The General Data Protection Regulation – why we need to act and how we can help each other!

In May 2018, the General Data Protection Regulation (GDPR) will replace the 1988 Data Protection Act (DPA). GDPR builds on the DPA and gives ‘data subjects’ (i.e. those whose data is being held) enhanced rights. If your library service collects data about individuals on library management systems, document supply systems, or swipe card access systems, uses social media or cookies on websites, or captures CCTV images, then this applies to you!

6 things to know about GDPR:

  1. All organisations (or groups of organisations) must identify a named Data Protection Officer (DPO).
  2. The definition of personal data now includes ‘any information relating to an individual’s… private, professional or public life’ and personal identifiers such as photographs, CCTV images, posts on social media and IP addresses.
  3. Data subjects have the right to be informed that their data is being processed via a privacy notice which explains the grounds on which data is being collected, who is processing the data, the intended use of the data, the retention period for the data, and their right to complain.
  4. Data subjects can access, correct and, in circumstances where extreme distress has been caused, erase data. Organisations must respond to requests for access within one month.
  5. Implied consent is no longer allowed. Individuals must opt in to their personal data being held. Statements such as ‘if you continue to use this website then you accept our cookie policy’ are not permissible.
  6. Personal data allowed under GDPR must be portable between organisations, so it must not be held in proprietary formats, or it must be possible to export it to a generic format such as a .CSV file.

What should library services do now?

  1. Find out who is leading on GDPR in your organisation and prepare for a conversation with them about use of personal data in your library service.
  2. Do a quick library team audit of all the personal data you keep in relation to the services you provide. For each, think: Who (is the data subject), What (data is being processed), Why (is it being processed), Where (is it being stored) and How (is it being used)?
  3. Think about what privacy notices you might need to cover the data processing requirements for your service. Privacy notices can cover more than one instance of data processing, but it must be possible for users to positively opt-in to each.
  4. Check your procedures for dealing with access, correction and deletion requests – and update these if necessary.
  5. Check that personal data you hold is held in, or could be converted to, a commonly used electronic format.

How can we help each other?

Many of our data processes will be common to all library services. Please reply to this blog post if you have already done GDPR preparation work and have anything you are willing to share (e.g. your audit of data processes or a new privacy statement) or if you have ideas about anything we could usefully do nationally.

Further information on the GDPR can be found on the Information Commissioner’s Office website (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/), which also contains an excellent ‘12-steps to consider now’ document (https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf).

Naomi Korn Copyright Consultancy will also be providing advice on this issue at https://naomikorn.com/resources/ under the heading ‘Data Protection Resources’.

David Watson
NHS Copyright First Responders

Report from CILIP Privacy Briefing: Things to know and do

CILIP held a Privacy Briefing on 28th November focusing on issues relating to Privacy, particularly in the light of changing data regulation including the General Data Protection Regulations due to come into force in UK law in 2018.

The sessions highlighted the professional obligations of Library and Information professionals in relation to privacy, as well as exploring some ways in which libraries, archives, and other bodies were tackling privacy and data protection issues.

My more extensive notes on the day are on the Yorkshire and Humber LKS Wiki, but a summary of actions is below:

Five things LKS professionals should know:

  • The position of the European Convention on Human Rights, and CILIP in relation to privacy rights.
  • How your service handles its customers’ personal data
  • How any third parties (e.g. LMS suppliers) handle your customers’ personal data
  • How to balance the customer’s right to privacy with the practical need to deliver the service in the customer’s interest (have you explored the tension, and can you justify the decisions and resulting practices?)
  • Who you can turn to within your organisation for advice in this area.

Five things LKS professionals should do:

  • Review your service’s practice in relation to customers’ personal data and document processes and procedures
  • Undertake a Privacy Impact Assessment using the above data to identify what changes you need to make to ensure your processes are the best they can be
  • Challenge your practice as an information professional with privacy in mind
  • Consider how you can educate your users in relation to privacy (e.g. online)
  • Advocate for privacy and contribute to CILIP’s Ethics Review

Dominic Gilroy
NHS LKS Development Manager (Yorkshire and Humber)

STEP e-learning modules now available!

As you know, we’ve been developing a suite of literature searching modules for you to use as part of the information skills training you offer.

We are delighted to announce that the first three modules are now available from https://www.e-lfh.org.uk/programmes/literature-searching/

‘Building the Foundations’ includes three modules to enable users to assess their current level of skill in literature searching, find out more about the resources available to them and get started planning a search.

Module 1 Introduction to searching
Module 2 Where do I start searching?
Module 3 How do I start to develop a search strategy?

Please feel free to place these links on your websites and use the attached flier to promote the modules.

The next three modules on ‘Developing the Skills’ will be launched later this year and ‘Applying the Skills’ modules will be available in early 2018.

Attached are some FAQs about the modules which you may find helpful.

If you require further information, please contact the project leads:

Tracey Pratchett, Knowledge and Library Services Manager, Lancashire Teaching Hospitals NHS Foundation Trust tracey.pratchett@lthtr.nhs.uk
Sarah Lewis, Library Services Manager, Buckinghamshire Healthcare NHS Trust sarah.lewis@buckhealthcare.nhs.uk