The following information is derived from guidance on archives and data protection law in the UK, issued by The National Archives
Data protection is not new. For the previous twenty years the UK archives sector followed the 1998 Data Protection Act without significant issue using guidance from the Information Commissioner and a code of practice aimed at archivists and records managers. The Data Protection Act 1998 has been replaced by The Data Protection Act 2018 (DPA 2018). This results from new legislation in the EU: the General Data Protection Regulation (GDPR). The DPA 2018 makes additional provisions around areas not covered by GDPR.
Under the new legislation personal data must be processed for a specified purpose, and kept for no longer than that purpose requires. Individuals have greater rights over their data, including the so-called 'Right to be forgotten'. However, the law recognises there is a public interest in permitting the permanent preservation of personal data for the long-term benefit of society. In general, 'archiving' which complied with the 1998 Data Protection Act will continue to be permitted under the new law. There are some changes affecting archiving but they are not drastic. The guiding principle remains the same, namely that record creators and archive services can continue to process personal data in their collections for archiving purposes in the public interest, scientific research, historical research or statistical purposes but should not cause substantial distress or substantial damage to the person whose data is being archived. Organisations can refuse to comply with a request for erasure of an individual's personal information if the information is held under the guiding principle outlined above.
Inevitably archive collections contain personal information about people's public and private lives, but the purpose of archiving is primarily to maintain this information for use over the very long-term, when the potential for impact on individuals is low or non-existent. Care must be taken to ensure that over-cautious or inaccurate interpretation does not lead to the weeding, anonymising or destruction of files containing personal data that would otherwise be passed to an archive service with managed access over time. The law contains the necessary safeguards to permit archiving. Archiving will normally be in the public interest, serving the public good and not be purely for personal or corporate interest and private gain.
Archiving should be distinguished from long-term, but finite, retention of records to support current business or legal requirements (e.g. for pension purposes). Archiving should not be confused with sending records to cheaper offsite storage or moving data from a live system. The term archiving is sometimes used this way in computing to mean storing data in offline systems. If personal data or records containing the information are being kept solely for a defined current business or legal purpose and the intention is to destroy them after that has been finished, this does not constitute archiving in the public interest.
The specific sections of GDPR which refer to archiving are detailed below (relevant sections in bold).
Article 5 of the GDPR states that personal data must be:
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Article 9 states that special category data (ie sensitive data eg relating to race, sexuality, health, beliefs, etc) can only be processed under strict conditions including:
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
The GDPR introduces a new 'right to be forgotten', under Article 17, which could potentially result in the deletion of an individual's data at their request. However this is not an absolute right, and there are exemptions, notably:
The right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
All three articles (5, 9 and 17) therefore provide explicit permission for data controllers to continue to preserve records intact, and transfer them to a public archive such as Surrey History Centre when they are no longer needed for their original purpose.
The rights of data subjects to withdraw consent to the processing of their data, or request the correction or erasure of information contained in records selected by Surrey History Centre for archiving in the public interest are also limited. For example, we will endeavour to correct factual inaccuracies brought to our notice and verified in a way that does not compromise the integrity of the records but we will not return or erase data
However, archives (alongside all data processors) must try to avoid causing substantial damage or distress to data subjects in the manner in which we process their personal data, and therefore we will continue to use closure periods to restrict public access to potentially sensitive personal data, where appropriate, although the data subject themselves will still have a right of access. Please see our access to records policy for more information.