“Yes, yes”, you may be thinking, “we know about the Data Protection Act!” However, this legislation is about to be replaced by the General Data Protection Regulation (GDPR), a regulation by which the European Commission intends to strengthen and standardise data protection for organisations and individuals within the European Union. It also addresses the tricky topic of exporting personal data outside the EU.
“That’s all very good, but what about Brexit?!” we hear you cry… Well, we’ll not be making any political statements on that one, but as we all know, Article 50 hasn’t been triggered yet, and some theorise that even when it is, the UK’s withdrawal from the EU may be a much lengthier process than has been indicated up ‘til now. It is likely to still be ongoing after the required date for implementation of the GDPR. The EU Council and the Parliament both adopted the regulation in April 2016, and the regulation will take effect after a two-year transition period, on 25 May 2018. The new regulations will be stricter than our current Data Protection Act 1998 (DPA), and museums and organisations already struggling with the current DPA may find the stringent requirements of this new legislation very difficult…
So, here’s what you need to know. The current legislation is the DPA, an Act of the UK Parliament which lays down the law on the processing of data relating to identifiable living people. The DPA regulates the use of ‘personal data’ and defines eight data protection principles. Personal data is defined as data relating to a living individual who can be identified a) from that data; or b) from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. In this regard, ‘data’ means information which a) is being processed by automated means; b) is recorded for processing by such equipment; c) is recorded with the intention of being part of a relevant filing system; d) does not fall within a), b) or c) but forms part of an accessible record; or e) is recorded information held by a public authority and does not fall within any of a) to d).
So information that is held on computer is data. It does not need to be properly filed. Data is also information recorded on paper if you intend to put it into a computer. This includes handwritten notes that will later be typed using a computer. Do you have CCTV in your museum? Recorded footage is data too.
The Freedom of Information Act 2000 created a new category of data which extended the definition of data in the original DPA. Where information requested under FOI includes information about identifiable individuals, public authorities must consider whether its release would breach the DPA. The new category of data, often referred to as ‘category e) data’, is designed to ensure that before releasing any personal information under FOI, public authorities consider whether this would be fair. If it is deemed to be unfair, a public authority is within its rights to refuse to comply with the FOI request but should explain its reasons for this.
The Privacy and Electronic Communications Regulations (PECR) sit alongside the DPA. They give people specific privacy rights in relation to electronic communications. They do not replace the DPA but supplement it. PECR contains specific rules on marketing calls, emails, texts and faxes; cookies (and similar technologies); keeping communications services secure; and customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings. For more information on this, make sure you visit the Information Commissioner’s website.
We’ve all heard about cases of public officials leaving confidential information on the train or in taxis. How you transport data is as much a part of data security as ensuring permissions are accurate for marketing purposes. Bear in mind that anyone with free software could even recover between 30% and 90% of ‘deleted’ files from a memory stick or similar device, so be sure to dispose of data contained in mobile storage using secure deletion software.
The GDPR creates the ability for regulators to impose huge fines on organisations for compliance failures. In 2015, the Information Commissioner’s Office, the UK regulator for the DPA, handed out its largest fines under the UK’s current legislation for unsolicited marketing. It can fine organisations up to £500,000, and it is rare to see fines of less than six figures. The most serious offences involve children’s and vulnerable adults’ data, inclusive of photography. The GDPR strengthens this type of enforcement, and infringements of the basic principles of processing ‘including conditions for consent’ can be subject to the highest level of fines, which may be the higher of €20m or 4% of total worldwide turnover of the preceding financial year. For museums, it’s probably safe to assume that the higher of these two will be €20m, but that is still not insignificant, so there are twenty million very good reasons for getting yourself ready.
It’s probably best to use the remainder of 2016 to get yourself completely up-to-speed with the law as it stands at the moment – this will help you transition to the new regulations much more fluidly, a transition you could use 2017 to work towards. There’s a great little quiz over at museuminfo-records.org.uk which will test your knowledge of the law as it stands. We’re here to help if you have any general questions, but we can’t give out legal advice – we would recommend contacting a data protection specialist if you need any professional advice on your specific operations. The main takeaway from this, though… You have time: don’t panic.