22 May 2018
Museums and their GDPR data protection obligations
Prior to the implementation of GDPR across the UK (transposed into UK law as the Data Protection Act 2018), I wanted to address some questions that I have been asked during my recent training sessions, although most of these issues already applied under the Data Protection Act 1998.
1. Should personal data be added to the ‘brief description’ field in a collections database, particularly if this appears on a museum’s online collections website?
It depends on what it is and also on the functionality of the collections database. So, for example, if the object was an army identity card or belonged to a specific person for a specific reason already in the public domain, then reproducing this information online would be unlikely to cause distress to the individual. If the information was a name and an address, then this personal data may not already be readily available and should not be made accessible. Remember that personal data is information about a living, identifiable individual; however, even if an individual is dead, they may have relatives still living at the same address.
2. On our current entry forms and loan forms we ask for the names, addresses and phone numbers of donors/depositors/lenders, which we store indefinitely as the information is important for our objects’ provenance. What sort of wording should we include on our forms to make sure we comply with the new regulations and that it is clear to the general public how we will use their data?
Collecting this type of personal information is vital for the functioning of a museum and, depending upon the circumstances and the governance/funding of the museum, this type of processing will be covered under one of several legal grounds for processing (legitimate interests, public interest, contractual). The forms should include a statement that the information will be used only for the purposes for which it is collected, a consent box if you plan to share it (for example with other museums if lending the item out) or use it for other internal purposes, and a link to your privacy notice. Your privacy notice should clearly articulate what you are doing with personal data, why, and so on. See our privacy notice for further information: https://naomikorn.com/privacy-policy/
3. What do we need to do with historical data we hold for acquisitions/ loans/ disposals and deposits?
Most, if not all, of this information should be kept in perpetuity, and this should be reflected in your retention schedule. Because of the quantity of personal data processed by museums and the range of activities, retention schedules need to reflect statutory and regulatory obligations as well as policy decisions.
4. How will GDPR affect collections management systems (i.e. collections databases) that also store personal data of the kind described above?
Your collections management systems need to be configured to enable restrictions regarding what you hold and what you subsequently publish. So, your collections management systems should serve your needs, rather than you adjusting your needs according to your collections management systems. They also need to provide functionality for you to amend and rectify your records and to respond to data subjects who may want their personal data amended and/or deleted. It will be important that you liaise with your collections management system vendor accordingly, and also that you check they are compliant with their own data protection obligations as your data processor.
5. If someone refuses to give us permission to store their name, address etc. relating to an acquisition or a loan is there anything we could do or would we just have to refuse to take the objects?
Collecting this type of information is vital for a museum in order to comply with other statutory, regulatory and policy requirements. For example, Accredited museums must comply with specific standards of practice. Data protection legislation dovetails with this existing framework, and the museum should think very carefully indeed before proceeding any further, because it may then fall foul of other legal and similar obligations it has.
6. What exactly can be recorded in our ‘Visitors’ Book’?
Because the book is public, names, addresses, e-mails, phone numbers etc. should not be collected. This is certainly more than a museum needs, and it also means that a museum would have increased obligations to any data subjects (individuals whose personal data you are storing) upon their request, to provide information about what it is storing, amend it, delete it etc. The less information that is held, the better. So, a museum should consider why it needs to collect all this information. It is very likely that the most valuable bits are the comments and the country of origin of the individual, and/or the first 3 letters of a postcode, which would likely be enough to fulfil a museum’s requirement but not be enough to constitute “personal data”.
Any further data collected through which an individual could be identified should be reflected in the museum’s privacy statement; a notice in plain English should be provided next to the book explaining how the information will be used and ensuring that such information is captured on a consent basis. Finally, the museum should ensure it stipulates in a retention schedule how long such data is stored.
7. My volunteers fill in Volunteer Application forms when they start with us – which includes giving an email address and phone number. I have previously taken this as consent for me to phone them or email them (generally only about volunteering at the museum). To be compliant do I now need to get in touch with them all to get specific consent to contact them by these means?
Legal grounds for processing would probably be established for this type of use (legitimate interests, public interest, contractual, vital interests etc.), but it will be important to ensure the following:
- Any other sharing or use (including sharing with other volunteers etc), must be established on a consent basis.
- This information must be kept safe, like any other personal information.
- A retention schedule should be used to record how long this information is kept for.
- Your privacy notice must refer to this type of data collection.
- Subsequent agreements with volunteers should link to your privacy notice and also ensure that they take the necessary measures to comply with their own data protection obligations, such as using encrypted devices, not sharing personal data etc.
- Your volunteers should be trained in data protection and their awareness levels kept high.
8. Do museums need to check that suppliers they use are GDPR compliant?
Yes, this is their legal obligation. They need to have robust contractual terms in place accordingly, and if they cannot do so, they should consider using someone else. This means that eventually, as part of a museum’s commitment to a “privacy by design” culture, it needs to ensure that its procurement processes, project initiation procedures and so on embed this consideration into the heart of its organisational culture.
(c) Naomi Korn Associates, 2018, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence. The image is available under a CC Zero Licence.