Advice and guidance – archiving personal data

UPDATE APRIL 2019:

In October 2018, a working group chaired by Giulia Barrera under the auspices of the European Archives Group (EAG) published Guidelines for the implementation of the General Data Protection Regulation (GDPR) by archive services, which are currently a work in progress. The EAG welcomes comments which can be sent to the following e-mail address: SG-EAG-GUIDELINES@ec.europa.eu

Data protection law in the European Union changed significantly in May 2018 with the General Data Protection Regulation (GDPR). This applies directly in EU Member States, but permits those countries to make a limited number of derogations (relaxations) for various issues, including archives. These are benign modifications to how some of the data protection provisions and principles work to make them hospitable to archives continuing with their mission with safeguards to ensure the rights of data subjects are not adversely affected.

GDPR differs from the previous Directive 1995/46/EC in providing for a new purpose, Archiving in the public interest. The key functions of archives were previously handled under research and historical purposes. A new UK Data Protection Act 2018 provides for the archiving derogations as well as many other issues, including settling the GDPR into UK law as the UK leaves the European Union (EU).

Working with the UK archives sector and national record offices, also the National Archives of Ireland, The National Archives UK has published a Guide to archiving personal data, on how archiving in the public interest works; and how archives services can continue to acquire, preserve, and give access to archives while complying with the new legal framework. It has been endorsed by the UK Information Commissioner, Elizabeth Denham, herself a former archivist.

Some aspects are specific to the UK and Ireland, others may have wider application in the EU and beyond.

The new guidance does not provide a comprehensive manual for complying with data protection law (for example: it does not cover the handling of service users’ or employees’ data) and is / will be complementary to guidance provided by the Information Commissioner’s Office, the Archives and Records Association, EURBICA, and possibly others.