This blog is part of a series comprising a set of primers that address ten complex legal and ethical issues encountered when providing access to born-digital archival records. The guidance is grounded in two foundational beliefs: 1. There is a potential to harm individuals, communities, and institutions if access is not thoughtfully and strategically viewed through an ethical and legal lens; and 2. It is not ethical to restrict access unnecessarily. For more information see: https://osf.io/ketr7/.
The General Data Protection Regulation (GDPR) is a European Union (EU) law governing personal data and digital privacy related to persons living in the EU and European Economic Area (EEA). The regulation was created in 2016 in order to give individuals control over their personal data and governs data collection, use, sharing, and retention. It was implemented in 2018, and applies to all businesses operating within the EU, or doing business there (including non-European organizations holding this personal data outside Europe). GDPR places the responsibility for data collection and retention with organizations, and makes those organizations culpable in the event of a data breach.
This includes data collected by applications such as website cookies, as well as personally identifiable information (PII) including names, addresses, and photos. Because GDPR concerns the data of any EU resident (citizen or not), and is applicable to companies or organizations doing business in the EU if they are storing patron information, US-based archives must be mindful of how they are maintaining information and providing access to data. Additionally, some U.S. states are considering implementing laws similar to GDPR. GDPR also presents challenges to academic libraries in the US, particularly if they collect digital materials that include individuals living in the EU or if their online systems use software such as cookies to collect user data.
Most likely to come up in
Collections or datasets that may hold data about EU residents, including:
- Private collections
- Email archives
- Web and social media archives
- Business data in customer relations management (CRM) systems (mailing lists, non-credit course or event attendee information, etc.)
- Enterprise Content Management systems (ECM)
- Student records and associated management systems
- Enterprise content management systems
- Library databases and portals
- Management systems for higher education athletics
Actions for the institution to take
Communicate with the donor or individual transferring material regarding third party data in the collection.
Seek releases where possible from third parties whose data may be in the collection.
Develop a release form/deed of gift/purchase agreement that articulates that identifying data subject to GDPR is the donor’s responsibility. (1)
Consider conducting a Data Protection Impact Assessment per the European Commission Guidelines. (2)
Create a workflow for removal or removal policy that provides guidelines to address potential third party data.
Actions for the archivist to take
Maintain consistent project documentation including destructions that occur due to third party requests.
- Workflow and documentation for seeking releases from individuals found in collections
- Workflow/process for digital destruction of archival materials and records.
- Workflow/process for documenting records without release
- Privacy clauses for front-facing websites
- Workflow/process for take-downs and removal
Within the EU, archives must be in compliance with GDPR. If an organization is doing business with EU residents or citizens, the laws also apply to organizations outside of the EU if customer/researcher/patron data is being stored.
If third party storage is being used, we recommend working with the digital security office or IT, to make certain the storage space meets institutional and digital preservation security protocol. Records may be transferred outside of the EU, but only to entities using approved storage methods with mandatory disclosures to people whose data may be released.
“Data” is a very broad term under GDPR, pertaining to data about or belonging to individuals, making identifying data subject to the law difficult to identify and deal with. This can bring up several ethical considerations for institutions dealing with collections in which GDPR might apply:
- Must an archive return any data that does not belong to the Donor?
- Can it ethically provide access?
- GDPR specifically addresses the right to be forgotten; should an individual be notified if there is data about them in an archival collection? The current guidance, in the UK at least, is to restrict access to data belonging to individuals that have not given their consent; however, this was being ruled on by Parliament at the time of this summary.
Briston, Heather. “Contracts, Intellectual Property, and Privacy.” In The Digital Archives Handbook, edited by Aaron D. Purcell. Lanham: Rowman & Littlefield, 2019.
Community Archives and Heritage Group. “Community archives and GDPR.” April 18, 2018. Available at: https://www.communityarchives.org.uk/content/resource/community-archives-gdpr
European Union General Data Protection Regulation (GDPR). Available at: https://gdpr.eu/tag/gdpr/
GDPR Associates. “How does GDPR affect email retention and archiving?” August 14, 2018. Available at: https://www.gdpr.associates/gdpr-affect-email-retention-archiving/
State of California Department of Justice. California Consumer Privacy Act (CCPA). Available at: https://oag.ca.gov/privacy/ccpa
The United Kingdom National Archives. “Archives and GDPR: frequently asked questions.” Available at: https://www.nationalarchives.gov.uk/archives-sector/legislation/archives-data-protection-law-uk/gdpr-faqs/
Primary Author of this section: Camille Tyndall Watson
Co-Authors: Jessika Drmacich, Kate Dundon, Jess Farrell, Christina Velazquez Fidler, Hannah Wang
Thank you to the many community contributors for feedback and edits to Legal and Ethical Considerations for Born-Digital Access, from which this post was derived.
DISCLAIMER: This text has been reviewed and feedback incorporated from library professionals with legal expertise, but it was not originally drafted by a lawyer and is not legal advice. Please use this as a starting point to understand the issues, but always consult your local legal counsel or other support system as you make access decisions around born-digital collections.
(1) “All deeds of gift should mention that issues of privacy are the responsibility of the donor” (Briston 2019, 111.)
(2) Available at: https://ec.europa.eu/info/sites/info/files/eag_draft_ guidelines_1_11_0.pdf