Data protection

Most personal archives, digital or otherwise, will contain personal data that is subject to the provisions of the Data Protection Act 1998 (c29). Depositors or donors may wish to make specific contractual agreements regarding the confidentiality of some, or all, of the material placed in an archive. There is also the privacy of third parties represented in the archives to consider. Privacy and confidentiality concerns will affect both how digital materials can be managed within the preservation repository and how and when they can be made accessible to researchers.

The Data Protection Act 1998 (c29)

The Data Protection Act 1998 (DPA) seeks to enable individuals and organisations with legitimate reasons to process personal data to do so whilst protecting the interests of the individuals that the data concerns. The legislation is underpinned by eight principles, which are laid out in Schedule 1 of the Act. Part of the schedule lists the principles; Part 2 contains an interpretation of the principles:

The Data Protection Principles

Personal data shall be:

  1. Fairly and lawfully processed.
  2. Processed for limited purposes.
  3. Adequate, relevant and not excessive.
  4. Accurate and up to date.
  5. Not kept longer than necessary.
  6. Processed in accordance with the individual's rights.
  7. Secure.
  8. Not transferred to countries outside the European Economic Area unless the country has adequate protection for the individual.

Section 33 - Exemption for research, history and statistics

Archival practice would seem to contravene some of these principles, but the provision of the 'Research, history and statistics' exemption in section 33 of the Act allows personal data to be stored indefinitely as archives for research purposes provided that 'relevant conditions' are met:

The terminology of the Act

The basic interpretative provisions are set out in Section of the Act.


The Act applies only to personal data relating to a living individual who can be identified by those data, or by those data in conjunction with other information that is available. The data covered by the Act include both facts and opinions about the individual. Personal data may be:


In addition to defining the data covered by the Act, the legislation also defines the actors:


The term 'processing' is used in the Act. This covers all actions that might be taken in relation to information or data; this includes obtaining, recording, holding and carrying out operations with it.


The DPA requires the data controller to notify the Information Commissioner of all processing operations involving personal data. This 'Notification' process is set out in Part III of the Act and the Information Commissioner's Notification Handbook.

Codes of practice

Section 51 (4) of the Act provides that the Information Commissioner may encourage trade associations to prepare and disseminate codes of practice which the Information Commissioner deems to promote good practice. The current Code of Practice for Archivists and Records Managers under Section 51 (4) of the Data Protection Act 1998 was drafted by the then Public Record Office, the Society of Archivists and the Records Management Society. It contains generic guidance, applicable in most organisations, together with sections devoted to the effect of the Act on the functions and activities associated with the work of Records Managers (Part 3) and Archivists (Part 4).

The code is currently being revised and a draft is available from the Society of Archivists.

The data subject's right to access

Section 33(4) stipulates that personal data processed only for research purposes is exempt from Section 7 of the Act, which establishes the data subject's right of access.

Freedom of information and data protection

The Information Commissioner oversees both the Freedom of Information Act 2000 and the Data Protection Act 1998. The provisions of the two acts must be considered together when a request to disclose personal information is received.

Data protection and digital archives

If digital archives are accessioned earlier than paper archives have been in the past, then archives could potentially be subject to the provisions of the Data Protection Act for much longer while they are being managed by an archival repository. This is because the Act covers personal data about living individuals. Repositories may therefore find themselves managing a significant number of collections which are closed to researchers and could come under pressure from historians of the contemporary period to release items. The processes involved in acquisition, appraisal and cataloguing should identify data protection issues so that they can be managed appropriately.