Myths Associated with the GDPR

By Charles Oppenheim, Senior Consultant, Naomi Korn Associates


Photo by Dennis Kummer on Unsplash

No doubt every reader of this blog post will have received emails asking them to confirm they still wish to receive mailings, because of changes to the law introduced by the EU’s General Data Protection Regulation and coming into effect on May 25th 2018. I suspect in the vast majority of cases, these emails were not needed. Too many organisations are assuming GDPR means a massive change to their obligations, when in fact the changes introduced by GDPR to UK data protection law are modest. Organisations must make changes to the way they operate as there are more obligations to report serious data breaches, the maximum fines for breaches of the law have gone up, there is a need to build “privacy by design” into operations, Privacy Impact Assessments are required, and many organisations need to appoint a nominated Data Protection Officer. But when it comes to the lawfulness of processing data, relatively little has changed. So, advice or instructions such as “all personal data must be deleted from emails”, “you must delete someone’s records if they have not responded to your requests to confirm twice”, “you must delete all records of people who have resigned”, “delete all electronic records, but manual records are OK”, “you are obliged to ask for permission before you can hold someone’s personal data” and the like (and I’ve seen all these, and more) are, quite simply, nonsense.

So let’s get the facts about when you may process, i.e., obtain, record, manage, structure, store, amend or delete, or disseminate personal data correct – and as I say, the law has hardly changed in this regard.  There are six – yes, six – reasons why you are allowed to process personal data.  Any one of them or more than one will be enough reason for an organisation to be allowed to process personal data.  The six reasons, listed in Article 6 and explained in Recitals 28 – 50 of the GDPR are:

  1. The data subject has given their explicit consent – the one everyone seems to be hung up about. Permission should be explicit and unambiguous – with clear opt in preferences recorded and initiated. The fact that this has not necessarily been respected is why so many organisations are panicking now.
  2. The processing is necessary for the performance of a contract to which the data subject is a party – so, for example, if someone subscribes to a magazine, the publisher and/or distributor needs the subscriber’s details to send them.
  3. The processing is necessary for compliance with a legal obligation to which the controller is subject.
  4. The processing is necessary to protect the vital interests of the data subject – e.g., health records, so medical and dental practices do not need to ask for permission to keep patient records, for example.
  5. The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
  6. The processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, unless such interests are over-ridden by the interests of the data subject.

Number 6 is the reason that is most likely to apply to organisations, rather than number 1.  Thus, for example, a membership organisation can keep records of lapsed members so it can subsequently analyse why it is losing them (“we seem to be losing a lot of under-40s – maybe we should improve our appeal to them” is an example.) The law states that personal data should not be kept longer than is necessary, and of course that is a rather vague restriction, but organisations should be aware of how long they should keep records, e.g., for tax reporting purposes.

So please, everyone, don’t panic about the GDPR, and don’t buy into the myths.  Having said all that, one good thing about the many emails coming your way is that it gives you a good excuse to not answer, or to reply saying you no longer wish to receive communication from the organisation, and thereby stop getting bombarded with emails and marketing stuff you’re not really interested in.  A question is whether, after May 25th, organisations really do delete you from their mailing lists!

(c) Naomi Korn Associates, 2018, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence. The image is available under a CC Zero Licence

Museums and their GDPR data protection obligations

Prior to the implementation of GDPR across the UK (transposed into UK law as the Data Protection Act 2018), I wanted to address some questions that I have been asked during my recent training sessions, although the majority of these issues would have been the case already under the Data Protection Act 1998.

1. Should personal data be added to the ‘brief description’ field in a collections database, particularly if this appears on a museum’s online collections website?

It depends on what it is and also on the functionality of the collections database. So, for example, if the object was an army identity card or belonged to a specific person for a specific reason already in the public domain, then reproducing this information online would be unlikely to cause distress to the individual. If the information was a name and an address, then this personal data may not be readily available and should not be made accessible. Remember that personal data is information about a living identifiable individual; however, even if an individual is dead, they may have relatives still living at the same address.

2. On our current Entry forms and loan forms we ask for names and addresses, phone numbers of donors/ depositors/ lenders which we store indefinitely as the information is important for our objects’ provenance. What sort of wording should we include on our forms to make sure we comply with the new regulations and that it is clear to the general public how we will use their data? 

Collecting this type of personal information is vital for the functioning of a museum and, depending upon the circumstances and governance/funding of the museum, this type of processing will be covered under any one of several legal grounds for processing (legitimate interests, public interest, contractual). The forms should include a statement that the information will be used only for the purposes for which it is collected, a possible consent box if you plan to share it (with other museums if lending the item out) and/or use it for other internal purposes, as well as a link to your privacy notice. Your privacy notice should clearly articulate what you are doing with personal data, why etc. See our privacy notice for further information: www.naomikorn.com/about

3. What do we need to do with historical data we hold for acquisitions/ loans/ disposals and deposits?

Most, if not all of this information should be kept in perpetuity and reflected in your retention schedule. Because of the quantity of personal data processed by museums and the range of activities, retention schedules need to reflect statutory, regulatory obligations as well as policy decisions.

4. How will GDPR affect collections management systems (i.e. collections databases) that also store personal data described above?

Your collections management systems need to be configured to enable restrictions regarding what you hold and what you subsequently publish. So, your collection management systems should serve your needs, rather than you adjusting your needs according to your collection management systems. They also need to provide functionality for you to amend and rectify your records, and respond to data subjects who may want personal data amended and/or deleted. It will be important that you liaise with your collections management system vendor accordingly, and also check that they are compliant with their data protection obligations as your data processor.

5. If someone refuses to give us permission to store their name, address etc. relating to an acquisition or a loan is there anything we could do or would we just have to refuse to take the objects?

Collecting this type of information is vital for a museum in order to comply with other statutory, regulatory and policy requirements. For example, Accredited museums must comply with specific standards of practice. Data protection legislation dovetails into this existing framework, and the museum should think very carefully indeed about this before proceeding any further because it may then fall foul of other legal etc. obligations it has.

6. What exactly can be recorded in our ‘Visitors Book’?

Because the book is public – names, addresses, e-mails, phone numbers etc. should not be collected. This is most certainly more than a museum needs, and also means that a museum would have increased obligations to any data subjects (individuals whose personal data you are storing) upon their request, to provide information about what they are storing, amend it, delete it etc. The less information that is held the better. So, a museum should consider why it needs to collect all this information. It is very likely that the most valuable bits are the comments and the country of origin of the individual, and/or first 3 letters of a postcode – which would likely be enough to fulfil a museum’s requirement but not be enough to constitute “personal data”.

Any more data that is collected whereby an individual could be identified should be reflected in the museum’s privacy statement, with a notice provided next to the book explaining how the info will be used and a form in plain English to ensure that such information is captured on a consent basis. Finally, the museum should ensure it stipulates how long such data is stored on a retention schedule.

7. My volunteers fill in Volunteer Application forms when they start with us – which includes giving an email address and phone number. I have previously taken this as consent for me to phone them or email them (generally only about volunteering at the museum). To be compliant do I now need to get in touch with them all to get specific consent to contact them by these means?

Legal grounds for processing would probably be established for this type of use (legitimate, public interest, contractual, vital etc.) – but it will be important to ensure the following:

  • Any other sharing or use (including sharing with other volunteers etc), must be established on a consent basis.
  • This information must be kept safe, like any other personal information.
  • A retention schedule should be used to record how long this information is kept for.
  • Your privacy notice must refer to this type of data collection.
  • Subsequent agreements with volunteers should link to your privacy notice and also ensure that they take the necessary measures to comply with their own data protection obligations, such as encrypted devices, not sharing personal data etc.
  • Your volunteers should be trained about data protection and their awareness levels kept high.

8. Do museums need to check that suppliers they use are GDPR compliant? 

Yes, this is their legal obligation. They need to have robust contractual terms in place accordingly, and if they cannot do so, they should consider using someone else. This means that eventually, as part of a museum’s commitment to a “privacy by design” culture, they need to ensure that their procurement processes, their project initiation procedures etc, embed this consideration into the heart of their organisational culture.

(c) Naomi Korn Associates, 2018, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence. The image is available under a CC Zero Licence

Going back to School?

By Carol Tullo, Senior Consultant


The Bookshop and Lottery Agency of Jan de Groot in the Kalverstraat in Amsterdam, Isaac Ouwater, 1779. Photo credit: Rijksmuseum.

 

The experience of running some Naomi Korn Associates workshops in recent months has been instructive in so many ways! Helping a range of schools – principals, teachers, office managers, bursars, Heads of IT and governors – to familiarise themselves with the GDPR changes opened my eyes to the complex ecosystem of school communities. I was struck by how seriously schools took their responsibilities for handling personal data. The Department for Education published a GDPR Toolkit on April 23: https://www.gov.uk/government/publications/data-protection-toolkit-for-schools

I was involved in the discussions and early drafts with DfE and, while no substitute for tailored help, this toolkit covers the basics and provides useful reassurance for each school to assess its preparations.  DfE outlines a sequence of activities that will help schools to identify and monitor their use of personal data, undertake the necessary processes for auditing and assessing risk, and assist in compiling policies to ensure schools can sustain compliance.  Mirroring the training approach from NKCC, each step is structured to provide the intended outcomes, a suggested ‘how to’ approach, top tips, case studies, and links to relevant resources.  It does not constitute formal legal guidance, and as a data controller, each school is ultimately responsible for its own data protection procedures and compliance with legislation.

My favourites of the top tips in this official guidance:

I would add that if you have started, but not yet completed your journey to compliance, consider a GDPR readiness statement explaining where you are and what you have done.  It all builds confidence.

With the publication of this guidance, an informal consultation exercise will run until Friday 1 June 2018. The initial feedback gathered will be used to inform a revised version. The guidance will be a living document and will be refreshed once the Data Protection Bill is finalised. Comments are welcome so provide feedback to data.modernisation@education.gov.uk with the subject heading “GDPR toolkit feedback”.  DfE asks that if your comments refer to specific content in the document, please reference the page number(s) to identify the area to which you are referring.  Keep the conversation going as we all work collaboratively to deliver this.

Naomi Korn Associates will be running a Data Protection Officer training course for schools, Tuesday 2 October, at the Imperial War Museum, London. For more information please email patrick@naomikorn.com

(c) Naomi Korn, 2018, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence. The image is CCO, sourced from Rijksmuseum.

 

GDPR FAQs

By Yvonne Morris, Consultant


Triumvirate Assuming Power in the Name of the Prince of Orange, 21 November 1813
Jan Willem Pieneman
Photo credit: Rijksmuseum

 

Data Protection law is changing on 25 May 2018 and organisations big and small, public, private and third sector, will have to comply with the new legislation.  In this blog post I answer some of the questions Naomi Korn Associates has been receiving from small businesses and clubs about the steps they need to take to ensure General Data Protection Regulation (GDPR) compliance.

Are clubs and small businesses (e.g. Bridge Club, Dog Training, Dancing Classes) covered by the new GDPR regulations?

Yes they are! If you are processing EU residents’ personal data, the GDPR applies to you. The ICO’s 12 Step Guide will help you to prepare:

https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

I run a monthly book club for 20 people, we do not have a web site but I keep an e-mail list so I can let people know about the next meeting. There is no fee for attendance.  Do I need to do anything?

At the heart of the GDPR are the six principles that should be applied to any collection or processing of personal data and these are a good place to start.  If you are keeping an e-mail list and contacting the people on it you are processing personal data, and that data must be:

  1. processed lawfully, fairly and transparently
  2. collected for specified, explicit and legitimate purposes
  3. adequate, relevant and limited to what is necessary for processing
  4. accurate and kept up to date
  5. kept in a form such that the data subject can be identified only as long as is necessary for processing
  6. processed in a manner that ensures appropriate security

So you need to consider whether, for example, you are keeping the email addresses longer than you need to – do all 20 regularly attend, or have some people not attended for years?  Are you getting bounce backs?  Is the personal data secure?

You also need to identify your lawful basis for the processing activity. There are 6 lawful bases under GDPR and one of these is consent. Maybe you got consent each time someone gave you their email address?  If you did, be aware that GDPR sets a high standard for consent and if you can’t meet it, you will need to refresh. Was there a positive opt-in, not a pre-ticked box, and do you have evidence of consent – who, when, how, and what you told people?

If the answer is “no” and refreshing is going to be difficult do not worry, look for a different lawful basis; one to consider is “legitimate interest”.

Broadly speaking “legitimate interest” means that personal data can be processed where there is a genuine and legitimate reason and the rights and interests of the person whose personal data is being processed are not being harmed.

If your legitimate reason for keeping emails is to fulfil your objective of running a book club and not for any other purpose, and it’s legitimate to assume that people who have shared their contact information with you want to attend so need to be kept informed of meeting dates, then this could be your lawful basis.

However, you must ensure that:

  • You state that legitimate interest is your lawful basis on your Privacy Notice. More about Privacy Notices below.
  • It’s easy for people to opt out of receiving emails from you.

How should I make my GDPR actions clear to clients if I don’t have a web site?

You can make your clients aware of your Privacy Notice through a variety of media:

  • Orally – face to face or when you speak to them on the telephone (a script is advisable for the latter and in both instances, document that the privacy information was given)
  • In writing – printed media; printed adverts; forms, such as financial applications or job application forms.
  • Through signage – for example an information poster in a public area.
  • Electronically – in text messages; in emails; in mobile apps.

I have a web site – what sort of Privacy Notice should I have? 

All Privacy Notices must be understandable, accessible, and written in plain language.

Under GDPR there are certain things the Privacy Notice must contain, including:

  • The identity and contact details of the company and the Data Protection Officer (if required under GDPR to appoint one)
  • The reasons for processing personal data and the legal basis for doing so
  • Categories of personal data being processed
  • Sources of the data
  • Who it might be disclosed to
  • Details of where it might be going in the world
  • How long it’s kept for
  • If customers are legally or contractually required to provide it and the consequences if they refuse
  • Details of any profiling
  • Information on the right to lodge a complaint with the Regulator

The ICO has produced this useful checklist:

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/your-privacy-notice-checklist/

I just keep names and addresses of the students who come to my Bridge classes on my computer – I give out the spreadsheet of names and addresses to the students so they can meet up between lessons and practice. 

Stop sharing the names and addresses immediately unless the necessary consent is in place. Remember, GDPR sets a high standard for consent; were the students made aware that their data would be shared in this way? If they were, did they opt-in to this?  If they did, did you keep a record?  And remember, to be GDPR compliant, the personal data stored on your computer must be kept secure.

I’m a personal trainer/ gardener/ cleaner and don’t have a web site but I keep some notes of my clients on 6 x 4 cards – there is no contract between myself and these clients – do I need to do anything? I keep their phone numbers on my mobile phone

GDPR applies to these hard copy records as well as to the numbers on your mobile phone. The personal information in the notes and on your phone must be kept secure. If you haven’t had any business off a client for a while, you need to justify holding on to their personal data (see the six GDPR Principles). And you need to identify your lawful basis for processing your clients’ data, which will require segmenting your client list. If there is no contract between you and Client X – and remember, contracts don’t have to be in writing, it can be an oral agreement which meets the requirements of contract law – you cannot rely on contract as your lawful basis, but if potential Client Y asks you for a quote, you can.

You also need to be mindful of the rights individuals have when you process their personal data:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

So, for example, if a client asks you to erase their personal data, deleting a number from your mobile is quite straightforward, but are you confident you can locate the notes you hold about them and delete what is required?  And how would you deal with a Subject Access Request?  There is more information about the right to erasure and the right to access on the ICO’s website.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/ 

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/ 

I offer dancing classes to children and adults – are there additional things to consider when processing the children’s data?

Yes. Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved. The ICO states that:

“If you process children’s personal data then you should think about the need to protect them from the outset, and design your systems and processes with this in mind”.

They have produced this useful guide:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/

(c) Naomi Korn, 2018, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence. The image is CCO, sourced from Rijksmuseum.

Shedding Light on #GDPR

Bright, Beatrice, 1861-1940; Seascape

Seascape, Beatrice Bright
Photo credit: Doncaster Museum Service

With less than 3 weeks to go until #GDPR becomes law across Europe, we wanted to take some steam out of the scare-mongering and shed some light on some of the more ridiculous myths we have been hearing about the forthcoming changes to the data protection legislation, and return again to our top tips to help you move forward.

1. GDPR is brand new

No, it’s not. In the UK, we have the Data Protection Act 1998. The General Data Protection Regulation (GDPR) is an uplift on existing data protection laws. In fact, the current laws are not damp squibs at all. The Information Commissioner (ICO) was able to secure a search warrant to enter the premises of Cambridge Analytica with further action pending under the current data protection legislation. Companies who have broken the existing data protection laws are already being named and shamed on the ICO website. GDPR harmonises data protection laws across the EEA (European Economic Area) which will make it much easier to regulate bad business practices across the Digital Single Market, through a more joined up approach between European regulatory bodies and increased fines.

2. GDPR can be solved easily with new IT systems and/or consent forms

No, it cannot. It’s much more intrinsic than that. Apart from increasing accountability, transparency and the rights of data subjects, the aim of GDPR is to encourage a “privacy by design” culture. This means that every single organisation that is processing personal data will need to consider what they are doing, why and on what basis before their new projects begin. They need to document their decisions, ensure that all staff know what their responsibilities are, develop suitable policies, create procedures for dealing with data breaches and subject access requests (SARs) etc. This means that GDPR is all about changing behaviours, leading to international cultural change to ensure that commoditisation of personal data without consent as well as poor business practices will not be tolerated.

3. Everyone must be compliant by 25 May

This is probably impossible for several reasons:

a. The Data Protection Bill 2018 is still going through parliamentary procedure and as of the time of writing, it still has to enter the Report Stage in the House of Commons. Certain aspects have still to be confirmed such as the age of consent for online use, the exemptions and whether public funded organisations, such as National and Local Authority funded museums and libraries will be defined as “hybrids” in order to benefit from the legitimate interests grounds for processing.

b. Compliance with the new data protection legislation is a journey, according to the ICO. This means that the end destination will be full compliance, but to be honest, the Data Protection Act 1998 has been so badly ignored, that there is a considerable journey ahead for most organisations. ICO want you to demonstrate that you have started it, and their 12 Step Guide is a very good way to begin, but this is about systemic cultural change, which takes time.

Top Tip #1: Don’t be scare-mongered about GDPR. It’s a step up from current data protection laws, and there is no magic bullet. The Data Protection Act 2018 is about embedding long term systematic “privacy by design” processes and policies within organisations. There is no ICT system that solves it!

Top Tip #2: You can bring together your external compliance obligations in one place. For example, your privacy notice should clearly state why you are collecting personal data etc. It can be published online with your copyright notice which explains what your position is on copyright, and stating what users to your website can do with your content.

Top Tip #3: Data Protection responsibilities can be linked to broader safeguarding responsibilities towards children, vulnerable adults etc.

Top Tip #4: Data Protection laws apply to print and digital forms of personal data. Know what you have, why and where it is stored. Decide if you should keep it or not, and if so, make sure you plan how you keep it safe.

Top Tip #5: If you can’t find a legal justification for processing personal data, delete or destroy. Otherwise it’s your risk.

Top Tip #6: The new Data Protection laws are a great opportunity to spring clean your personal data and/or reconnect with the people to whom the personal data you hold belongs.

Top Tip #7: Make sure you understand your obligations as a Data Controller when others are processing your personal data on your behalf. Always ensure you use robust contractual agreements between you and your data processors.

Top Tip #8: Think holistically about how you can embed “Privacy by Design” into everything you do. Your existing policies like social media, ICT & HR can usefully be amended to cover your Data Protection obligations.

Top Tip #9: Embed clear guidance about data protection into staff awareness & engagement. It’s everyone’s responsibility.

Top Tip #10: Map out your next steps to be compliant with the Data Protection Act 2018 in an action plan comprised of short, medium and long term actions and who will take them forward. You won’t be able to do everything at once, but you can start your journey sensibly whilst committing to long-term organisational change.

 

(c) Naomi Korn, 2018, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence. The image is (c) Doncaster Museum Service, sourced from Art UK, and available under a Creative Commons Attribution Licence.

Meet Lisa Goldsmith and Yvonne Morris

 

NKCC is delighted to welcome Lisa Goldsmith who has joined us as a consultant specialising in data protection, and Yvonne Morris who has joined us as a consultant specialising in data protection and copyright.

Lisa Goldsmith has extensive experience within the education, professional/membership body and charity sectors. She is currently Head of Digital Development & ICT at a young people’s charity where she is responsible for GDPR, data management, digital developments and ICT. Lisa has developed her skills and experience through different positions within charities and SMEs where she has provided extensive advice, guidance and practical implementation of GDPR, data management, business analysis, digital solutions and digital communications.

Lisa has a BSc(Hons) in Web Development and an MBA in Information Systems Management, from which she graduated with Distinction. In addition to this, Lisa is Prince2 and ITIL Foundation qualified, a GDPR Practitioner, a member of the British Computer Society (BCS), a Fellow of the Institute of Administrative Managers and a committee member of the BCS Data Management Specialist Group. Lisa was shortlisted for the Rising Star category of the Women in IT Awards in 2018.

Lisa Goldsmith: “I’m really excited to be working with Naomi and the wider team. I’m looking forward to utilising my skills to help others and equally to learn from my well established colleagues. It’s an absolute privilege to be working for NKCC, a highly regarded organisation who are leading experts in their field.”

Yvonne Morris is a Chartered Librarian with a strong interest in the development of professional policy in the library, information and cultural heritage sectors.  A Policy Officer at the Chartered Institute of Library and Information Professionals (CILIP), Yvonne’s wide ranging portfolio includes copyright, open access, research data management, e-lending, professional ethics and equalities. Prior to joining CILIP, Yvonne was an Information Officer at the Chartered Institute of Marketing. She started her library and information career at the National Council for Civil Liberties, before moving to the London School of Economics Library and then to the University of Brighton.

Yvonne has been Secretary of the Libraries and Archives Copyright Alliance (LACA) since 2010 and worked closely with former Chair Naomi Korn to bring about much needed reform to UK copyright law in 2014.

Yvonne attended Keele University where she studied Sociology and Criminology. She also holds a Law degree from the University of London, and Masters degrees in Information Studies (Brighton) and Social Policy (Bristol).

Yvonne Morris: “Delighted to have joined a team of such recognised and respected information law experts, and very much looking forward to working alongside them to support our clients in the fulfilment of their legal compliance requirements”.

Naomi Korn: “Lisa and Yvonne joining NKCC, brings new talent to a growing group of extremely experienced consultants. I am thrilled to welcome them on board as we embark upon new initiatives and project work”.

 

A Picture Tells a Million Copyright Stories

I met my good friend Karen at the unveiling of the Dame Millicent Fawcett sculpture in Parliament Square, London, and Patrick, our Project Manager, took this photo. The type of photo that we take all the time. I wanted to use this photo to briefly unpick some copyright issues related to ownership, ethics, licensing and the use of the copyright exceptions – finishing with a bittersweet flourish of an ending – all in time for World IP Day.

The artist Gillian Wearing was commissioned to create a sculpture of the Suffragist, Millicent Fawcett. Her sculpture is in the background of this photo. Gillian Wearing would be the automatic owner of the copyright in the sculpture, unless her commissioning agreement transferred these rights. At the base of the sculpture, Gillian has engraved the portraits of over 50 women and men – the unsung heroes of the campaign. We knew about this months ago because Gillian asked us to help research the rights in some of the more tricky ones. Over 50 photos, each required research and where possible rights clearance to ensure that the voices of all the individuals owning any rights that still persisted, could be heard. The relationship between copyright and ethics is the important force that drives us to do the right thing because we know it is right, not just because we are told it is right.

However, these are not the only rights contained in the sculpture. Millicent is holding up the words: Courage Calls to Courage Everywhere – her words, the words she used, the words that became a symbol of a struggle won, and struggles we continue to try and win now.

Patrick took the photo. It’s a great photo and I asked him to take it for this blog. It’s part of all the great things he does for us, and under the copyright legislation, Naomi Korn Copyright Consultancy Ltd would automatically own the rights in the photo. Crediting Patrick is not a legal requirement, but I think that it is ethically the right thing to do.

Like in many situations, copyright is not the only legal issue to consider. I asked Karen if it would be ok to use this photo online and she said yes. Under the Data Protection Act 1998, to be updated shortly by the Data Protection Act 2018 (GDPR), this is important. Photos of living identifiable individuals would be regarded as personal data, and this type of use would require permission.

So, how can we use this image on this website? There are a number of exceptions to copyright which would be relevant:

  • Incidental inclusion;
  • Reproducing an art work permanently located in premises open to the public (Freedom of Panorama);
  • Quotation.

These exceptions are UK-specific and this is a blog published on an international publishing platform. Without harmonized copyright exceptions globally, or even across Europe, copyright exceptions are limited and users lack rights. On World IP Day, the lack of harmonized user rights is glaring. Data and content must be able to move freely for a flourishing society and economy. Words and images, even when peoples are disenfranchised, as Millicent and her fellow Suffragists and Suffragettes demonstrated, have impact; they shape and change the world. Today, the legislation (and our own ethical backbones) need to interface to create a framework that finds the right balance between control and access, privacy and accountability.

In 1882, the Married Women’s Property Act transferred all the property (including the copyright) from a woman to her husband upon marriage. Millicent married in 1867, and all her copyright, including the copyright in anything she would have written, would have passed to her husband. He died in 1884. For a short period of time, Millicent would not have owned anything, including the words she wrote. We must make sure that whether it’s our words, or the words of others, we can use these freely to change the world.

(c) Naomi Korn, 2018. Some Rights Reserved. This article and the accompanying photo can be reused under the terms of a Creative Commons Attribution Share Alike Licence. http://www.creativecommons.org Any re-use of the photo will require separate permission from the individuals appearing within.