consider what is required for archiving. The change is more
significant for the creation and processing of daily business information. The
Information Commissioner’s Office has published detailed guidance and
resources on this.
1
2. This guide concerns records that contain or consist of personal data that has
been acquired by an archive service for preservation as part of its collections
or is being assessed for this purpose. Personal data can be recorded in any
form or format: databases and datasets, websites, digitised images, email,
audio-visual material, as well as traditional paper files and registers. Archive
services (defined in a wide sense as set out in annex A) may handle records
of enduring value containing personal information about people who are still
alive (e.g. school admission registers, court records, hospital records) and
may create personal data themselves that is subject to the legislation (e.g.
search room attendance registers, correspondence with owners of private
records). Archive services sit in many different types of organisations
galleries, libraries, schools and museums as well as voluntary and community
bodies and private companies. In this guide, the term archive services refers
to all these different types of organisations that archive records in many
formats. Some bodies may also be archiving without formally calling their
collections an archive.
3. Inevitably archive collections contain personal information about people’s
public and private lives, but the purpose of archiving is primarily to maintain
this information for use over the very long-term, when the potential for impact
on individuals is low or non-existent. The new data protection law explicitly
introduces the principle of transparency and highlights the importance of
people's awareness and control over what happens to their personal data. For
archiving purposes in the public interest, there are exemptions from some of
the data protection obligations, but these are still subject to the implementation
of appropriate safeguards. Other data protection purposes interrelate with
archiving purposes in the public interest such as scientific and historical
research (any research done with archive collections will be historical in its
widest sense), and freedom of expression and information may also be
relevant to archives, either instead or in addition to archiving purposes in the
public interest, but this guide does not cover them. There is also an ethical
consideration to protect the privacy of people mentioned in records whilst they
are alive.
1
https://ico.org.uk/
8
Key concepts
Personal data
4. Data protection law applies to ‘personal data’ meaning any information relating
to an identifiable living person who can be directly or indirectly identified. It
applies to both automated personal data and to manual filing systems where
personal data are accessible according to specific criteria. This could include
systematically ordered sets of manual files containing personal data. The Data
Protection Act 2018 applies GDPR standards to unstructured manual files
held by public authorities (manual personal data not held in a structured set),
although there are several exemptions for this type of data.
2
Archiving
5. The activities involved in archiving purposes of records of enduring value are
acquisition and selection/appraisal, accessioning, storage and preservation,
arrangement and description, and provision of access for all types of research
through inspection and publication. The UK archives sector spans public,
private, charitable, voluntary, community and commercial organisations and
groups. If personal data is being kept solely for a defined business or legal
purpose and the intention is to destroy it after that has finished, this is not
archiving purposes in the public interest.
Scope
6. This guide provides important guidance on the purpose and exemptions for
archiving in the public interest provided by data protection law which dictate
how personal data is handled. It is intended for use by those working with
potential or existing archive collections around the exemptions in data
protection law for archiving. Many of the users of this guide will be archivists
although it is intended to be used and referenced by anyone involved in
archiving. With the repeal of the 1998 Data Protection Act, the previous code
of practice for archivists and records managers is now obsolete. This guide
has a narrower scope as set out in the table below.
2
See Data Protection Act 2018 section 24
9
Covered by Guide √
Not covered by Guide ×
Bodies holding personal
data with the intent that
they be part of an
archive in the future
either as part of their
organisation or by
transfer to an archives
service.
Business purpose
storage of data and
general information
management including
offline storage. No
intention to preserve
beyond business use or
records not of enduring
value.
Records received for in-
house appraisal as well
as material already
appraised and held in
collections.
Processing by archive
services of data not held
for archiving in the public
interest purposes e.g. for
marketing and
fundraising or about staff
and users.
Public and private
bodies and voluntary
groups preserving and
making personal data
directly or indirectly
available, either now or
in the future, to enable
research, provide
corporate memory or as
continuing evidence of
rights and obligations.
Research and re-use by
members of the public of
records held in or
published by archive
services.
General compliance with
data protection law or for
other purposes such as
for statistical or scientific
and historical research
purposes.
Purpose of this guide
7. GDPR sets out a specific purpose which enables a number of exemptions for
archiving, providing it complies with safeguards. This guide helps those
intending to use such exemptions (data controllers and data processors). The
data controller is the person (an individual or other legal person such as a
company) who determines why, as well as how, personal data are to be
processed. It is their duty to ensure that the collection and processing of any
personal data within the organisation complies with the requirements of data
protection law. A processor is responsible for processing personal data on
behalf of a controller. Processing for archiving purposes relates to the many
10
formats in which records are held as well as the many types of organisations
and groups that archive and provide archive services.
8. There are other purposes with exemptions from data protection duties that
may also be relevant to archive services and especially their users, such as
processing for freedom of expression and information (journalistic, academic
and artistic or literary expression).The diagram below shows how the archiving
purposes in the public interest exemptions described in this guide are part of
a wider range of exemptions for specific purposes. This guide covers the
archiving purposes in the public interest exemptions only.
9. This guide can also be used by those transferring records to archive services
as they judge appropriate. This guide recommends how archive services
should process records that contain personal data to enable the use of the
records for research, now or in the future. It reflects article 89 of the GDPR
and section 19 and schedule 2 part 6 of the Data Protection Act 2018 which,
amongst other provisions, set out the special rules for archiving purposes in
the public interest.
10. Following this guide will carry weight in the event that the actions of those
involved in archiving processes are challenged. Departure from its provisions
is not unlawful but will need to be otherwise justified in terms of compliance
with the law. This guide is intended to be used in conjunction with general
guidance published by the Information Commissioner. This guide does not
constitute legal advice which should be sought as required. This guide does
reflect good practice and expertise in archiving from the past two decades
under the previous Data Protection Act.
Responsibilities of the archives sector
11. Archive services and organisations that archive need to understand the
general principles, individuals’ rights and particular safeguards that govern
11
personal data and its management and to ensure that their handling of it
complies with the law. Ultimate responsibility for compliance with data
protection law rests with the highest level of management, with advice from a
Data Protection Officer if applicable. Archive services should ensure policies
and procedures are compatible with the legislation, particularly in relation to
storage, security and access to personal data.
12. There is a risk that over-cautious or inaccurate interpretation may lead to the
weeding, anonymising or destruction of files containing personal data that
would otherwise be passed to the archive service with managed access over
time. An archive service’s ability to permanently retain personal and special
categories of personal data for the purposes of archiving in the public interest
should therefore be made clear internally and to potential depositors. The law
contains the necessary safeguards to permit archiving.
12
Data protection law and archiving
Data protection law has changed
14. The Data Protection Act 2018, plus its associated secondary legislation and
the European Union’s General Data Protection Regulation (GDPR), together
referred to in this guide as Data Protection law, began to apply from May 2018.
They supersede the provisions of the Data Protection Act 1998. The
preservation and management of archives must take into account the new
laws.
The law aims to:
To protect individuals’ fundamental rights and freedoms, in an
increasingly data-driven world, in respect of personal data processing;
To enable organisations to process personal information, with due
regard for the rights and freedoms of individuals, in the course of their
legitimate business.
15. The law applies to any processing of personal information. Processing is the
term used for virtually anything that can be done with or to recorded
information, including acquisition, storage and destruction as well as active
use. Controllers must have a lawful basis for any processing of personal data
undertaken, ensure processing is in accordance with the principles described
in the law and comply with the rights of the people to whom the data relates
data subjects. Archive services may claim exemption from certain provisions
in data protection law, such as the obligation to respond to access requests
from data subjects and requests to erase data (right to be forgotten) when
archiving in the public interest. Personal data is that of living people - This
Regulation does not apply to the personal data of deceased persons’.
3
What does the change mean?
16. Data protection is not new. For the previous twenty years the UK archives
sector followed the 1998 Data Protection Act without significant issue using
guidance from the Information Commissioner and a code of practice aimed at
3
GDPR recital 27
GDPR
Data
Protection
Act 2018
UK Data
protection
law
13
archivists and records managers.
4
The guiding principle remains, namely that
record creators and archive services can continue to process personal data in
their collections for archiving purposes but should not cause substantial
distress or substantial damage to the person whose data is being archived.
Generally, processing for archiving purposes that has been legal under the
Data Protection Act 1998 will likely continue to be lawful under the new data
protection law. GDPR will not apply directly after UK withdrawal from the EU
and the Data Protection Act does not transpose it. This is expected to be done
via the European Union (Withdrawal) Act.
17. It is important to have a clear definition of what the scope of a body’s archiving
activity is, and what it seeks to achieve. This should be combined with a clear
archiving function and policies within the organisation itself, so that the nature
and scope of the archiving activity is distinguished from other purposes of
processing. Indiscriminate or random archiving of personal data is unlikely to
be compliant and is in any case bad professional practice. Archive services
(and those transferring records to archive services) need to update their
awareness and documentation of their processing in line with the new
legislation and ensure greater transparency for the archiving of personal data.
What has changed?
General Data Protection Regulation (GDPR)
18. The GDPR applies to records that contain personal information about
identifiable living people. The previous concepts of a lawful basis, compliance
with principles and exemptions with safeguards remain. There is a new explicit
concept of archiving purposes in the public interest in the regulation rather
than all archiving coming under the historical research provisions, as it did
under the 1998 Act. Processing for archiving purposes in the public interest is
not defined within GDPR itself although it is described in a recital. The term is
explored in more detail elsewhere in the guide. The provision for archiving
purposes in the public interest distinguishes between the:
collection, preservation and management, including dissemination,
activities required to ensure that data is permanently preserved in a
usable state (archiving purposes in the public interest); and
use of the data by the public or others, which may or may not take place
for many years, such as for scientific or historical research purposes or
for freedom of expression and information (journalistic, academic, artistic
and literary expression) purposes.
5
4
http://webarchive.nationalarchives.gov.uk/20170907054556/http://www.nationalarchives.gov.uk/documents
/information-management/dp-code-of-practice.pdf produced jointly by The National Archives, the Society of
Archivists, the Records Management Society and the National Association for Information Management
5
See GDPR articles 85 and 89(2)
14
19. Historical research (any research done in an archive repository will be
historical in its widest sense) is likely to be relevant to archive services either
instead of or in addition to archiving purposes in the public interest. In addition,
certain archival collections will have reason to take account of processing for
scientific purposes as well as processing for journalistic, academic, artistic and
literary purposes. Their relevance may depend upon the nature and content
of the records held as well as the purposes for which any archive records are
accessed and used. Data protection law also recognises the public interest in
freedom of expression and information. Further information is available from
the Information Commissioner and the Archives and Records Association (UK
& Ireland)
6
. As a result there is greater visibility for archiving in the new data
protection law. GDPR contains:
Adaptions to certain Principles.
o Purpose limitation. It provides for compatible further processing,
beyond the purpose for which the data was originally collected;
and
o Storage limitation. It allows the retention of personal data for
longer periods than normally permitted under the storage
limitation principle;
Exemptions from certain rights;
o The right of erasure / the right to be forgotten;
o The right to be informed for indirectly collected personal data
where it would be impossible or involve disproportionate effort;
and
o Article 89 makes specific provision for exemptions from a
number of data subject rights: access, rectification, restriction,
notification, data portability and right to object, insofar as they
are derogated for in member state law (The Data Protection Act
2018 in the UK);
Conditions for processing of special category and criminal
offence/conviction data.
20. Where only unstructured manual data is processed, GDPR will not apply
directly, but care is needed. For example, if the records are digitised or
catalogued online, this will bring any personal data into scope of GDPR. The
Data Protection Act 2018 applies GDPR standards to the processing of
unstructured manual files by public authorities, albeit with several exemptions
from its principles, rights and obligations.
7
Data Protection Act 2018
Exemptions
21. The new Data Protection Act contains all the additional exemptions for
archiving purposes in the public interest permitted under GDPR. It states;
6
The Archives and Records Association, UK and Ireland (ARA) have been discussing and planning a revised
Code for record-keepers with colleagues across the public, private and voluntary sectors. It will be different
from, but will complement, this guide.
7
See Data Protection Act 2018 sections 22 and 24
15
The listed GDPR provisions do not apply to personal data processed for
archiving purposes in the public interest to the extent that the application of
those provisions would prevent or seriously impair the achievement of those
purposes
….
Article 15(1) to (3) (confirmation of processing, access to data and safeguards
for third country transfers);
Article 16 (right to rectification);
Article 18(1) (restriction of processing);
Article 19 (notification obligation regarding rectification or erasure of personal
data or restriction of processing);
Article 20(1) (right to data portability);
Article 21(1) (objections to processing).
8
22. If complying with a data subject's request to exercise a right would not prevent
or seriously impair the processing purposes, the request must be dealt with
as normal, e.g. by providing a data subject with a copy of their personal data,
adding a supplementary statement to a record or withdrawing from public
access inaccurate historical data at a data subject’s request.
Safeguards
23. The exemptions are not automatic. Their use is subject to appropriate
safeguards for the rights and freedoms of data subjects. Article 89(1) of the
GDPR says that those safeguards must include the implementation of
technical and organisational measures. Amongst other things, such measures
should respect the principle of data minimisation. This means having a
process in place to help identify the minimum amount of personal data needed
for archiving processing purposes. Additionally, section 19 of the Data
Protection Act 2018 says that processing for archiving purposes in the public
interest will not meet the GDPR's safeguard requirements if it is:
‘likely to cause substantial damage or substantial distress to a data subject’
or:
‘carried out for the purposes of measures or decisions with respect to a
particular data subject, unless the purposes for which the processing is
necessary include the purposes of approved medical research’.
24. The safeguards correspond to those at section 33 of the 1998 Data Protection
Act. There are also conditions to allow processing of special categories of
personal data
9
(previously known as sensitive personal data under 1998 Act).
8
Data Protection Act 2018 schedule 2 part 6
9
Data Protection Act 2018 section 10 & schedule 1 Part 1
16
Lawful basis for different types of archive service
25. Processing of personal data requires a lawful basis (article 6 GDPR). Archive
services are not required to obtain consent from data subjects if an alternative
lawful basis is more appropriate such as a task carried out in the public
interest, exercise of official authority or a legitimate interest. Further
processing of data for archiving purposes in the public interest, should be
considered to be a compatible lawful processing operation
10
so no additional
lawful basis would be required. This will apply primarily to organisations with
in-house archive services (e.g. company, school and charity archives).
26. The UK is distinctive in its legal framework, which reflects its legal systems.
The main legislation that imposes archiving obligations relates to UK central
and local government records, Scottish judicial records, and to certain records
of the Church of England. Because of, the Public Records Act 1958, Public
Records (Scotland) Acts 1937 and 2011 and Public Records Act (Northern
Ireland) 1923, the national record offices and places of deposit will, in relation
to public records, be acting under official authority for a lawful basis. The
Government of Wales Act 2006 created a class of records known as ‘Welsh
Public Records’ and makes provision for them to be managed as though they
were UK Public Records for the time being.
27. Many organisations with archiving functions will also be public authorities able
to rely on a statutorily-defined public task basis for processing personal data.
Local authorities benefit from legislation permitting them to accept
responsibility for and apply resources to archives received from private
sources as well as to their own records. For example, under the Local
Government (Records) Act 1962 and Local Government Act 1972, Local
Government (Wales) Act 1994, Local Government etc. (Scotland) Act 1994,
the Public Libraries and Museums Act 1964, or other national libraries and
museums legislation. Church of England records, including baptism registers,
will be processed under the Parochial Registers and Records Measure 1978.
More detail about archival related legislation is available from The National
Archives’ website.
10
GDPR recital 50
What is meant by “substantial damage or distress”?
The Act does not define this. However, in most cases:
substantial damage would be financial loss or physical harm;
and
substantial distress would be a level of upset, or emotional or
mental pain, that goes beyond annoyance or irritation, strong
dislike, or a feeling that the processing is morally abhorrent
17
28. Other archiving, indeed the majority of UK archiving, takes place without a
specific mandate in law but is nonetheless lawful. The expectation that
archiving of material in private hands will take place and is in the public interest
is reflected in the establishment of the Historical Manuscripts Commission with
a remit to enquire into the whereabouts of archives and manuscripts in private
hands, report on their contents and promote their preservation and use.
11
The
Royal Warrant now appoints the Keeper of Public Records as the sole
Historical Manuscripts Commissioner and the work is done from within The
National Archives. Where an organisation does not have an explicit archiving
task laid down in statute, it is possible for this to be derived indirectly from
other legal provisions, such as the Royal Warrant of the Historical Manuscripts
Commission or section 1(4) of the Local Government (Records) Act 1962,
which refer to the public interest served by voluntary private archiving activity.
As GDPR recitals 41 and 50 make clear, and especially given the common
law system of England and Wales, a legal basis does not have to be under
specific statutory powers. Private organisations may also be able to
demonstrate a legitimate interest basis for processing by pointing to funding
agreements, management agreements or constitutional documents which set
out the purposes of the archive.
Right to Erasure (Right to be forgotten)
29. Under data protection law individuals have the right to have personal data
erased. This is also known as the ‘right to be forgotten’. The right is not
absolute and only applies in certain circumstances. Importantly, the right to
erasure does not apply if processing is necessary for archiving purposes in
the public interest, where erasure is likely to render impossible or seriously
impair the achievement of that processing.
12
Decisions as to whether the
exemption applies should be taken on a case-by-case basis, but given that
the purpose of an archive service is to ensure the integrity and authenticity of
archived records and future analysis would be affected by the removal of data,
erasure may often be likely to seriously impair the processing. Archive
services may still wish to consider requests to have personal data removed
from public view on ethical grounds under takedown and reclosure policies if
data subjects have expressed their concern and the wider balance with
freedom of expression and information is not significantly affected. If a data
subject complains of distress, archive services should consider if the following
is appropriate to make processing fair, especially if the data is available to
search engines and the data is inaccurate:
Reclosure / takedown (removal from public access);
Adding a supplementary statement to the record;
Amending or adding metadata or catalogue description.
30. Consideration should be given to how this might be done when paper records
have been digitised, both as to how the ‘correction’ could be displayed on the
digital display image or equivalent, and how to keep the digital surrogate and
paper original in sync.
11
http://www.nationalarchives.gov.uk/archives-sector/our-archives-sector-role/historical-manuscripts-
commission/
12
GDPR Article 17(3)(d)
18
Access to data by data subjects
31. Although those archiving may find they have no legal obligation to respond to
a data subject access request (SAR), bodies may choose to respond to
access requests, especially when an individual’s rights or entitlements seem
to be at stake. Standard practice for responding should be followed, such as
confirming the identity of the requester. In most cases you cannot charge a
fee to comply with a subject access request. However, you may charge a
reasonable fee for additional copies or where the request is manifestly
unfounded or excessive.
Unstructured manual records
32. GDPR does not apply to unstructured manual data although in the UK more
manual data is likely to be considered structured under GDPR than previously
under the Data Protection Act 1998. For FOI authorities, the Data Protection
Act 2018 partly applies to the personal information in unstructured records
13
as before. Data protection law does not apply to manual unstructured data
held by non-FOI bodies. Archive services may add a structure to data through
additional metadata or by digitisation. If personal data is digitised then it is
processed by automated means and is therefore covered by the GDPR
regardless of its structure.
33. There are exemptions for manual unstructured data used in longstanding
historical research.
14
These include certain principles and rights of the data
subject when personal data was processed before 24 October 1998 providing
it is not carried out for measures or decisions to an individual, or likely to cause
substantial damage or distress to the subject. The limit of 24 October 1998 is
consistent with the 1998 Act. These exemptions maintain the protections of
the previous act for manual unstructured record series processed only for the
purposes of longstanding historical research.
Data Protection Officers and records of processing
34. Under the GDPR, a body must appoint a DPO if:
It is a public authority (except for courts in their judicial capacity);
Its core activities require large scale, regular and systematic monitoring of
individuals (for example, online behaviour tracking); or those activities
consist of large scale processing of special categories of data or data
relating to criminal convictions and offences.
35. If a body has a Data Protection Officer (DPO) it should include the purpose of
archiving in their records of processing activities and privacy notices (which
are required even if there is no DPO). In some organisations the person
responsible for archives may themselves be the DPO, while some bodies will
not need to have one. ICO guidance should be consulted about the role of the
13
2018 Data Protection Act 2018 section 24
14
2018 Data Protection Act 2018 section 25
19
DPO.
15
Like the rest of data protection law, the need to keep records of
processing activities only applies to the data of living persons, not all records
in an archive service. Even storing data without any public access counts as
processing that may need to be publicly acknowledged and recorded.
Sanctions
36. There are sanctions to ensure compliance with data protection legislation. The
Information Commissioner has powers to enter premises, to inspect or seize
material and to prosecute offenders. Compensation or fines may be payable.
Personal data breaches that present a likely risk to people’s rights and
freedoms must be reported to the Information Commissioner without undue
delay, but not later than 72 hours after discovery. If you take longer than this,
you must give reasons for the delay.
Specific processing
37. Organisations processing personal data for law enforcement purposes (police
forces for example) that are archiving information in the public interest
16
are
only permitted to do so if the processing:
is not carried out in connection with measures or decisions in relation to
individual data subjects; and
is not likely to cause substantial damage or substantial distress to a data
subject.
38. Those working in specialist repositories will probably need to seek additional
advice.
Dual purpose processing and updating data
39. An organisation can continue to allow use of the data in its archives for other
purposes as long as that additional use is otherwise compliant. In the event of
dual-purpose processing, the archiving exemptions apply only to the
processing for archiving purposes.
17
Where data is used for business
purposes under dual processing, requests from data subjects must be dealt
with as normal.
40. However, personal data preserved as archives is not expected to be kept up-
to-date in the same way as data still subject to operational use. Archives are
concerned with historical integrity rather than current accuracy. In the event of
complaints being brought by a data subject over inaccuracy, exemptions may
be claimed from right of rectification, or data could be supplemented by a
statement of the requested correction rather than replaced. Archive services
may often be able to rely on the use of supplementary statements to make the
rectification without damaging the archival integrity of the original data.
15
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-
and-governance/data-protection-officers/
16
Data Protection Act 2018 section 41
17
GDPR article 89(4)
20
What do I need to do to start?
41. Exemptions for archiving are not automatic. Before relying on an exemption,
consideration needs to be given to several different factors including:
The necessity of the processing;
The specific circumstances of the processing (e.g. the extent to which
compliance with a data protection provision would prevent or seriously
impair the processing purposes);
The public interest in the processing; and
The safeguards implemented for the rights and freedoms of data subjects.
42. The exemptions for archiving purposes in the public interest may need to be
explained to the public, data protection officers and business areas. The
application of an exemption in particular circumstances may need to be
articulated to the Information Commissioner’s Office.
43. Everybody involved in archiving needs to be aware of the exemptions in data
protection law. They should continue to respect the privacy of individuals and
remain confident that archiving of personal data is legal, subject to safeguards.
Processing should ensure there is the right balance with individuals’ rights.
This may mean certain collections of personal data of living people are not
publicly available whilst the individuals are known or believed to be alive as
making the records available would be unfair to the data subjects (see
Access).
44. Under the new law, there is a greater emphasis on processing being
documented and transparent so that controllers are accountable for their use
of personal data. Where appropriate, this can be done though publishing
collection policies and inclusion of archiving processing in privacy notices.
While organisations will often need to pay a fee under the Data Protection Act
2018, registration (providing the ICO with registrable particulars) is no longer
required. Personal data not being processed for archiving purposes, such as
current staff records or marketing and subscription data, must also comply
with the data protection legislation. The Information Commissioner’s Office
gives guidance on general matters such as marketing.
21
Archiving purposes in the public interest
What is archiving under GDPR
46. The activities that form archiving purposes in the public interest are described
in GDPR at recital 158
Public authorities or public or private bodies that hold records of public interest
should be services which, pursuant to Union or Member State law, have a
legal obligation to acquire, preserve, appraise, arrange, describe,
communicate, promote, disseminate and provide access to records of
enduring value for general public interest.
47. Archiving covers activities designed to ensure the permanent preservation
and usability of records of enduring value. Note that this may be spread over
a number of bodies working in partnership to the same end. The activities
specified in Recital 158 should be carried out in accordance with the law and
with due regard for accountability and transparency of operations, as required
by GDPR.
48. Recital 41 clarifies that a legal basis does not have to be an explicit statutory
archiving role, as long as the application of the legal basis is clear, precise
and foreseeable to the people subject to it. This means that it includes clear
common law tasks, functions or powers as well as those set out in statute or
statutory guidance. The government supports the continuation of archiving by
private as well as public bodies and individuals. It has explained the term
archiving purposes in the public interest in reply to a parliamentary question
18
(see Annex B for full text)
We recognise the importance of the permanent preservation of archives for
long-term public benefit by museums, galleries, archives and libraries……This
is likely to apply to a wide variety of community, private, public sector,
charitable/trust and voluntary sector archives. It could also include archives
that may be closed to researchers at the present time, but which would
become accessible at some future date, and archives which are held in
analogue or digital format. The definition would not, however, cover
organisations which gather and use data, information and records purely for
their own commercial gain or that have no enduring public value.
Establishing archiving purposes
49. Archives are our collective and personal memory, a unique and irreplaceable
part of our heritage. They contain reliable evidence of past actions and
decisions, of the reasons for them and of their impact on those affected.
Inevitably archive collections contain personal information about people’s
public and private lives. As well as their cultural value, archives are about long-
term accountability. They provide the evidence required to protect people’s
rights and seek remedies when necessary. They enable the rights to freedom
of expression and information through journalistic and academic expression,
18
https://www.parliament.uk/business/publications/written-questions-answers-
statements/written-question/Commons/2017-11-03/111381/
22
historical research and public access to official documents and are an
essential resource for business, writers, genealogists, researchers and
historians.
Many UK organisations preserve a proportion of their records, either in-house
or through a specialist archival institution. The UK archives sector spans public,
private, charitable, voluntary, community and commercial organisations and
groups. In a few cases, a specialist body undertakes the archiving The
National Archives, National Records of Scotland and the Public Record Office
of Northern Ireland are obvious examples. Usually archiving is not the primary
function of the organisation but is undertaken as part of its operations to serve
its own needs and for wider purposes. Archival collections will sit in galleries,
libraries, museums, universities, as well as the collections of schools,
businesses and charities. All of this archiving makes up the rich heritage
resources of the UK. This allows society to benefit from past experience and
provides long-term public accountability. Archiving is processing to secure the
permanent availability of recorded memory, i.e. evidence and information, for
a wide range of current and potential future purposes, including:
Enabling research and investigation of all kinds, from academic to
genealogical research;
Enabling long-term accountability, such as public inquiries and other official
investigations like cold case murder investigations;
Enabling the discovery and availability of personal, community and
corporate identity, memory, culture and history;
Enabling the establishment and maintenance of rights and obligations and
of precedent decisions;
Enabling educational use; and
Enabling commercial and non-commercial re-use.
Establishing the public interest in archiving
50. Archiving will normally be in the public interest. Archiving purposes in the
public interest should serve the public good and not be purely for personal or
corporate interest and private gain. It should not support discrimination or
criminality. Archiving records of enduring value for general public interest
benefits administrative efficiency, transparency and legal accountability.
51. Archives and archiving are important. The Universal Declaration on Archives
19
states:
Archives record decisions, actions and memories. Archives are a unique and
irreplaceable heritage passed from one generation to another. Archives are
managed from creation to preserve their value and meaning. They are
authoritative sources of information underpinning accountable and
transparent administrative actions. They play an essential role in the
development of societies by safeguarding and contributing to individual and
community memory. Open access to archives enriches our knowledge of
human society, promotes democracy, protects citizens' rights and enhances
the quality of life.
19
The Universal Declaration on Archives, prepared by the International Council on Archives, was adopted by
UNESCO on 26 October 2011 see http://unesdoc.unesco.org/images/0021/002134/213423e.pdf
23
52. The Council of the European Union in a 2003 resolution on archives
20
stressed
the importance of archives for the understanding of history and culture. In
particular, that well-kept and accessible archives contribute to the democratic
functioning of society. Such well-kept and accessible archives:
Provide individuals, organisations and states with the evidence that
enables them to justify their rights;
Enable citizens to exercise their right of access to official information and
the state to account for its actions;
Preserve the memory of society by constituting the sources of its individual
and collective history;
Enhance the sound functioning of public and private, administrative and
commercial organisations.
53. Some archiving takes place by organisations under legislation for that specific
purpose. Archiving in local authorities takes place under legislation that
permits the establishment of a record office or archive service. The existence
of the legislation demonstrates that this archiving can be considered to be in
the public interest. Other archiving takes place in non-government bodies that
do it as part of their normal operations for a variety of purposes with a strong
public interest element.
Heritage and cultural bodies such as the national museums and galleries,
the British Library, The National Libraries of Scotland and Wales, undertake
archiving in relation to both their own archives and to deposited collections,
gifts and purchases, many of great historical significance;
Universities undertake archiving on a similar basis, the deposited
collections usually being part of Special Collections within the university
library. These collections support academic research and teaching.
University archive services collect and preserve published and
unpublished materials, including data sets that are increasingly being
mandated for preservation by research funders;
Charities and voluntary bodies undertake archiving. This enables long-term
accountability, helps support personal identity and the establishment and
maintenance of rights as part of a duty of care and to promote public
understanding of their mission;
Private sector bodies such as banks, organisations in the creative
industries manufacturing and retail companies maintain archive services for
various reasons: to provide corporate memory, for commercial exploitation,
to provide continuing evidence of rights and obligations, to support
corporate social responsibility and to demonstrate their place in society,
sometimes over a very long period. The archives of landed estates fall into
this category also. A company archive will tell a story of that company, its
industry as well as the people and communities it affected;
There are also community archives and the archives of families and
individuals which support community identity, the maintenance of family
relationships and personal identity, and understanding of the development
of society at large.
20
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32003G0513(01)&from=EN
24
54. The eventual availability of archives for public use is a factor that would make
archiving likely to be in the public interest even if the data by then ceases to
be technically personal data as the individuals are no longer alive. An
important factor is that evidence and information are available for purposes
having public value beyond the immediate interests of the creating
organisation itself. For example, records may provide public accountability via
regulators or historic inquiries, or support use for research having outcomes
of wider value to the public. Bodies may be subject to one, or even both, of
the Freedom of Information (FOI) Acts which means that information must be
provided as a matter of course unless exemptions apply (which is commonly
the case with personal data). Some archive services are within organisations
that are not subject to the FOI Acts but nonetheless allow and indeed promote
research using their archives, or provide information from their archives. There
is an expectation that archiving purposes in the public interest will involve
potential use of preserved data at some stage in the future. That may be direct
public access, or appropriate indirect or limited access with public benefit.
Transparency of operation is particularly important, as this further purpose of
processing is not one which most data subjects will have particularly thought
about. Conversely, the archiving of illegally acquired records or data derived
from illegal processing is unlikely to be in the public interest although it may
still have historical evidential value.
Criteria for archiving purposes in the public interest
55. The public interest is not defined in UK law as it can change over time and
circumstance. Suggested criteria of processing for archiving purposes in the
public interest are below. There may be other factors in particular
circumstances. Not all of these criteria will need to be met (although more than
one would be expected) as they are indicators and circumstances will vary
between sectors and orders of magnitude of the size and resources of the
archive service:
Purpose the purposes for archiving are enabling research and
investigations of all kinds; long-term accountability; discovery and
availability of personal, community and corporate identity, memory and
history; establishment and maintenance of rights, obligations and
precedents; educational use; and commercial and non-commercial re-use;
Activities are some or all of the activities outlined at Recital 158 of GDPR
undertaken by or on behalf of the organisation? The activities are to
acquire, preserve, appraise, arrange, describe, communicate, promote,
disseminate and provide access to records of enduring value’;
Enduring value does the archiving relate to records that have been
selected for permanent preservation? Does it relate to appraisal of records
and activities designed to secure their permanent preservation, such as
their safekeeping, preparation for transfer, arrangement and description of
those selected for preservation? Records of enduring value could be held
by creating functions as well as archive services;
Transparency is the body transparent about the fact and nature of its
archiving of personal data, how it manages that data and how data subjects
can contact it? Does it highlight archiving, e.g. on its website, through
relevant policies, privacy notices or provide online catalogues, guides and
25
other material produced by the archive service? Does it supply details of its
archives for inclusion in the National Register of Archives (maintained by
The National Archives) or the National Register of Archives for Scotland
(maintained by National Records Scotland) or elsewhere;
Standards - Does the archiving pay due regard to relevant standards?
Conformance to standards ensures that the archiving activities support
data protection compliance as well as protect the authenticity and integrity
of the archives. Are there clear policies, procedures and documentation?
Where appropriate is a professional archivist employed or professional
guidance sought? One way of demonstrating conformance is recognition
by the national accreditation scheme, which provides an over-arching,
proportionate and externally validated framework for assessing archiving
operations and is available to most organisations with archiving functions,
whatever their size. Organisations that have not sought accreditation may
need to find alternative ways of demonstrating that their archiving conforms
to relevant standards albeit that this takes account of community needs and
management as appropriate;
Access is some form of public access in line with the data protection
principles permitted, or is it likely to be permitted at some future date when
the archives are no longer confidential? Otherwise are the archives
available to a limited audience having a public interest purpose, such as
academic researchers, regulators or official investigators, or is information
made available indirectly through responses to written enquiries? Are the
archives used for purposes other than the holding body’s commercial gain
or private interest e.g. for education?
What archiving purposes in the public interest is not
56. Archiving should be distinguished from long-term, but finite, retention of
records to support current business or legal requirements (e.g. for pension
purposes). Archiving should not be confused with sending records to cheaper
offsite storage or moving data from a live system. The term archiving is
sometimes used this way in computing to mean storing data in offline systems.
If personal data or records containing the information are being kept solely for
a defined current business or legal purpose and the intention is to destroy
them after that has been finished, this is not for archiving purposes in the
public interest.
Processing for archiving purposes in the public interest does not include
processing of personal data solely for current business needs and activities;
It does not include processing of personal data in records being stored for
a specified limited period;
It does not include records that have been designated as having no
potential or confirmed enduring value.
26
Processing for archiving purposes
Why are there special data protection rules for archiving?
57. Archive services hold archives kept for their evidential value to an organisation
or person in the widest sense. As primary sources, archives transmit authentic
evidence of human activity and experience through time to current and
subsequent generations. For records to retain their value and integrity,
crucially to maintain their impartiality to bear witness to past events, the
preservation of the personal data they contain is essential.
58. Records being archived are often unique in content and context, are usually
not published at creation, nor acquired directly from the data subject and are
arranged according to the business process that generated them. Sensitive
personal data is likely to be unavailable to the public for several decades to
protect the privacy rights of individuals. Processing for archiving purposes of
such sensitive data is required well in advance of any use by researchers and
is unlikely to have a significant impact on privacy especially if publicly
unavailable. Archiving purposes are as much about ensuring survival of
personal data to enable future research use as they are about facilitating
current research use. Archive services may manage the collections created
by many different organisations and individuals within their archives. Typically
archive services do not have a current relationship or contact with the
individuals whose data they hold as they often did not create many of the
records. As a result, it is more difficult to locate particular personal data,
especially in older paper records, so responding to data subject rights would
be far more arduous than for most data controllers.
59. The nature of the agreement made with the depositor or donor will determine
the role of the archive service in relation to a collection. The responsibilities of
each party in relation to data protection must be clear. As a general rule
archives received by an archives service can fall into three categories:
Records transferred from within the organisation, which may be a public
authority or a private sector body such as a company or historic house.
Corporate policy should set out the basis on which archives containing
personal data will be passed to the archives service and the level of control
and responsibilities that will be passed with them such as responding to
people’s requests for data;
Gifts, legacies or purchases, the common factor being that physical
ownership of the archives passes to the archives repository or its parent
organisation. The data controller will be the organisation of which the
archives repository is a part, unless there is explicit provision to the contrary;
Deposits on loan from external sources, whereby custody passes to the
archives repository but ownership remains with the depositor or another
party, such as a trust. In such cases the organisation of which the archives
service is a part may become sole data controller or may share that
responsibility with the owner as joint data controllers, or may act merely as
27
a data processor, leaving control wholly in the hands of the owner. Which
applies will depend on the terms of the deposit. As a general rule, the more
control over access and use passed to the archives repository, the more
likely it will be that its parent organisation has acquired data controller
responsibilities. A variant of this last option occurs when control passes to
the archives service in whole or in part, but storage is contracted-out to a
third party which is a data processor. Where a data processor is used, a
written contract must be put in place. The Information Commissioner
provides guidance on the identification and duties of data controllers and
processors. What is vital is that the owner’s continuing interest in the records
and the obligations of all parties are set out clearly in the deposit agreement.
If the terms of deposit are unclear and the current owner is unknown or
cannot be contacted, the organisation of which the archives repository is a
part should be regarded as data controller by default. Transfer and deposit
agreements should clarify the responsibilities of the archives service, stating
whether the originating person or body is retaining or transferring data
controller responsibilities. It may be necessary to obtain legal advice to
ensure that the wording of these agreements is accurate.
60. Usually, archiving processes are undertaken by a single organisation.
However, in some situations, the activities involved in archiving are shared
between two organisations or distributed in some other way. For example,
storage and conservation work may be contracted-out to a specialist company
which is answerable to the contracting organisation in respect of that work or
management of the operation may be contracted-out to an arms-length trust
or joint service. Another example occurs with UK government records where
pre-transfer activities - appraisal, arrangement and description - are
completed by the government departments that created and have custody of
the records prior to transfer,
21
then other activities acquire, preserve etc. -
are undertaken by The National Archives or another place of deposit. The pre-
transfer activities are usually undertaken under the general guidance or
supervision of The National Archives
22
or other place of deposit. This work
constitutes processing for archiving purposes, regardless of where it takes
place or who does it.
23
Appraise (selection)
61. When considering the permanent preservation of personal data, serious
consideration should be given as to how far this will be in the public interest.
This will mean weighing up whether society as a whole, and in particular
researchers, will benefit from preservation of the data for historical research
and other purposes. All appraisal decisions should be documented as a matter
of good professional practice and collection policies published as appropriate.
The documentation will help demonstrate that the preserved data is of
enduring value having been through a selection process.
21
Set out in Part 2 of the Code of Practice issued under section 46 of the FOI Act and the equivalent code
under section 61 of the Scottish FOI Act.
22
Public Records Act 1958 section 3(2)
23
The Public Records (Scotland) Act 2011 provides for oversight by the Keeper of an authority’s management
of its records - http://www.legislation.gov.uk/asp/2011/12/contents
28
62. All archive services acquiring personal data must be able to show that their
processing of that data is lawful, fair and transparent, in accordance with
principle (a): lawfulness, fairness and transparency. Those involved in the
appraisal of digital records prior to their transfer should ensure that personal
data of enduring value is identified as soon after creation as possible and
digital continuity methods applied accordingly to preserve the authenticity of
the record. Once selected, archiving exemptions may apply to handling data
subject rights even whilst the data is in the custody of the creating function.
63. The GDPR specifies what you need to tell individuals when you obtain their
personal data (privacy information). When an archive service obtains personal
data from a source other than the data subject, it is exempt from the need to
provide them with privacy information if doing so would be impossible or
involve a disproportionate effort. This is most likely to be the case where the
archive service holds no relevant contact details for the data subject and has
no reasonable means to obtain them.
24
Where an archive service does not
provide privacy information to data subjects, it must take other appropriate
measures to protect their rights and freedoms. Two measures that must
always be taken are making the privacy information publicly available (e.g. on
a website) and carrying out a data protection impact assessment to assess
and mitigate risks of processing potentially unknown to data subjects. Other
relevant measures for archives services to mitigate the potential unfairness of
not providing data subjects with privacy information may include:
processing the data in an otherwise transparent manner;
keeping records closed for an appropriate period;and
restricting access and use only for research (the results of which will be
anonymised).
A case by case assessment will be required as the exemption is not blanket.
The Information Commissioner’s website has more guidance on what privacy
information should be provided to individuals.
Acquire
64. All newly received archives, whether digital or manual, should be risk
assessed and sampled as appropriate to ascertain whether they include
personal data, especially special categories of personal data, covered by the
legislation, for example a database or a series of case files about named living
individuals. Bodies that are not subject to the FOI Acts will find that some
manual unstructured records fall outside the legislation. Bodies subject to the
FOI Acts should assume that all records containing personal data about
identifiable living individuals are subject to the legislation.
65. As a general rule, it is simpler to accept only those sets of personal data that
are no longer required for current business and hence can be retained for the
sole purpose of archival preservation. This is because it will be clear that they
are historical records, although still with potential business use. However, this
may not always be practicable and further dual use may prove necessary. It
should also be clear to someone consulting the data whether the records are
24
GDPR article 14(5)(b)
29
still in active use and have been kept up-to-date, or instead reflect a historical
position.
66. Transparency is specified in principle (a) (lawfulness, fairness and
transparency) and suggested at Recital 39, where lawful processing is linked
to data subject awareness of that processing. Where necessary, Article
14(5)(b) offers greater flexibility in respect of archiving purposes in how
transparency information for data subjects is provided. Whatever the source
of the material, an archives service will need to discuss how transparency data
is provided effectively to data subjects via privacy notices, as well as ensuring
that clear agreements are in place defining what responsibilities both parties
have for the archived data and its future use. This is sector good practice.
Clear, published policies on what types of material an archives service aims
to archive will help demonstrate that personal data in collections is relevant
and not excessive.
Security and Preservation
67. Those responsible for personal data should ensure that adequate levels of
security are provided. These will depend on the nature and age of the
information and the extent to which it requires protection. For example, special
categories of personal data are more likely to need restricted access to the
minimum necessary staff. The Information Commissioner provides further
guidance on information security and risk assessment. The security measures
that are appropriate for an archive service will depend on its circumstances,
so a risk-based approach should be adopted.
68. Digital preservation should be taken into account when assessing security
needs. An archives service may need the assistance of others to carry out
digital preservation activities. This relationship needs to be clearly identified
and expected service levels formally agreed and documented to ensure the
accountability of all parties. It is important to note that where service providers
are used, it is the commissioning organisation that remains responsible for the
digital records at all times. Digital preservation activities should ensure there
is a verifiable and trusted means of preserving the integrity of digital records.
This gives continued access to digital information in the future. Likewise, if
paper storage or specialist services have been contracted-out, the
commissioning body remains the data controller.
Arrange and describe metadata, catalogues and finding aids
69. Online catalogues and finding aids made available to the public are covered
by the Data Protection Act 2018 if they include entries containing personal
information. Manual finding aids will also be covered if they hold personal
information in a sufficiently structured format or are held by an FOI body.
Depending on the sensitivity of the information it may not be suitable to provide
public access to all metadata and finding aid content if individuals are
identifiable (see Access below). Carrying out a Data Protection Impact
Assessment (DPIA) may be appropriate. A DPIA is a good framework to work
in so that privacy issues can be identified and mitigated. Further details of
these can be found on the Information Commissioner’s website. By restricting
30
the description and access to personal details (e.g through pseudonymisation
or redaction) for a finite period if required, archiving purposes in the public
interest respects the principle of data minimisation in terms of limiting
processing to what is necessary. A record/object level description may be
innocuous in itself but when read in conjunction with the higher level
contextual information may infringe the individual’s data protection rights. For
example a name and date of birth alone may seem harmless but in the context
of case files of mental health hospital patients it becomes sensitive.
70. As a general rule, assessment of the sensitivity of descriptions requires
consideration of the same factors as for third party access to the record. If a
name is sensitive but central to the reason for selecting the file and should
therefore be in the description, the description should be withheld or redacted
while the document is closed. If a name need not be included in the description
(because, for example, the file deals with a precedent) and there are no other
reasons why the description should not be released, then the description can
be open. A number of questions can be asked:
Is the person alive or dead? Assume a lifespan of 100 years if you do not
know the individual’s date of death;
Is the person identifiable? Note that a name in itself (John Smith) may not
make a person identifiable; it is the name’s association with other
information, such as the position held or an event or location that will usually
enable the individual to be identified. If the document is closed and the
description does not provide sufficient information to identify the individual,
a personal name can be included in an open description. For example, an
item about a criminal trial might be described as “Trial of J Jones” but while
the item is closed, J Jones is not identifiable from the description itself
unless further contextual information is provided;
Is it really necessary to identify the individual in a description? If the
archives have been selected because they contain policy or precedent
papers, there is usually no need to include in the description the names of
individuals because the focus should be on the policy or precedent;
Is there a statutory restriction on releasing information in the description?
For example, some laws protect the confidentiality of personal information
such as victims of sexual offences;
Is the related record open or closed to the public? If the record is closed,
consider whether the description reveals the information which the closure
is designed to protect. If it does, it may be necessary to amend the
description or redact it until the record can be released, often by removing
the name. If absolutely necessary the full description should be withheld. If
the record is open, the description should be open but it must be fair,
accurate and unlikely to cause substantial damage or substantial distress
to a data subject;
Is the information in the public domain already? Information reported from
open court is in the public domain unless it is clear that reporting restrictions
have been imposed and not lifted. However, it may not always be clear from
a court record what was reported at a trial. If the data subject has put the
same information about themselves in the public domain, then archive
services are more likely to be justified in disclosing it. However, the fact that
information was once public knowledge, for example in a localised area and
31
if this happened some time ago, is not of itself a justification for disclosure
by the archive as further distribution may be unfair so a risk assessment is
useful;
Is it likely that release of personal information in a description could cause
distress or damage to the data subject? This applies particularly but not
exclusively to special categories of personal data. It is necessary to
exercise judgement to assess the severity of distress or damage that might
be caused and whether that is fair to the individual.
71. Bodies subject to the FOI Acts may receive a request for personal information
in a closed description, often as a precursor to a request for the information
itself. While there is a duty to confirm or deny that information is held and to
provide that information, an exemption from that duty applies if to do so would
release exempt information.
Access
Communicate / inspect
72. Data protection law does not give third parties rights of access to personal
data. Access to personal data in archives by someone other than the data
subject or the data controller should take place only after assessment of the
likely impact on the data subjects’ right of privacy. It may be impossible until
data subjects are, or can be presumed to be deceased.
73. Archive services should be able to show disclosure of personal data is fair,
lawful and transparent in accordance with Principle (a). Access for scientific
(in its widest sense), historical or statistical research may be possible within
the safeguards. Decisions to allow or refuse access should be explained and
documented so that archive services can demonstrate that they have acted in
accordance with the law and in good faith if similar requests are received.
Requests for access by the data subject themselves should be treated
differently under the data protection law.
Lifespan assumption
Given the large number of individuals commonly featuring in archive collections,
archive services will not be in a position to ascertain whether they are still alive. If it
is not known whether a data subject is alive or dead, the following working
assumptions can be used:
• Assume a lifespan of 100 years;
If the age of an adult data subject is not known, assume that they were 16
at the time of the records;
If the age of a child data subject is not known, assume person was less than
1 at the time of the records.
If the individual is known to be more than 100 years old and still living then
compliance with data protection law is still required. They are entitled to make a
subject access request or to exercise any of their other rights.
32
74. If personal data is held in archives that are subject to FOI, i.e. they are held
by, or on behalf of, a public authority, third parties seeking access to personal
data subject to the Act have the right to be told whether it is held and to be
provided with it, unless an exemption applies. There is a presumption that
information provided to an enquirer under FOI is available to any other
enquirer, i.e. access to one means access to all. The most relevant exemption
in the UK Act is at section 40 and in the Scottish Act at section 38. It requires
archive services to consider whether confirming the existence of the data or
releasing it would breach any of the Principles. If so, the exemption should be
applied. Note that it is not possible when providing access under the FOI Act
to impose any conditions on access to personal data communicated by the
Act.
75. Even where access is not prevented by Data Protection law, other FOI
exemptions may need to be considered also. For example, the exemption at
section 38 of the UK FOI Act and section 39 of the Scottish FOI Act, which
allow information to be withheld if release would endanger the physical or
mental health or the safety of a living individual such as a relative, or the
exemption at section 41 of the UK Act and section 36 of the Scottish Act for
information to which a duty of confidence is owed, may apply.
76. Archive services in public authorities should note that unstructured personal
data in records collections of private origin may fall within the UK FOI Act by
virtue of being held by a public body subject to the UK FOI Act.
25
The position
is different for archive services in public authorities which are subject to the
Scottish FOI Act, where such records are held on behalf of the private person.
Unstructured personal data of private origin held by Scottish public authorities
will fall within the scope of the Act only if ownership has passed to archive
service or its parent body.
77. Access must be lawful. Principle (a) requires personal data to be processed
lawfully and so, even if the Act seems to provide no impediment to access,
other aspects of lawfulness must be considered. Statutes protecting the
confidentiality of personal information must be respected and the right to
respect for private and family life in the Human Rights Act 1998. For example,
the Sexual Offences (Amendment) Act 1992 protects the anonymity of victims
of certain offences during their lifetime. Archive services should check whether
any statutory bars to access apply to personal data they propose to release.
Other common law provisions such as confidentiality remain. A duty of
confidence may attach to particular records, for example health records,
where the consent of the individual is required unless there is an overriding
public interest in disclosure. An individual’s expectation of confidence in their
patient records is such that medical records may not be disclosed until
sometime has elapsed after their death. The information made available must
not be libellous or obscene.
25
Data Protection Act 2018 section 7
33
78. Access must be fair. Note that this is a separate requirement under Principle
(a) to that in order to make use of the provisions for archiving purposes in the
public interest with its safeguard of avoiding substantial distress and damage.
The archiving provisions do not change processing under Principle (a). which
requires data to be processed fairly. In data protection terms, fairness is about
handling personal data only in ways that individuals would reasonably expect
and not using it in ways that have unjustified adverse effects on them. This
will necessitate consideration of the way in which the information was
originally acquired (web archived and published data is much less likely to
have access restrictions due to personal data), its nature and age, and
whether research will make possible the identification of individuals. Fairness
to data subjects is the main concern of the law and the guiding principle when
in doubt about fairness is withhold the data. More guidance about fairness can
be found on the Information Commissioner’s website and detail about third
party access to personal information in an FOI context can be found on The
National Archives and Information Commissioner’s websites. The impact of
disclosure should be assessed, taking into account the following factors:
The nature of the information must be considered. Some personal
information, including some special category personal data, is
comparatively innocuous, some is not. To take medical information as an
example: the simple mention of a person’s broken leg 20 years ago is not
something people would generally feel a need to keep secret, although
context is important. If the information about the broken leg is in a medical
record then the rules around extended expectation of confidence relating
to medical records apply. On the other hand, information about treatment
for a mental illness 40 years ago is still considered by some people to carry
a stigma and hence is not suitable for disclosure. In both cases, the
information is special category of personal data but different judgements
as to the fairness of disclosure can be formed. Likewise a person’s religious
affiliation, which may be obvious from their job title or mode of address -
Imam, Rabbi, Archbishop, etc. At the other extreme, in certain contexts,
disclosing information about someone’s religion could endanger their
physical safety;
The age and context of the information may be relevant. The need to
provide protection generally diminishes over time although in certain cases
the expectation of privacy many decades after an event can also apply.
The age and status of the data subject should also be considered as this
can affect the extent of distress they might feel. Was the individual acting
in a public or official capacity? Criticism of a government Minister by a
colleague in an official file is less likely to be unfair to disclose once
historical than criticism by family members about each other in recent
private email or correspondence;
Genuine information (as opposed to speculation) already in the public
domain because it is a matter of public record should normally be
accessible. An example would be conviction for an offence in a court where
no restrictions on naming the person apply (although note that a court case
file may contain a mixture of information placed in the public domain at the
time of the trial and information that was not made public). Potentially,
sensitive information deliberately made public by the data subject may also
be made accessible. It is impossible to anticipate what research may be
34
done on any particular set of data and how that could be linked to other
data but, if damage or distress to any individual would be a likely
consequence of any research, the data should generally remain closed.
Disseminate publish /online access/exhibition material
79. Careful consideration must be given to personal information in records that
are to be made available online, especially if that information will be exposed
to search engines. Placing personal data on a website, including digitised
copies of manual records, is different from processing paper records for onsite
viewing, by its order of magnitude and greater ease of access. Data or
digitised version of records should not be placed online unless their contents
have been reviewed and it is fair to the data subjects to make the archives
available in this way. It is possible that onsite inspection of paper records is
fair because there is no way of searching by name, whereas online access
would be unfair if there is searchable metadata by name. In that case, those
who come across the index data by using a search engine might not be aware
of the archival context or age of the information.
80. Care is required with photographs, paintings, etc. Even if a photograph is
anonymous in the sense that it is not captioned with names, nor tagged with
names in the metadata, it is still possible that the individual could be identified.
In all cases the likely effect on people of their image being made available
must be taken into account. Bear in mind that photographs are often depict
special categories of personal data: people undergoing medical treatment,
people being arrested, attending trade union demonstrations, etc. Care must
also be taken with records that at first glance would not contain personal data,
for example maps and plans. These may contain the name of the surveyor or
architect, but occasionally they can be annotated with opinions or decisions,
in a manner that may identify living individuals. Some categories of born
digital records may also contain personal data that is not always immediately
obvious, for example, Geographical Information Systems (GIS). These may
contain a layer of personal data that maps individuals, or groups of people that
may be identifiable. Therefore, the same criteria for deciding suitability for
wider access must be applied.
81. Any external contractors employed to undertake imaging and transcription
must be made aware, via the contract, of their responsibilities as a Data
Processor. Digitisation work is sometimes undertaken in countries outside the
European Economic Area. Archive services and contractors must consider
their responsibilities under GDPR Chapter 5. Careful consideration should
also be given when selecting material that contains personal data for an
exhibition. Again, the greater access and attendant publicity around an
exhibition may make it less fair to the individual and may cause them distress.
Similarly, care is required when including material in a book to be published
by the archive service.
Removing access (takedown and reclosure)
82. If it becomes apparent that personal data is available to the public and risks
causing distress to the individuals, archives may wish to consider closing the
data concerned (reclosure or takedown if data is online). Examples include:
35
Because of changed circumstances, information in records previously
opened in good faith is now considered to require closure (e.g. if someone
is alive after 100 years or the information was not highlighted at transfer
or accession as requiring closure);
Where the material contains sensitive personal information about
someone who is still alive and continued public access would be unlawful
or unfair to them under data protection law.
83. When assessing cases, archive services should take into account how long
the information has been in the public domain, whether it is likely to be
available elsewhere, and the public interest in withholding the record from
public access. For FOI authorities, reclosure does not affect the statutory
rights of members of the public to request access to a closed record by making
a request under the FOI Acts.
84. If the archive service’s website allows tagging of catalogue entries or other
content by members of the public, it is important that people adding tags
should be made aware of their responsibilities not to invade the privacy of
living individuals, by drawing potential taggers attention to a terms of use
policy. The archive service will remain the data controller so needs to act on
any instances drawn to its attention.
Responsibilities of users of archived personal data
85. When people obtain copies of personal data from an archive service they
become the data controllers in respect of those copies and must observe the
data protection principles, unless they can claim an exemption, or they are not
covered by data protection law, for example because their processing is for
domestic purposes only, i.e. personal, family or household use. However,
archive services cannot control subsequent use of personal data and it is
advisable to assume that researchers will be subject to the Act, and ethical to
make researchers aware of their responsibilities. Steps to safeguard the fair
and lawful use of data by users of archived records include:
Informing researchers that they are responsible under the GDPR and DPA
2018 for any processing by them of personal data disclosed to them,
including publishing;
Explaining to intending researchers the safeguards that apply to the
research use of particular data;
Requiring researchers to sign a declaration or undertaking that, as a
condition of access to data that might otherwise be closed, they will comply
with the legislation and not identify individuals. Undertaking forms to consult
specific personal data subject to these conditions should be signed and
kept as an audit trail. If researchers are bound by a sectoral code of practice
or particular employer requirements, e.g. guidelines produced by a
university ethics committee, making access conditional on the researcher
undertaking to comply with that as well as with any special conditions
applying to specific sets of personal data. This is particularly relevant if they
intend to publish or to make use of the data for purposes other than
personal or household activities.
36
Annex A Explanation of terms used in this guide
Acquire
The receipt of data and records from an external person or organisation or from
another part of the same organisation. The term represents a transfer of
responsibility and is not necessarily intended to imply that they become the
property of the archives service.
Anonymisation
The masking or removal of personal data from documents. This could be by
redaction so that data subjects can no longer be identified from the information in
a particular document. In a structured digital dataset this could be by removal of
identifiers at record level or additionally by aggregating up the record so that it
refers not to an individual but to all individuals in a particular set, such as a
geographical area. The standard set by the Information Commissioner for
anonymisation is that it should prevent a ‘motivated intruder’ from discovering
information about individuals.
Archives
Materials created or received by a person, family or organisation, public or private,
in the conduct of their affairs and preserved because of the enduring value
contained in them or as evidence of the functions and responsibilities of their
creator, especially those materials maintained using the principles of provenance,
original order and collective control; permanent records. (ISO 16175-1:2010).
Archives may be informal in terms of their format and the ‘business’ to which they
relate: for example, a group of love letters may be created and maintained for ‘the
conduct of...affairs’ of a personal and private nature and in some circumstances
include published material that is being permanently preserved.
Archive Service
A public or private organisation that is responsible for the management of records
selected for permanent preservation for historical purposes and undertakes the
archiving purpose. Some archives services are legal entities in their own right;
other archives services are a function within a larger legal entity. At times archive
services may be organised through a voluntary or community group. Archive
Services will normally have custody of the archives of their own parent
organisation but may also have custody (but not necessarily ownership) of the
archives of other organisations or persons.
Archivist
An archivist is a professionally recognised role fulfilled by a person having
undertaken specific education and training in managing, appraising, preserving
and using original records through time. Archivists work with all forms of records,
including paper documents, photographs, maps, films, and digital records. They
assist a wide range of stakeholders to access and use records.
Closed record
This is a record that is not available for general public access. Note that it may be
possible to provide access to information within the record in response to an FOI
37
request, for example by redacting the record to remove information that should be
withheld, such as information identifying individuals. It may also be possible to
provide access outside FOI to those agreeing to specified restrictions on use and
for data subjects.
(Data) Controller has the meaning given to it in the Regulation.
A controller determines the purposes and means of processing personal data. This
is the person (an individual or other legal person such as a company) who
determines why, as well as how, personal data are to be processed. It is their duty
to ensure that the collection and processing of any personal data within the
organisation complies with the requirements of the Data Protection Act. An archive
service may be a joint controller even if another party such as a depositor retains
some level of control of the data.
(Data) Processor has the meaning given to it in the Regulation.
A processor is responsible for processing personal data on behalf of a
controller.This is any person (other than an employee of the data controller) who
processes the data on behalf of the data controller. Data processors must have a
written contract in which the data controller defines how personal data, including
sensitive personal data, is to be processed and what security measures will be
appropriate. While data controllers maintain overall responsibility for any
processing carried out on their behalf, data processors do have some direct
responsibilities under the GDPR and may be subject to fines or other sanctions if
they don’t comply.
Data Subject
The person who is the subject of the personal data. To count as a data subject the
person must be living and capable of being identified from the data or other data
in or likely to come into the possession of the data controller.
Historical research
Any research done in an archive repository will be “historical” in its widest sense.
Inspection
Disclosure of documents containing personal data to one or more identified or
identifiable natural or legal persons other than the data subject or a data
processor. This includes making documents available for consultation and use,
providing copies or enabling copying of documents, and enabling the interrogation
of documents. (See also Publication)
Manual unstructured data
Manual personal data not held in a structured set. A structured set is accessible
according to specific criteria, whether held by automated means or manually and
whether centralised, decentralised or dispersed on a functional or geographical
basis.
Open record
This is a record that is available for public access on an unconditional basis.
38
Personal data has the meaning given to it in the Regulation.
Any information relating to an identifiable person who can be directly or indirectly
identified in particular by reference to an identifier. This provides for a wide range
of personal identifiers to constitute personal data, including name, identification
number, location data or online identifier. The GDPR applies to both automated
personal data and to personal data contained in (or intended to be contained in)
manual filing systems where personal data is accessible according to specific
criteria. This could include systematically ordered sets of manual records
containing personal data.
Processing has the meaning given to it in the Regulation.
This has a very wide meaning. Passively holding information counts as processing
as well as actively obtaining, recording, using, amending or destroying it.
Pseudonymisation has the meaning given to it in the Regulation.
The process of distinguishing individuals in a dataset by using a unique identifier
which does not reveal their ‘real world’ identity (see ICO Anonymisation code of
practice).
Publication
Disclosure of documents containing personal data to natural or legal persons
without regard to their identity, making them available for consultation and use and
enabling perusal of them. Applies to online digitisation and born digital data sets
and web archives. (See also Inspection)
Records
Information created, received, and maintained as evidence and information by an
organization or person, in pursuance of legal obligations or in the transaction of
business.
Special personal data
The GDPR refers to sensitive personal data as “special categories of personal
data” (see Article 9). The special categories specifically include genetic data, and
biometric data, where processed to uniquely identify an individual. Personal data
relating to criminal convictions and offences are not included, but similar extra
safeguards apply to its processing (see Article 10).
39
Annex B Parliamentary Question reply to what is meant by
the term Archiving Purposes in the Public Interest
We recognise the importance of the permanent preservation of archives for long-
term public benefit by museums, galleries, archives and libraries. The General
Data Protection Regulation (GDPR) and the Data Protection Bill permit such
organisations to process personal data (including sensitive personal data) without
consent, where necessary for “archiving purposes in the public interest”, subject
to appropriate safeguards for the rights and freedoms of data subjects. It also
exempts archiving services from complying with certain rights of data subjects (for
example, rights to access, rectify or erase their data), where the exercise of such
rights would seriously impair or prevent them from fulfilling their objectives.
‘Archiving in the public interestis a new term in data protection law. The Data
Protection Act 1998 made no express reference to it and it is not defined in the
GDPR, but Recital 158 to the GDPR may help to understand it. It says:
“Public authorities or public or private bodies that hold records of public interest
should be services which, pursuant to Union or Member State law, have a legal
obligation to acquire, preserve, appraise, arrange, describe, communicate,
promote, disseminate and provide access to records of enduring public value for
general public interest.” This is likely to apply to a wide variety of community,
private, public sector, charitable/trust and voluntary sector archives. It could also
include archives that may be closed to researchers at the present time, but which
would become accessible at some future date, and archives which are held in
analogue or digital format. The definition would not, however, cover organisations
which gather and use data, information and records purely for their own
commercial gain or that have no enduring public value.
We recognise that concerns have been raised about the reference in the Recital
to archiving organisations being under a ‘legal obligation’ to archive. While this
may reflect the archival system in some other EU member states, it does not reflect
the position in the UK. Many smaller archives, particularly in the private sector, are
unlikely to have any statutory obligations to archive.
We do not think the best approach is to create new statutory duties requiring
organisations to archive. This could force organisations to archive that had no
intention or means of doing so. Instead, we want to reassure bona fide archiving
services that they will be able to continue to process personal data for the
purposes of archiving in the public interest, regardless of whether they have a
statutory obligation to do so. The reasons for this are:
Recitals act as explanatory notes to European regulations and have no direct legal
effect. They may be taken into account by regulators and the courts when
interpreting and applying the law, but they are not the law.
In any event Recital 158 should be read in conjunction with Recital 41 which says
that “where this regulation refers to a legal basis or legislative measure, this does
not necessarily require a legislative act adopted by a parliament”, providing that
such a legal basis is clear and precise and its application is foreseeable to persons
subject to it.
40
In the UK, most archives operate on a permissive basis under the general
provisions of common law or statutory permissive powers, such as the British
Library Act 1972 or the Local Government (Records) Act 1962. It may be open to
organisations to rely on such a basis to satisfy the requirements of Recital 158.
Where there are no clear permissive powers, organisations may still be able to
point to funding agreements, management agreements or constitutional
documents which set out the purposes of the archive, particularly if the failure to
adhere to such purposes could have legal or quasi-legal effects, for example for a
body’s charitable status. Although this may not amount to a statutory obligation to
archive, it would give organisations a legal basis upon which to rely.
Up until now, organisations responsible for archiving may have relied on
exemptions from subject access rights under the ‘historical research’ provisions in
section 33 of the Data Protection Act 1998. These provisions will continue in the
new Data Protection Bill, and have not been abolished by GDPR. Most of the
exemptions from data subjects’ rights in relation to archiving also exist in relation
to historical research. If archiving services cannot confidently rely on the
exemptions for archiving in the public interest, they may be able to rely on
exemptions for historical research as an alternative. We recognise that there is
some debate about this point within the sector because some archives may not
exist for historical research purposes. In that case, a legal basis for archiving will
be needed, but it does not need to be statutory.
https://www.parliament.uk/business/publications/written-questions-answers-
statements/written-question/Commons/2017-11-03/111381/
41
Annex C Main references to archiving in GDPR and Data
Protection Act 2018
GDPR
Recital 158
Where personal data are processed for archiving purposes, this Regulation should
also apply to that processing, bearing in mind that this Regulation should not apply
to deceased persons. Public authorities or public or private bodies that hold
records of public interest should be services which, pursuant to Union or Member
State law, have a legal obligation to acquire, preserve, appraise, arrange,
describe, communicate, promote, disseminate and provide access to records of
enduring value for general public interest. Member States should also be
authorised to provide for the further processing of personal data for archiving
purposes, for example with a view to providing specific information related to the
political behaviour under former totalitarian state regimes, genocide, crimes
against humanity, in particular the Holocaust, or war crimes.
Article 5 Principles relating to processing of personal data
Personal data shall be: ….
(b) collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes; further
processing for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes shall, in accordance
with Article 89(1), not be considered to be incompatible with the initial
purposes (‘purpose limitation’);
(e) kept in a form which permits identification of data subjects for no longer than
is necessary for the purposes for which the personal data are processed;
personal data may be stored for longer periods insofar as the personal data
will be processed solely for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes in
accordance with Article 89(1) subject to implementation of the appropriate
technical and organisational measures required by this Regulation in order to
safeguard the rights and freedoms of the data subject (‘storage limitation’);
Article 9 Processing of special categories of personal data
Processing of personal data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, or trade union membership, and the processing
of genetic data, biometric data for the purpose of uniquely identifying a natural
person, data concerning health or data concerning a natural person's sex life or
sexual orientation shall be prohibited.
Paragraph 1 shall not apply if one of the following applies:
….
(j) processing is necessary for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes in accordance with
Article 89(1) based on Union or Member State law which shall be proportionate to
the aim pursued, respect the essence of the right to data protection and provide
for suitable and specific measures to safeguard the fundamental rights and the
interests of the data subject.
42
Article 14 Information to be provided where personal data have not been
obtained from the data subject
Where personal data have not been obtained from the data subject, the controller
shall provide the data subject with the following information:
the identity and the contact details of the controller and, where applicable, of the
controller's representative;
the contact details of the data protection officer, where applicable;
the purposes of the processing for which the personal data are intended as well
as the legal basis for the processing;
the categories of personal data concerned;
the recipients or categories of recipients of the personal data, if any;
where applicable, that the controller intends to transfer personal data to a recipient
in a third country or international organisation and the existence or absence of an
adequacy decision by the Commission, or in the case of transfers referred to in
Article 46 or 47, or the second subparagraph of Article 49(1), reference to the
appropriate or suitable safeguards and the means to obtain a copy of them or
where they have been made available.
…….
5. Paragraphs 1 to 4 shall not apply where and insofar as:
the data subject already has the information;
the provision of such information proves impossible or would involve a
disproportionate effort, in particular for processing for archiving purposes
in the public interest, scientific or historical research purposes or statistical
purposes, subject to the conditions and safeguards referred to in Article 89(1) or
in so far as the obligation referred to in paragraph 1 of this Article is likely to render
impossible or seriously impair the achievement of the objectives of that
processing. In such cases the controller shall take appropriate measures to protect
the data subject's rights and freedoms and legitimate interests, including making
the information publicly available
Article 17 Right to erasure (‘right to be forgotten’)
The data subject shall have the right to obtain from the controller the erasure of
personal data concerning him or her without undue delay and the controller shall
have the obligation to erase personal data without undue delay where one of the
following grounds applies:
Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: ….
for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes in accordance with Article 89(1) in so far as the
right referred to in paragraph 1 is likely to render impossible or seriously impair the
achievement of the objectives of that processing
Article 89 Safeguards and derogations relating to processing for archiving
purposes in the public interest, scientific or historical research purposes or
statistical purposes
Processing for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes, shall be subject to appropriate
safeguards, in accordance with this Regulation, for the rights and freedoms of the
data subject. Those safeguards shall ensure that technical and organisational
measures are in place in particular in order to ensure respect for the principle of
43
data minimisation. Those measures may include pseudonymisation provided that
those purposes can be fulfilled in that manner. Where those purposes can be
fulfilled by further processing which does not permit or no longer permits the
identification of data subjects, those purposes shall be fulfilled in that manner.
Where personal data are processed for scientific or historical research purposes
or statistical purposes, Union or Member State law may provide for derogations
from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions
and safeguards referred to in paragraph 1 of this Article in so far as such rights
are likely to render impossible or seriously impair the achievement of the specific
purposes, and such derogations are necessary for the fulfilment of those
purposes.
Where personal data are processed for archiving purposes in the public
interest, Union or Member State law may provide for derogations from the
rights referred to in Articles 15, 16, 18, 19, 20 and 21 subject to the conditions
and safeguards referred to in paragraph 1 of this Article in so far as such
rights are likely to render impossible or seriously impair the achievement of
the specific purposes, and such derogations are necessary for the fulfilment
of those purposes.
Where processing referred to in paragraphs 2 and 3 serves at the same time
another purpose, the derogations shall apply only to processing for the
purposes referred to in those paragraphs
UK Data Protection Act 2018
10 Special categories of personal data and criminal convictions etc data
Subsections (2) and (3) make provision about the processing of personal data
described in Article 9(1) of the GDPR (prohibition on processing of special
categories of personal data) in reliance on an exception in one of the following
points of Article 9(2)
point (b) (employment, social security and social protection);
point (g) (substantial public interest);
point (h) (health and social care);
point (i) (public health);
point (j) (archiving, research and statistics).
The processing meets the requirement in point (b), (h), (i) or (j) of Article 9(2)
of the GDPR for authorisation by, or a basis in, the law of the United Kingdom
or a part of the United Kingdom only if it meets a condition in Part 1 of
Schedule 1.
19 Processing for archiving, research and statistical purposes: safeguards
This section makes provision about
processing of personal data that is necessary for archiving purposes in
the public interest,
processing of personal data that is necessary for scientific or historical
research purposes, and
processing of personal data that is necessary for statistical purposes.
44
Such processing does not satisfy the requirement in Article 89(1) of the GDPR
for the processing to be subject to appropriate safeguards for the rights and
freedoms of the data subject if it is likely to cause substantial damage or
substantial distress to a data subject.
25 Manual unstructured data used in longstanding historical research
The provisions of the applied GDPR listed in subsection (2) do not apply to
personal data to which this Chapter applies by virtue of section 21(2) (manual
unstructured personal data held by FOI public authorities) at any time when
the personal data
is subject to processing which was already underway
immediately before 24 October 1998, and
is processed only for the purposes of historical research, and
the processing is not carried out
for the purposes of measures or decisions with respect to a
particular data subject, or
in a way that causes, or is likely to cause, substantial damage or
substantial distress to a data subject.
Those provisions are
in Chapter II of the applied GDPR (principles), Article 5(1)(d) (the
accuracy principle), and
in Chapter III of the applied GDPR (rights of the data subject)
Article 16 (right to rectification), and
Article 17(1) and (2) (right to erasure).
The exemptions in this section apply in addition to the exemptions in section 24.
41 Safeguards: archiving
This section applies in relation to the processing of personal data for a law
enforcement purpose where the processing is necessary
for archiving purposes in the public interest,
for scientific or historical research purposes, or
for statistical purposes.
The processing is not permitted if
it is carried out for the purposes of, or in connection with, measures or
decisions with respect to a particular data subject, or
it is likely to cause substantial damage or substantial distress to a data
subject.
SCHEDULE 1
SPECIAL CATEGORIES OF PERSONAL DATA AND CRIMINAL CONVICTIONS
ETC DATA
Research etc
4 This condition is met if the processing
is necessary for archiving purposes, scientific or historical research
purposes or statistical purposes,
45
is carried out in accordance with Article 89(1) of the GDPR (as
supplemented by section 19), and
is in the public interest.
SCHEDULE 2 PART 6 DEROGATIONS ETC BASED ON ARTICLE 89 FOR
RESEARCH, STATISTICS AND ARCHIVING
……
Archiving in the public interest
28 (1) The listed GDPR provisions do not apply to personal data processed for
archiving purposes in the public interest to the extent that the application of
those provisions would prevent or seriously impair the achievement of
those purposes.
This is subject to sub-paragraph (3).
For the purposes of this paragraph, the listed GDPR provisions are the
following provisions of the GDPR (the rights in which may be derogated
from by virtue of Article 89(3) of the GDPR)
Article 15(1) to (3) (confirmation of processing, access to data and
safeguards for third country transfers);
Article 16 (right to rectification);
Article 18(1) (restriction of processing);
Article 19 (notification obligation regarding rectification or erasure
of personal data or restriction of processing);
Article 20(1) (right to data portability);
Article 21(1) (objections to processing).
The exemption in sub-paragraph (1) is available only where the personal
data is processed in accordance with Article 89(1) of the GDPR (as
supplemented by section 19).