With GDPR now in force, here’s a brief guide on what your library needs to know and what questions you should be asking within your local authority.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU law that will come into force on the 25th of May 2018, replacing the Data Protection Act of 1998. The regulation aims to give citizens greater control over how organisations use our personal data, as well as making sure that the organisations themselves are storing the data securely and using it appropriately.
Why is it necessary?
Since 1998, the growth of the internet has meant that information in our hyper-connected world is now exchanged at an extraordinary rate, and not just between people or organisations but also by the devices in our pockets and our homes.
This information builds a startlingly personal portrait of our preferences, our behaviour and our circumstances. GDPR recognises that this makes us quite vulnerable and aims to give us back the power over how our data is used.
What personal data does my library process?
Think about the information you need to register a new borrower: their name, address and email. All of this is information that can be used to identify them personally. See the definition of ‘personal data’ below.
How about their borrowing history; what can this tell you about a person? Say they borrowed a book on tackling mental health issues… Could this information lead to your borrower facing prejudice? See the definition of ‘sensitive data’ below.
One requirement that goes back to the Data Protection Act but is far too often forgotten is that personal information should be stored for ‘no longer than is absolutely necessary’. When was the last time you cleared inactive borrowers from your database?
Does my library have a legal basis for processing this data?
Your library may process personal data if…
- You have the consent of the user (data subject)
- You have a contractual obligation with your users
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- It is in the public interest
- By order from the controller – this applies more to us as a processor
Please note, there are separate bases for sensitive data which you can find here.
Do you know what consent you have obtained from your users?
Do you have consent to send them emails promoting events coming up in the library? And, if necessary, could you prove you have consent?
A signed contract/user agreement or a record of online opt-ins would provide proof of consent. Contracts can also be amended with the user’s permission, for example to include use of data for marketing purposes if this consent was not obtained in the original agreement.
During the Axiell Gangs, a customer spoke of how their mailing list had been requested for use by another department within the council. Do you think the data subject had given consent to be contacted in this way?
Is this my responsibility?
GDPR places much more responsibility than before on data processors so of course we will be making sure we are well prepared (see below for further details), but the ultimate responsibility towards the individual always rests on you, the library service, as the controller.
Here’s a scenario: a library user approaches the enquiry desk and asks you to delete all the data you hold on them. What do you do? They have the right to erasure, so you should be able to take some simple steps to remove all the personal data the library holds on the individual.
Another: a member of the public comes into the library and asks to see all the information that the library holds about them. What do you do?
What else should I know?
The major update with GDPR, and the topic that has had most people talking and some (probably unnecessarily) shaking in their boots, is the sanctions. With fraud now the most common criminal offence in the UK, the need for greater penalties against organisations leaving personal data vulnerable is obvious. And the sanctions are severe, with the highest fine being up to 4% of global annual turnover or €20 million, whichever is greater.
Something else to know is that, as a public organisation, you should have an assigned Data Protection Officer. Do you know who they are?
How about volunteers…
As contracted members of the team, volunteers are as bound to follow the regulations as you are. It may be expected that trained information professionals are aware of much of what we have talked about, but what about volunteers? Do they know not to leave user records out on display to the public?
Should I panic?
No. Most of GDPR’s scope is covered by the existing Data Protection Act, so you should already have most processes in place to handle your users’ data in an appropriate way. However, it is definitely advisable to check that your procedures are up to date with the new legislation.
What about Brexit?
Hard Brexit, Soft Brexit or Super-Stretchy Elasticated Underpants Brexit; whatever the outcome, GDPR is on the horizon. Not only will GDPR be implemented into law before the UK exits the European Union, but the Government has already confirmed that the data ruling will form part of any new UK legislation. So, in the words of Liam Gallagher, as you were.
What is Axiell doing?
As mentioned above, a lot of responsibility is placed on the shoulders of data processors, so we have been hard at work making sure all of our processes are aligned with the updated requirements.
We have also been working to ensure our systems have the functionality to be able to help libraries fulfil their responsibilities in regard to personal data. This includes making it easier for users to delete and access their data where requested.
You will see some changes in upcoming releases to help with your GDPR processing. Further information on these updates will be available in the not too distant future.
Below is a handy guide to the key definitions.
Personal data
Data that can directly or indirectly identify a living person. For example: name, address, photograph, location data or online identifiers, such as social media accounts. Although seemingly anonymised, library card numbers may be classed as an indirect identifier because they can be linked back to individual library users.
Sensitive data
This refers to data, such as health information, sexuality, religion and political opinions, which may lead to potential discrimination against the data subject.
Controller
“A controller determines the purposes and means of processing personal data.” This is you.
Processor
“A processor is responsible for processing personal data on behalf of a controller.” This is us.
Data subject
The law is built around protecting the rights of individuals, so this is the central persona. Individuals, or ‘data subjects’, have the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision making and profiling