This blog is part of a series comprising a set of primers that address ten complex legal and ethical issues encountered when providing access to born-digital archival records. The guidance is grounded in two foundational beliefs: 1. There is a potential to harm individuals, communities, and institutions if access is not thoughtfully and strategically viewed through an ethical and legal lens; and 2. It is not ethical to restrict access unnecessarily. For more information see: https://osf.io/ketr7/.
Overview
The General Data Protection Regulation (GDPR) is a European Union (EU) law governing personal data and digital privacy related to persons living in the EU and European Economic Area (EEA). The regulation was created in 2016 in order to give individuals control over their personal data and governs data collection, use, sharing, and retention. It was implemented in 2018, and applies to all businesses operating within the EU, or doing business there (including non-European organizations holding this personal data outside Europe). GDPR places the responsibility for data collection and retention with organizations, and makes those organizations culpable in the event of a data breach.
This includes data collected by applications such as website cookies, as well as personally identifiable information (PII) including names, addresses, and photos. Because GDPR concerns the data of any EU resident (citizen or not), and is applicable to companies or organizations doing business in the EU if they are storing patron information, US-based archives must be mindful of how they are maintaining information and providing access to data. Additionally, some U.S. states are considering implementing laws similar to GDPR. GDPR also presents challenges to academic libraries in the US, particularly if they collect digital materials that include individuals living in the EU or if their online systems use software such as cookies to collect user data.
Most likely to come up in
Collections or datasets that may hold data about EU residents, including:
- Private collections
- Email archives
- Web and social media archives
- Business data in customer relations management (CRM) systems (mailing lists, non-credit course or event attendee information, etc.)
- Enterprise Content Management systems (ECM)
- Student records and associated management systems
- Enterprise content management systems
- Library databases and portals
- Management systems for higher education athletics
Actions for the institution to take
Communicate with the donor or individual transferring material regarding third party data in the collection.
Seek releases where possible from third parties whose data may be in the collection.
Develop a release form/deed of gift/purchase agreement that articulates that identifying data subject to GDPR is the donor’s responsibility. (1)
Consider conducting a Data Protection Impact Assessment per the European Commission Guidelines. (2)
Create a workflow for removal or removal policy that provides guidelines to address potential third party data.
Actions for the archivist to take
Maintain consistent project documentation including destructions that occur due to third party requests.
Technical infrastructure
- Workflow and documentation for seeking releases from individuals found in collections
- Workflow/process for digital destruction of archival materials and records.
- Workflow/process for documenting records without release
- Privacy clauses for front-facing websites
- Workflow/process for take-downs and removal
Legal considerations
Legal considerations for archives operating outside of the EU: For many government archives, public records are defined as anything, regardless of format, sent or received in the conducting of public business. However, several tools used by non-EU governments and archives to do business within the EU are subject to GDPR. For example, many government agencies use Twitter to communicate with constituents, including being tagged in tweets by citizens. These tweets are considered public record. However, when GDPR was implemented, Twitter made the decision to update their privacy policy to remove tweets that have been deleted or that were sent by an individual who deleted their account. This policy change then affected the retention policies of Archive Social, a social media archiving tool used by many government archives; Archive Social also made the decision to remove these deleted tweets from their archives periodically. For many government archives, this amounts to the destruction of public records, which is one thing if the deleted tweet is about the governor’s cute dog, but another entirely if the deleted tweet contained something like a threat or other substantive communication. Government archives have had to find different workarounds for how to account for this deletion of public records.
Within the EU, archives must be in compliance with GDPR. If an organization is doing business with EU residents or citizens, the laws also apply to organizations outside of the EU if customer/researcher/patron data is being stored.
If third party storage is being used, we recommend working with the digital security office or IT, to make certain the storage space meets institutional and digital preservation security protocol. Records may be transferred outside of the EU, but only to entities using approved storage methods with mandatory disclosures to people whose data may be released.
Ethical considerations
“Data” is a very broad term under GDPR, pertaining to data about or belonging to individuals, making identifying data subject to the law difficult to identify and deal with. This can bring up several ethical considerations for institutions dealing with collections in which GDPR might apply:
- Must an archive return any data that does not belong to the Donor?
- Can it ethically provide access?
- GDPR specifically addresses the right to be forgotten; should an individual be notified if there is data about them in an archival collection? The current guidance, in the UK at least, is to restrict access to data belonging to individuals that have not given their consent; however, this was being ruled on by Parliament at the time of this summary.
Works cited
Briston, Heather. “Contracts, Intellectual Property, and Privacy.” In The Digital Archives Handbook, edited by Aaron D. Purcell. Lanham: Rowman & Littlefield, 2019.
Additional resources
Community Archives and Heritage Group. “Community archives and GDPR.” April 18, 2018. Available at: https://www.communityarchives.org.uk/content/resource/community-archives-gdpr
European Union General Data Protection Regulation (GDPR). Available at: https://gdpr.eu/tag/gdpr/
GDPR Associates. “How does GDPR affect email retention and archiving?” August 14, 2018. Available at: https://www.gdpr.associates/gdpr-affect-email-retention-archiving/
State of California Department of Justice. California Consumer Privacy Act (CCPA). Available at: https://oag.ca.gov/privacy/ccpa
The United Kingdom National Archives. “Archives and GDPR: frequently asked questions.” Available at: https://www.nationalarchives.gov.uk/archives-sector/legislation/archives-data-protection-law-uk/gdpr-faqs/
Contributors
Primary Author of this section: Camille Tyndall Watson
Co-Authors: Jessika Drmacich, Kate Dundon, Jess Farrell, Christina Velazquez Fidler, Hannah Wang
Thank you to the many community contributors for feedback and edits to Legal and Ethical Considerations for Born-Digital Access, from which this post was derived.
DISCLAIMER: This text has been reviewed and feedback incorporated from library professionals with legal expertise, but it was not originally drafted by a lawyer and is not legal advice. Please use this as a starting point to understand the issues, but always consult your local legal counsel or other support system as you make access decisions around born-digital collections.
___
(1) “All deeds of gift should mention that issues of privacy are the responsibility of the donor” (Briston 2019, 111.)
(2) Available at: https://ec.europa.eu/info/sites/info/files/eag_draft_ guidelines_1_11_0.pdf