In May 2018, the General Data Protection Regulation (GDPR) will replace the 1988 Data Protection Act (DPA). GDPR builds on the DPA and gives ‘data subjects’ (i.e. those whose data is being held) enhanced rights. If your library service collects data about individuals on library management systems, document supply systems, or swipe card access systems, uses social media or cookies on websites, or captures CCTV images, then this applies to you!
6 things to know about GDPR:
- All organisations (or groups of organisations) must identify a named Data Protection Officer (DPO).
- The definition of personal data now includes ‘any information relating to an individual’s… private, professional or public life’ and personal identifiers such as photographs, CCTV images, posts on social media and IP addresses.
- Data subjects have the right to be informed that their data is being processed via a privacy notice which explains the grounds on which data is being collected, who is processing the data, the intended use of the data, the retention period for the data, and their right to complain.
- Data subjects can access, correct and, in circumstances where extreme distress has been caused, erase data. Organisations must respond to requests for access within one month.
- Personal data held under GDPR must be portable between organisations, so it must not be locked into proprietary formats and must be exportable to a generic format such as a .CSV file.
What should library services do now?
- Find out who is leading on GDPR in your organisation and prepare for a conversation with them about use of personal data in your library service.
- Do a quick library team audit of all the personal data you keep in relation to the services you provide. For each think: Who (is the data subject), What (data is being processed), Why (is it being processed), Where (is it being stored) and How (is it being used)?
- Think about what privacy notices you might need to cover the data processing requirements for your service. Privacy notices can cover more than one instance of data processing, but it must be possible for users to positively opt-in to each.
- Check your procedure for dealing with access, correction and deletion requests – and update these if necessary.
- Check that personal data you hold is held in or could be converted to a commonly used electronic format.
How can we help each other?
Many of our data processes will be common to all library services. Please reply to this blog post if you have already done GDPR preparation work and have anything you are willing to share (e.g. your audit of data processes or a new privacy statement) or if you have ideas about anything we could usefully do nationally.
Further information on the GDPR can be found on the Information Commissioner’s Office website (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/), which also contains an excellent ‘12 steps to consider now’ document (https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf).
Naomi Korn Copyright Consultancy will also be providing advice on this issue at https://naomikorn.com/resources/ under the heading ‘Data Protection Resources’.
NHS Copyright First Responders