EU GENERAL DATA PROTECTION REGULATION
GDPR
BASICS FOR COMMUNITY ARCHIVES
JON ELLIOTT (ARA)
JACK LATIMER (CAHG)
Starting Point – Differentiate between personal
data in archives and data used operationally
‘Archiving Purposes in the Public Interest’
- Personal data in archives is largely exempted from GDPR so
long as it doesn’t fail the ‘substantial damage and distress’ test.
- Virtually all community archives will be able to use this
derogation.
- So DO NOT AMEND, DELETE, HAND OVER, DESTROY OR
REDACT ORIGINAL ARCHIVAL MATERIAL unless a court tells
you to.
The exemption does not apply to personal data
you ‘process’ in running your organisation
For example:
- staff and membership lists, with phone numbers, email addresses, etc.
- data subjects in partner organisations, suppliers, clients, etc.
- photos, bank details, health, family or other identifying information
- Signing-in books
- IT’S NOT YOUR DATA
Other common questions:
- GDPR doesn’t cover dead people or those you can reasonably assume are
dead (eg, photo of a woman in 1970 who looks at least 60 years old).
- If people want access to personal data in your archive, offer them a copy.
- If something causes distress (right to erase), close it to public access.
- If something is ‘inaccurate’ (right to correction), put a note in the file.
- If documents contain ‘sensitive personal data’, close them to public access.
- A form that researchers sign accepting their data protection obligations.
- Unsubscribe option on newsletters, etc.
GDPR – First Priority – Avoid
Breaches
Tackle The Most Common Problems
- Operational failure: eg, mass copying of emails and not ‘bcc-ing’
emails, attaching documents containing personal data, sending a data
subject’s personal data to someone else by mistake, not having basic anti-
hacking software, sending and receiving ‘work’ personal data from home
emails and home servers, etc.
- Bad records management practice: not password-protecting
documents containing personal data; mixing sensitive data files in with
regular files, not having a clear record of what you own and what you don’t.
- Weakest links: giving access to personal data to people, colleagues,
volunteers, etc. who don’t need it: the weakest link in the chain. Limit access.
Second Priority – Get organised
• Record, record, record…
• Do you have a website? If so, what and where are
your Privacy Policy, Take-down Policy and Contact
Details?
• Have clear, written retention policies for data
you hold: can be simple, eg how long you are
keeping the five main uses for personal data you hold
and when/what you destroy or keep. And why.
• Implement your policies….
Third Priority
• Tell your trustees (if you have them) what you
are doing. Get their approval, eg by
- Defining the simple legal basis you are using to process
personal data
- Doing and recording a simple information audit: what
personal data you hold, why, in what form, where you send it,
how long kept, and physical location?
- Showing how you record consent, ie ‘explicit’; ‘positive
indication of agreement.’ Cannot infer from silence/tick-box.
Subject Access Requests (SARs)
• You are unlikely to be able to charge for SARs
• Response timescale: down from 40 days to 1 month
• New option: can refuse a request if clearly excessive
(BUT: you must have credible policies/processes in
place for making such judgements and RECORD
individual decisions)
• New obligation: provide info to data subjects, eg data
retention periods and the right to ‘correction’.
• Think through operational impact.
Reporting Breaches
New, universal duty of breach notification
- obligatory to have processes to detect, report and investigate
breaches
- Not all breaches must be reported to ICO: the ‘damage’ test
- But you only have 72 hours for those that must… (won’t
include community archives unless, eg a serious breach of
sensitive personal data)
- Fines: €20 million or 4% of global turnover. BUT ICO have said
that only major breaches by major companies will fall into this
bracket
International Transfers
• Unwitting?
- Do you use Mailchimp, Facebook, Eventbrite or other sites for
your activities?
- Have you read their privacy statements, eg will data you use
be exported to US servers and thereby out of GDPR
jurisdiction and protection?
- Very important that you cover this
Next steps?
• We are working with partners on a Code of Practice: Hope it
will be available end 2018. Aim to cover community archives
• Need to also consider cross-border implications in Ireland
• Training/briefing: ARA will continue to offer briefing sessions
• ARA will keep advocating improvements/interpretations with
governments and regulators.
• Wider impact: new ARA Code of Ethics (2018)
• A hunch: stand by for court cases after 2018…
A working example:
what we’ve done about
GDPR
1. We have carried out an audit of the personal data we hold.
We made a list of all the ways in which we collect or store personal data
2. We have updated and documented our personal data policy.
We asked: Do we need each type of data on our list? How long should we keep it?
3. We have deleted unnecessary personal data.
For example: we deleted old booking forms and copies of newsletter subscriptions
4. We have reviewed each process by which we collect personal data to be
sure we are obtaining the right permissions.
For example: we added a checkbox to all website forms, to ensure explicit consent
5. We have provided a method for people to find out what personal data we
hold about them or request to have it deleted.
Our privacy page now has a link to a form for requesting/deleting personal data
6. We have updated our privacy policy and published it on the website.
ANY QUESTIONS?
Introducing Community
Archives
Three common queries from community archives
1. Do we need to get in touch with all our members/website
contributors to get their consent to keep their contact details
on record?
2. What do we do about the details of dead or living people that
we hold in our archive? For example, in minutes of parish
meetings?
3. If somebody sends us a research request, does that person
need to give consent to us using their personal details in order
to reply?
Further Reading
• ARA advocacy papers to date (hand-outs)
• European Data Protection Supervisor’s blog: dry, but…
https://secure.edps.europa.eu/EDPSWEB/edps/lang/de/EDPS/Publications/Blog_1
• The Guardian’s ‘51 Useful Data Protection Resources’:
https://digitalguardian.com/blog/51-useful-data-protection-resources-blogs-videos-guides-infographics-tools-more
• ICO (UK) blog and ICO guidance notes:
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/?facet_type=Blog&facet_date=&date_from=&date_to=


Editor's Notes

  1. It wasn’t ‘more people through the door’ (though it could be that)