Data protection guidance
Informal guidance for researchers consulting archives containing information covered under the Data Protection Act 2018 and General Data Protection Regulation 2018.
The data protection principles
- Personal data shall be processed lawfully and fairly.
- Personal data shall be obtained only for one or more specified, explicit and legitimate purposes, and shall not be further processed in any manner incompatible with that purpose.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose for they are processed.
- Personal data shall be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay.
- Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Material transferred to Archives and Special Collections is held as an archive for the purposes of historical research under Schedule 6, Part 6, Paragraph 27.
- Organisations whose material may be held here are prohibited under the Act from reactivating files in order to make decisions concerning an individual, even where they retain ownership of the material. Information may be used for historical/reference/evidential purposes, but reactivating a file (i.e. using it for another purpose from that for which it is currently held) is illegal.
- Personal data means any information relating to an identified or identifiable living individual (this may be a name, identification number, location data, online identifier).
- Processing data can include collecting, recording, organising, structuring or storing; adapting or altering; retrieving, consulting or using; disclosing, disseminating or making available; restriction, erasure or destruction.
- Under the Data Protection Act 2018, a researcher is responsible for any personal data concerning living individuals taken away from Archives and Special Collections, for example, notes, research data, photocopies, digital images.
- The data subject means an individual who is the subject of personal data, i.e. the individual whom particular personal data is about. The Act and Regulations do not count as a data subject an individual who has died or who cannot be identified or distinguished from others.
- Special category data refers to more sensitive information (including race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation), which must have more protection.
Provision for research use of personal data
Article 89 of the Regulations allows archive repositories to retain and hold personal data indefinitely and for a different purpose, i.e. research, from that for which it was created.
Article 9 of the Regulations (The Data Protection (Processing of Sensitive Personal Data) Order 2000) gives the circumstances in which sensitive personal data may be processed. Adherence to these conditions will also permit the researcher the same rights with respect to her/his subsequent use of data taken from Archives and Special Collections, provided that data is used for the purposes of research, history and statistics. The conditions are:
- That the data are not processed to support measures or decisions with respect to particular individuals.
- That the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.
Archives and Special Collections grants researchers access to material available for general access provided they sign in on arrival to confirm that they will comply with this Data Protection guidance and statement. When we provide information in the form of copies where the user is not physically present, we will either supply a copy of this statement with the copies or include a link to this document on our website.
Researchers’ responsibilities regarding data
Not to cause substantial damage or distress (defined by the National Archives as financial loss or physical harm, and a level of upset or emotional or mental pain that goes beyond annoyance or irritation) to data subjects e.g. by making publicly available special category data. This is the overriding principle that should guide the researcher’s use of personal data.
Not to use the data to support measures or decisions concerning an individual.
Anonymise identities when note-taking whenever possible. This reduces the risks and effort attendant in the subsequent use/reuse of a researcher’s notes. If the results of research or any statistics are not made available in a form which identifies individuals then this will also exempt the researcher from the data subjects’ right of access to their personal information. In deciding when it is appropriate to use/publish personal information, consider:
- Is the individual still alive? Even if the individual is deceased, consideration should be given to family members who may still be alive and be identifiable from the information, or to other duties of confidentiality other than Data Protection considerations which may apply.
- Is the individual a public figure? (this may mean that information is more likely to be in the public domain, is less sensitive, or that its publication is more likely to be in the public interest).
- Does the information belong to a sensitive category of information as defined by the Act? The researcher may need to acquire permission from the data subject to publish if s/he doesn’t anonymise.
- As well as anonymising names, be mindful of context, and other information in the public domain, which may identify an individual as clearly as giving a name: e.g. “Disciplinary Hearing: Headmaster, Borsington School, 1978”. Anonymisation is not perfect – an anonymised person of a particular ethnicity living in a certain postcode might be identifiable if it is a small place.
Holding a data set
Under Article 30 of the Regulations the University is obliged to hold a record of processing activity and datasets.
When members of staff or students extract personal information from the archives and hold it elsewhere (hard drive, their Z:Drive, R:Drive or X:Drive) this creates a new data set and the University’s Records Manager, David Jenkins, must be informed so that it can be added to the register.
Researchers external to the University need not contact our records manager, although may be required to register their activity with their employer.
Transfer of data outside of the EEA
Personal data should not be transferred outside the EEA unless certain conditions are met.
Overall points to remember
- The Act only concerns the personal data of living individuals. The data may be in manual (paper) or electronic format and includes images (any means by which an individual is identified).
- Don’t cause substantial distress or damage to the individuals whose data have been seen, used or held.
- Don’t use the material to make or support decisions or measures that will affect data subjects.
- Keep any personal information held secure (protect it from unauthorised access or transfer).
- Anonymising names/personal details is good practice and the safest way to avoid an infringement of the Act. Anonymise as early as possible in the use of the data.
- Sensitivity generally diminishes over time.
- The researcher is liable for the personal data they take away and the subsequent use they make of it.
Further guidance on the Act can be found on the Information Commissioner’s website.