Data protection
Most personal archives, digital or otherwise, will contain personal data that is subject to the provisions of the Data Protection Act 1998 (c29). Depositors or donors may wish to make specific contractual agreements regarding the confidentiality of some, or all, of the material placed in an archive. There is also the privacy of third-parties represented in the archives to consider. Privacy and confidentiality concerns will affect both how digital materials can be managed within the preservation repository and how and when they can be made accessible to researchers.
The Data Protection Act 1998 (c29)
The Data Protection Act 1998 (DPA) seeks to enable individuals and organisations with legitimate reasons to process personal data to do so whilst protecting the interests of the individuals that the data concerns. The legislation is underpinned by eight principles, which are laid out in Schedule 1 of the Act. Part of the schedule lists the principles; Part 2 contains an interpretation of the principles:
The Data Protection Principles
Personal data shall be:
- Fairly and lawfully processed.
- Processed for limited purposes.
- Adequate, relevant and not excessive.
- Accurate and up to date.
- Not kept longer than necessary.
- Processed in accordance with the individual's rights.
- Secure.
- Not transferred to countries outside the European Economic Area unless the country has adequate protection for the individual.
Section 33 - Exemption for research, history and statistics
Archival practice would seem to contravene some of these principles, but the provision of the 'Research, history and statistics' exemption in section 33 of the Act allows personal data to be stored indefinitely as archives for research purposes provided that 'relevant conditions' are met:
- Data is not processed to support measures or decisions relating to particular individuals.
- Data is not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject. s.31(1).
The terminology of the Act
The basic interpretative provisions are set out in Section of the Act.
Data
The Act applies only to personal data relating to a living individual who can be identified by those data, or by those data in conjunction with other information that is available. The data covered by the Act includes both facts and opinions about the individual. Personal data may be:
- Digital data: data that are, or are intended to be, processed automatically.
- Data in a 'relevant filing system': data in a manual filing system that are not processed automatically, but are structured in such a way that information relating to a particular individual is readily accessible.
- Accessible data: these data include medical, social work and school pupil records, and are governed by provisions established in other legislation (see Section 68 and Schedule 12 of the Act).
- Unstructured personal data held in manual form by a public authority: the Freedom of Information Act 2000 (FOIA) extended the definition of data to include all information recorded by a public authority. See Part VII of the FOIA for amendments to the DPA.
Actors
In addition to defining the data covered by the Act, the legislation also defines the actors:
- Data subjects: a data subject means the individual who is the subject of the personal data. Data subjects have a number of rights under the Act:
  - The right to access personal data (Section 7 of the Act).
  - The right to prevent processing likely to cause damage or distress (Section 10).
  - The right to prevent processing for direct marketing (Section 11).
  - Rights in relation to automated decision-taking (Section 12).
  - The right to compensation for failure to comply with certain requirements (Section 13).
  - The right to rectification, blocking, erasure and destruction (Section 14).
  - The right to ask the Information Commissioner whether the Act has been contravened (Section 15).
- Data processors: a data processor means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. A data processor normally acts under contract and could be an offsite storage facility.
- Data controllers: the data controller, normally the Chief Executive or Board, determines the purposes and the manner in which any personal data are processed. Under section 18 of the Act, the data controller has a responsibility to notify the Information Commissioner of the processing of personal data.
- Data protection supervisors: section 23 gives the Secretary of State power to make provision whereby a data controller must appoint a data protection supervisor to independently monitor the data controller's compliance with the Act. Most universities, councils and large corporate organisations have voluntarily appointed data protection officers.
- Information Commissioner: Part VI of the Act establishes the role of the Information Commissioner, an independent official appointed by the Crown to oversee the Data Protection Act 1998. The Information Commissioner is also responsible for the Freedom of Information Act 2000 and the Environmental Information Regulations 2004.
Actions
The term 'processing' is used in the Act. This covers all actions that might be taken in relation to information or data; this includes obtaining, recording, holding and carrying out operations with it.
Notification
The DPA requires the data controller to notify the Information Commissioner of all processing operations involving personal data. This 'Notification' process is set out in Part III of the Act and the Information Commissioner's Notification Handbook.
Codes of practice
Section 51 (4) of the Act provides that the Information Commissioner may encourage trade associations to prepare and disseminate codes of practice which the Information Commissioner deems to promote good practice. The current Code of Practice for Archivists and Records Managers under Section 51 (4) of the Data Protection Act 1998 was drafted by the then Public Record Office, the Society of Archivists and the Records Management Society. It contains generic guidance, applicable in most organisations, together with sections devoted to the effect of the Act on the functions and activities associated with the work of Records Managers (Part 3) and Archivists (Part 4).
The code is currently being revised and a draft is available from the Society of Archivists.
The data subject's right to access
Section 33(4) stipulates that personal data processed only for research purposes is exempt from Section 7 of the Act, which establishes the data subject's right of access.
Freedom of information and data protection
The Information Commissioner oversees both the Freedom of Information Act 2000 and the Data Protection Act 1998. The provisions of the two acts must be considered together when a request to disclose personal information is received.
Data protection and digital archives
If digital archives are accessioned earlier than paper archives have been in the past, then archives could potentially be subject to the provisions of the Data Protection Act for much longer while they are being managed by an archival repository. This is because the Act covers personal data about living individuals. Repositories may therefore find themselves managing a significant number of collections which are closed to researchers and could come under pressure from historians of the contemporary period to release items. The processes involved in acquisition, appraisal and cataloguing should identify data protection issues so that they can be managed appropriately.