17 November 2021
Thinking about data protection in digitisation projects
By Stephanie Ashcroft, Consultant and Rights Researcher
Digitisation projects offer a fantastic opportunity for heritage institutions to preserve and share their collections with wider audiences. The national lockdowns and restrictions in recent years, resulting in limited access to research material, exhibitions and outreach programmes, have highlighted the need to increase digital and remote access to our heritage collections.
Before applying for funding for digitisation projects, it is important to consider any data protection issues which may affect your bid and your desired project outputs. Below are a few key issues to consider during the planning stages of your application:
Refresh your data protection knowledge
Data protection legislation exists to protect people’s right to a private life, and to ensure that organisations do not process personal data in a way that could be harmful. ‘Processing’ in this context covers almost any way of using or sharing data about people, including storing digitised copies on servers, creating cataloguing data and other finding aids, filing documentation such as permission forms and correspondence and, of course, publishing, broadcasting and sharing material that contains personal data.
UK data protection law is currently harmonised with EU legislation, through the UK GDPR. Therefore, it is important to keep up to date with training and professional development to ensure your projects remain compliant with the law.
Many organisations will have a dedicated Data Protection Officer, who should be consulted during the planning stages of any funding application.
Check your legal bases for processing data
Current legislation recognises two broad types of data – personal data and special category data.
Personal data includes biographical data, as well as addresses, financial information and images of a living person (also known as the ‘data subject’).
Special category data is more sensitive data – including details of a data subject’s religious and philosophical views, political and trade union activity, sexuality, race and ethnic background, and data around their health.
If you would like to digitise and share collections which include these types of data about living people, your organisation must have the legal grounds (or legal bases) to do so. Many heritage institutions will be able to share data within collections on the grounds of archiving in the public interest. This legal basis recognises the need to keep accurate historical records, with all data kept intact, for their evidential, research and cultural value. Using this legal basis, organisations are able to include personal and special category data in catalogue descriptions and make material available for consultation, providing that safeguards are put in place to ensure this processing is not ‘likely to cause substantial damage or substantial distress to a data subject’. This is explored later in the article.
However if you want to share this type of data more broadly, such as putting it online, you must ask for consent.
You should consult with your Data Protection Officer to confirm which legal bases your organisation can use.
Check your funding obligations
Digitised material will have to be stored on servers, catalogued in content management systems and documentation, such as correspondence and permission documents, will also have to be retained and managed.
Many funding bodies that support digitisation projects in the heritage sector will require all or some of the digitised collections to be shared with the public in some way, including online publication and sharing through exhibitions and outreach programmes. Where material includes personal and special category data, all of these activities are considered as processing under data protection legislation. Therefore, it is important to ensure you have the lawful basis to carry out your project in line with the law, whilst also meeting your funding obligations.
Audit your collections
Some types of collections held in our museums, archives and libraries are more likely to contain personal and special category data than others, for example oral history interviews, diaries, letters, administrative records and some films and photographs.
An audit of your collection will help you understand how data protection legislation might impact on your project. Questions to consider may include:
- Does the material include data about living people? (data protection law protects living people, though some data – particularly health data – may directly or indirectly impact third parties)
- Are there existing permission and/or consent forms in the collection’s supporting documentation? (e.g. oral history participants may have already given permission for the personal data they disclose in interviews to be shared)
- How old is the material you would like to digitise and share? (material over 100 years old is less likely to contain data about living people)
- Has this material been made available before this project? (Personal data that has already been widely made available may pose a lower risk)
- Can you foresee any reason why someone might object to the data in the material being shared? (there could be other reasons why the material could be considered sensitive and not suitable for publication)
This audit will help you to highlight potential issues which may otherwise prevent you from re-using digitised material, and make sure you allocate enough time and resource to complete the project in compliance with data protection legislation.
Develop a safeguarding strategy and allocate resources
If the collections you would like to digitise include personal and special category data about living people you will need to ensure safeguards are in place to avoid causing ‘damage and distress’ to data subjects and breeching data protection law. There is no fixed definition of what constitutes damage and distress, nor is there a uniform way to implement safeguards, so it is important for project staff to develop a strategy with your Data Protection Officer and other stakeholders such as governance boards and legal teams. This could include:
- maintaining a risk register
- creating new policies and processes around how material will be assessed and re-used
- consulting with curators and colleagues with expertise and knowledge of the collections
- conducting sensitivity reviews on material intended to be published
All decision making should be documented and made available for an audit if requested by the Information Commissioners Office.
You will have to decide who will be responsible for carrying out different areas of the safeguarding strategy and work these costs into your funding application. Some questions to consider when developing a strategy may include:
- can risk register maintenance be factored into existing progress meetings throughout the project?
- does your organisation have existing policies around the sharing of personal data and are they suitable for your project and intended outputs?
- are there other stakeholders who can help identify possible sensitivities in your collections?
- could sensitivity reviews be conducted during digitisation or cataloguing stages?
This is a brief introduction on how to factor data protection into your project planning. For more information about how copyright applies to the heritage sector, including copyright exceptions and orphan works, check out our free resources here.
For information about our consultancy, training and rights clearance services please check here.
Have you heard about the Data Protection Toolkit for Archives? The toolkit is a free resource for archive service staff involved in providing access to personal data found within an archive service’s collections. It provides a structured approach to decision-making and offers helpful checklists, forms, and templates that can be adapted and used within archive services.
The resource was commissioned by The National Archives, delivered by Naomi Korn Associates in collaboration with an advisory group of archivists. You can request to access the free toolkit here.
© Naomi Korn Associates, 2021. Some Rights Reserved. The text is licensed for use under a Creative Commons Attribution Share Alike Licence (CC BY SA)
Disclaimer: The contents of this blog post are based on the assessment of Naomi Korn Associates Ltd at the time in which the resource was created (November 2021). The contents should not be considered legal advice. If such legal advice is required, the opinion of a suitably qualified legal professional should be sought.