By Jess Pembroke, Director of Information Law Services
I had the privilege of delivering in person training to two groups of Archivists recently, it reminded me that archiving personal data is more than just storage—it’s about preserving knowledge and unlocking historical insights which are hugely valuable. Archives ensure that vital information remains accessible and secure over time, serving legal, operational, strategic and research needs as well as fulfilling professional standards.
Beyond compliance, well-structured archives provide a foundation for innovation. Historical data can offer unique perspectives, contribute to research, and drive informed decision-making.
A common misconception is that data collected for one purpose cannot be archived or reused for another, such as research. However, under the UK GDPR (General Data Protection Regulation), in some cases data can be retained for archiving purposes in the public interest, scientific or historical research, and statistical purposes—even if originally gathered for a different reason. This flexibility allows organisations to preserve valuable information while still adhering to data protection laws.
Key Principles of Data Archiving
To archive data effectively, organisations should adhere to the following principles:
1. Data Minimisation vs Value
While data minimisation is crucial for reducing risks and costs, it’s also important not to be overly cautious to the point of losing valuable information. Some data may serve a significant public interest, whether for historical records, research, accountability, or transparency. Retaining certain types of data—especially those that contribute to public knowledge, support future innovation, or provide insight into societal trends—can be just as important as deleting unnecessary information.
Striking a balance between minimisation and responsible retention is key. Instead of discarding data too quickly, organisations should consider the potential long-term value of information. This could include records related to public safety, government decision-making, scientific research, or corporate accountability. In some cases, retaining data for analysis, reporting, or historical documentation can have far-reaching benefits beyond immediate business or regulatory needs.
2. Retention Policies
Establishing clear retention policies is essential for effective data management. These policies should define how long different types of data should be kept, ensuring compliance with legal, regulatory, and business requirements. Archived data, in many cases, can be retained for longer periods (including indefinitely) a, making it a valuable resource for historical reference, audits, or future insights.
Understanding and adhering to retention requirements not only helps maintain compliance with data protection laws but also ensures that data is securely disposed of when it is no longer needed. A well-structured retention policy strikes a balance between minimising unnecessary data and preserving information that holds long-term value, reducing risks while maintaining operational efficiency.
3. Accessibility
Archived data should remain accessible and readable over time. Organisations should consider migrating data to new formats or systems as technology evolves. What steps does your organisation take to ensure researchers and other stakeholders can access historical data when needed? Are you digitising your records and what will be the impact of this?
4. Access to Archived Data
When granting researchers access to archived material, organisations need to consider several factors to balance accessibility with data protection:
- Legal and Ethical Considerations: Ensure that providing access aligns with data protection laws and ethical guidelines. Researchers should justify their need for the data and comply with any restrictions.
- Anonymisation and Data Masking: Where possible, anonymise or pseudonymise data to protect individuals’ identities while still allowing meaningful research.
- Access Controls and Permissions: Implement strict access control mechanisms, granting permissions only to authorised researchers. This may include multi-factor authentication or signed agreements outlining the terms of use.
- Data Usage Agreements: Require researchers to sign agreements that specify how the data can be used, shared, and stored to prevent misuse.
- Monitoring and Auditing: Keep logs of who accesses archived data and regularly review access permissions to ensure compliance with security policies.
Enhance Your Understanding of Data Protection
For those looking to deepen their knowledge of data protection in the context of archives, museums, and libraries, consider attending the Data Protection Law for Archives, Museums, and Library Collections course which can be delivered in house to your archive.
This half-day course provides practical insights into UK GDPR, the Data Protection Act 2018, and their application to archival and museum records. Participants will gain valuable knowledge on legal bases, exemptions, and security considerations while earning CPD accreditation.
Alternatively, the next online date for the Data Protection Law for Archives, Museums, and Library Collections course is 16 July 2025. Book your place for £195+VAT here: https://www.eventbrite.co.uk/e/1046722594457