This blog is part two of a series comprising a set of primers that address ten complex legal and ethical issues encountered when providing access to born-digital archival records. The guidance is grounded in two foundational beliefs: 1. There is a potential to harm individuals, communities, and institutions if access is not thoughtfully and strategically viewed through an ethical and legal lens; and 2. It is not ethical to restrict access unnecessarily. For more information see: https://osf.io/ketr7/.
Each section in the DLF Born-Digital Access Working Group’s Legal and Ethical Considerations for Born-Digital Access resource includes action-oriented recommendations for institutions and individual archivists, as well as recommendations for technical infrastructure to build, with the goal of facilitating fair and ethical access to born-digital library collections.
But not every action needs to be bespoke, customized to address a specific category of access restrictions. The following are actions and infrastructure recommendations that practitioners should explore when balancing the legal and ethical considerations of providing access to born-digital collections at a broader level. Implementing these recommendations helps facilitate all of the downstream work on specific access considerations that we will share in future blog posts. Note that public policies should be created with the aid of legal counsel whenever possible.
Actions for the institution to take
- Provide a communication mechanism for the public to report metadata errors, provide additional information on, or request the removal of digital materials made accessible by the institution. Inviting discussion demonstrates the institution’s “good intentions” (Hirtle 2009, 207) and supports a responsible access program(1). Additionally, institutions should develop an internally documented workflow on responding to such communications and in what circumstances they will result in removal(2).
- Develop and publish an indemnification statement. This can be included in an access or use policy that advises patrons on their responsibilities should they encounter personally identifiable information (PII) or data subject to General Data Protection Regulation (GDPR)(3). An indemnification statement can protect the institution from malicious use of privacy protected information.
- Develop a policy on retention or non-retention of original physical source media, as well as deleted, hidden, or otherwise unintentionally acquired files recovered via disk imaging. This can be included in a collection development policy, and can protect and guide the institution in responding to the types of challenges noted above.
Actions for the archivists to take
- When applicable, encourage donors to review files prior to transfer, and remove any files subject to attorney-client privilege, Family Educational Rights and Privacy Act (FERPA), Health Information Portability and Accountability Act (HIPAA), or GDPR, as well as files that contain PII or otherwise private information.
- Commit to undertaking some level of pre-acquisition appraisal to separate identifiable PII and GDPR-related data. This may take the form of browsing a creator’s files on their computer, or physically sorting removable media and appraising based on written labels. For organizational records, this can be accomplished by connecting to their server to review files.
- Whenever possible, identify and document potential problem areas in the accessioning stage (i.e. what parts of the collection to watch out for and why). The next archivist stewarding this collection will thank you.
- If the collection will not be processed immediately but is going to be made accessible, include language in a public-facing record explaining that materials require review prior to access. New information found in the review can be added to the description(4).
- Develop a documented restriction period tracking method. This can take the form of a spreadsheet or database ideally in a shared storage space. ArchivesSpace users can set restriction periods and an alert based on these restriction periods. The record is then automatically opened on the determined date.
- Maintain consistent processing documentation, and make it accessible to the relevant people in your institution. This could take the form of processing or project plans, fair use assessments, meeting minutes, access and use policies, and processing notes in the finding aid.
Secure storage is necessary through all phases of digital collections including:
- A protected server or hard drive to which limited authorized staff have access before materials have been appraised.
- Intermediate storage for embargoed materials.
- Long term preservation storage.
Very few institutions have the digital preservation infrastructure and long-term management plans required to ensure the longevity of the majority of their digital materials. If you don’t know where to store sensitive data, you are not alone. Getting a storage solution in place requires extensive collaboration and communication, whether with a vendor or cross-departmentally. Research is emerging for smaller scale processes and collaborative infrastructures that allow average and under-resourced institutions to steward sensitive archival data (Mumma 2019).
- Secure, non-networked workspace to view and process born-digital materials.
- Processing tools such as ePADD, FTK, BitCurator, Bulk Extractor and Bulk Reviewer that can identify, restrict, redact, and delete personally identifiable or otherwise sensitive information. (See the PII and Privacy sections of Legal and Ethical Considerations for Born-Digital Access for more information.) Organizational IT departments may also be able to provide enterprise tools for identifying sensitive information.
- For open online access: clearly articulated access, use, and takedown policies.
- For mediated online access: capacity to limit access to authenticated users in a virtual reading room.
- For mediated on-demand access: capacity to make accessible via email or cloud sharing upon request.
- For in-person access: a computer with the necessary viewing software and security settings in place. Alternatively, an external hard drive that can be loaded with the relevant collection files and loaned to researchers who may view the files via their personal laptop onsite.
- For online or in-person access to unprocessed digital records: mediation through user authentication and/or a user agreement.
An aggregated list of actions is available online and viewable at: https://docs.google.com/spreadsheets/d/1DFHFdTHbvb2kdcTeBfcbyhNXEtXlBt60HRaVMxRQ6Ag/edit?usp=sharing
Stay tuned for future posts that will dig into specific types of legal and ethical conundrums archivists and librarians encounter when providing access to born-digital collections.
(1) See “Our commitment to providing responsible access to digital primary sources–and how you can help!” in “About the Collections in Calisphere” for an example. Available at https://calisphere.org/overview/
(2) See UC Berkeley Libraries “Responsible Access Workflows” for an example set of workflows for both deciding whether to publish and when to remove digitized materials. Available at https://news.lib.berkeley.edu/responsible-access
(3) For an example indemnification statement, see University of California Santa Cruz Special Collections & Archives “Privacy and Personally Identifiable Information” in their Access Policy. Available at https://guides.library.ucsc.edu/speccoll/policies
(4) For guidance on providing access to unprocessed collections, see “2.B. Suggested Access Policies and Procedures” in Guidelines for Efficient Archival Processing in the University of California Libraries. Version 4. University of California Libraries, 2020. Available at https://escholarship.org/uc/item/4b81g01z
DISCLAIMER: This text has been reviewed and feedback incorporated from practicing lawyers, but it was not originally drafted by a lawyer and is not legal advice. Please use this as a starting point to understand the issues, but always consult your local legal counsel or other support system as you make access decisions around born-digital collections.
Hirtle, Peter B., Emily Hudson, and Andrew T. Kenyon. Copyright and Cultural Institutions: Guidelines for Digitization for U.S. Libraries, Archives, and Museums. Ithaca, NY: Cornell University Library, 2009.
Mumma, Courtney C. “Preserving Sensitive Data in Distributed Digital Storage Networks – IMLS LG-34-19-0055-19.” Texas Digital Library, last updated September 27, 2019. Available at https://texasdigitallibrary.atlassian.net/wiki/spaces/DPS/pages/967409735/Preserving+Sensitive+Data+in+Distributed+Digital+Storage+Networks+-+IMLS+LG-34-19-0055-19
Primary Author of this section: Christina Velazquez Fidler, Digital Archivist, The Bancroft Library, University of California, Berkeley
Co-Authors: Hannah Wang, Jessika Drmacich, Jess Farrell, Camille Tyndall Watson, Kate Dundon
Thank you to the many community contributors for feedback and edits to Legal and Ethical Considerations for Born-Digital Access, from which this post was derived.