Report on the General Data Protection Regulation for the Rockefeller Archive Center

Report produced January 16, 2020

Summary

This report summarizes the main components of the General Data Protection Regulation (GDPR), specifies how it applies to archives, and recommends specific actions for the Rockefeller Archive Center to be in compliance with the Regulation and with good privacy practices in general.

The GDPR applies to the RAC in two distinct ways: 1) the management of archival data, for which the Regulation specifies exemptions to many of its requirements based on “archiving in the public interest,” and 2) the management of our users’ data. For the first, no major changes are recommended to our current practices, although we should continue to be transparent about our public mission, make sure our collection policy is available and up-to-date, and stay current on practices related to balancing privacy and access in archives. For the second, this report details several recommendations aimed at understanding what personal data we collect about users, minimizing collection of that data, and clearly informing users about our data collection practices.

Note to Readers: This report was prepared by Rockefeller Archive Center staff and is based on an extensive literature review, conversations with external GDPR experts, and internal discussions with RAC stakeholders. The findings and recommendations contained in this report reflect the RAC’s most informed determination as to how GDPR applies to the RAC’s own particular use case and mission, as of this writing. We are providing public access to this report for informational and educational purposes only. It should not be construed as legal advice or used as the sole basis for risk assessment or action by other institutions.

Regulation Overview

The General Data Protection Regulation (GDPR)1 is the European Commission’s data protection legislation that was passed by the EU in April 2016 and took effect in May 2018. It replaces, modernizes, and extends the reach of the 1995 Data Protection Directive (Directive 95/46/EC) in an effort to standardize data protection practices, and it applies to all organizations that process the personal data of people living in the EU whether or not that data is processed in the EU. The GDPR is large and complex, containing 99 Articles and 173 Recitals that articulate the responsibilities and requirements of data controllers and processors, require organizations to implement and facilitate seven data protection principles and eight privacy rights, and define the enforcement mechanism of the Regulation.

As defined in GDPR Article 4, data processing is any operation (manual or automated) performed on personal data including collection, organization, storage, alteration, retrieval, consultation, use, dissemination, restriction, or erasure. Personal data is defined broadly to include “any information relating to an identified or identifiable natural person (‘data subject’)” including name, ID number, location, online ID, or “one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity.”

Data Protection Principles

The GDPR emphasizes “data protection by design and by default,” requiring that organizations implement appropriate technical and organizational measures to ensure that by default, “only personal data which are necessary for each specific purpose of the processing are processed” (Article 25). The GDPR articulates the requirements for data protection in seven key principles as described in Article 5:

  1. Lawfulness, fairness, and transparency: Use data lawfully, fairly, and with transparency.

  2. Purpose limitation: Process data only for the legitimate purposes specified to the data subject when it is collected. Exceptions include “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”

  3. Data minimization: Collect and process only the minimum data elements that are necessary for the purposes specified.

  4. Accuracy: Keep data accurate and up-to-date.

  5. Storage limitation: Store data that allows for the identification of data subjects only as long as needed for the purposes specified. Exceptions include “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”

  6. Integrity and confidentiality: Process in a way that ensures the security of the personal data. Implement appropriate technical and organizational security measures.

  7. Accountability: Be able to demonstrate documented GDPR compliance with all of the principles. This includes designating data protection responsibilities, and documenting what data is collected, where it is stored, and how it is being used. Evaluate the requirement of appointing a Data Protection Officer (DPO), and appoint one if necessary.

Data Subject Rights

The set of eight fundamental data privacy rights for data subjects and the associated responsibilities of data controllers and processors are detailed in the GDPR’s Articles 15-22. These aim to inform, protect, and empower people:

  1. Right of access
  2. Right to rectification
  3. Right to erasure (“right to be forgotten”)
  4. Right to restrict processing
  5. Right to be informed
  6. Right to data portability
  7. Right to object
  8. Rights related to automated decision-making including profiling

There are also specific provisions in the Regulation to add additional protections for children.2

Lawful Basis for Processing

In Article 6, the GDPR gives six lawful bases by which data processing can be justified. A lawful basis for processing should be determined and documented before processing.

  1. Consent is given by the data subject to collect data for specified purposes
  2. A contract
  3. Legal obligation other than a contract
  4. Vital interests to protect someone’s life
  5. A task carried out in the public interest or by official authority with a legal basis
  6. Legitimate interests, unless there is reason to protect the personal data which overrides those interests

Note: “A task carried out in the public interest” is a legitimate legal basis for processing personal data for archiving purposes in the public interest.3

The GDPR in Archives

While archives must comply with the GDPR in the processing of archives user data, the Regulation includes some exceptions and derogations for personal data present in archival collections, since the principles and rights of data minimization and permanent preservation are at odds.4 However, these exceptions are somewhat ambiguous and not clearly defined. Additionally, derogations are defined as the ability of EU Member States to further define exceptions, meaning that there can be some variation across the EU on what exceptions are in place for archives. In a 2017 white paper, archivist Isabel Taylor analyzes the archives-specific section of the GDPR and notes that “the derogations for archives, and how well they will work in practice, currently constitute one of the most uncertain areas of the new law.”5

Because of this need for interpretation, archivists active in thinking through GDPR implementation and privacy legislation in general articulate the importance of archival advocacy in these spaces; the integrity and preservation of archival records is threatened by unmitigated data privacy rights. Taylor argues that archival advocacy is “key to entrench an archives-friendly interpretation of the grey areas in the Regulation,”6 and in a report on archives legal issues in GDPR for the E-Ark Project, Anderson and Anderson state that it is “vital that archives should not simply become spectators as legislation and regulation is conceived and implemented.”7

Archives professional organizations and data privacy experts are in the early stages of building a common interpretation and approach to GDPR, with the EU leading the way. Recognizing that this legislation is still new, that archives are under the radar right now in terms of GDPR enforcement, and that litigation will influence how practices are determined, a measured approach is appropriate. While the GDPR is new and far-reaching, archivists also already work to balance principles of privacy with the provision of open and equitable access to records.8 GDPR does not require a drastic change to archival ethics and best practices.

Archival Exemptions and Derogations

The relevant GDPR exceptions provide for “archiving in the public interest” and for “historical research” which are discussed in Article 89(1) and (2), and further clarified in Recital 158.

Recital 158 explains that “archiving in the public interest” applies to organizations that “hold records of public interest” and “have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest.” Therefore, it is the mission of the institution holding the records that is important in determining if the exemption applies.9

Article 89(1) states that “processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” is still subject to “appropriate safeguards” for data subjects including that “technical and organizational measures are in place” for the principle of data minimization (principle 3, as described above). However, as the European Archives Group points out, data minimization can be at odds with archival preservation, and the data protection principles note “archiving in the public interest” exceptions as related to the purpose of the data collection and the time period that data can be stored (principles 2 and 5).10

Article 89(3) further provides that where personal data are processed for “archiving purposes in the public interest”, Member State law may provide for derogations from specific data subject rights “in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.”

In summary, there is an exemption for archives, but it is a qualified and sometimes vague exemption with a dependence on national legislation to further define and clarify implementation.

The RAC and GDPR

The Rockefeller Archive Center is subject to the GDPR because we process the personal data (both digital and on paper) of people living in the EU both as researchers and in our collections.

We are not a third-party Data Processor responsible to donor organizations for the personal data that they control. Donor organizations are responsible for GDPR compliance for the personal data that they process, and the RAC is a Data Controller responsible for the data that we process once records are accessioned and in our custody.

The proposed recommendations are based on the GDPR requirements and archives literature that have interpreted those requirements, but do not include a risk assessment in determining what actions to prioritize.

Recommendations – Archival Collections

  • Review organizational policies (including the forthcoming privacy policy) and mission to ensure that documentation and transparency are provided to support the “archiving in the public interest” exemption. The RAC falls securely in this category with the lawful basis being that processing is carried out in the public interest, and our policies should be accessible, accurate, and reflect that public mission.

  • Be aware that there are some safeguards and rights for data subjects (and children in particular) associated with archiving in the public interest. Our current operations already reflect an understanding of the balance of protecting data subjects and making records available, so no specific action is recommended at this time.

  • Continue to track relevant privacy laws and how other archives respond to GDPR, particularly in the United States where implementation is not as well documented.

Recommendations – Records Management

The GDPR requires that personal data be processed under a lawful basis with consent for a clearly specified purpose, kept only as long as that specified purpose requires, secured, and managed such that it can be provided to the data subject and updated or deleted if they request it. Systems and processes should be developed and maintained with data protection by design and by default.

  • Do not attempt to distinguish EU users from other users. Any changes to policy and procedure should apply to all RAC users.

  • Appoint at least one staff member to lead an audit and/or data-mapping exercise to understand what personal data the RAC holds, where it is, how long it is kept, and the associated security risks (for both electronic and paper records). This may include but is not limited to data about our researchers.

Note: based on the scale and nature of the RAC’s processing activities, we are not required to appoint a formal Data Protection Officer (DPO) or conduct a Data Protection Impact Assessment (DPIA) as detailed in the Regulation.

  • Update or create new policies, procedures, and technical solutions as necessary for compliance related to obtaining and documenting informed and voluntary consent, data retention periods, security, and data sharing with third parties.

  • Minimize the collection of personal data as much as possible. Especially limit the collection of “special category data.” This includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and a person’s health, sex life, or sexual orientation (Article 9).

Note: The GDPR includes an exemption from the requirement to document data processing activities for small organizations like the RAC, but processing that involves “risk to the rights and freedoms of individuals” or is “special category data” must be documented and managed in accordance with GDPR specifications (Article 9 and Article 30).

  • Create a privacy policy that clearly states what data we collect about users and why. The policy should be in plain language and easily accessible from the RAC’s website. Include information about the purpose of each type of data processing and the lawful basis for that processing. Include a way for someone to contact the RAC with questions or requests related to their data.

  • Evaluate our use of cookies and create a cookie policy (likely part of the privacy policy).

  • Implement mechanisms of informed consent for cookies, and ensure that no tracking occurs before consent is given. This does not include the management of third-party cookies, although users should be informed of them.

  • Provide information and/or training to staff related to the privacy principles and rights of our users.

Bibliography

The European Parliament and the Council of the European Union. “General Data Protection Regulation.” April 27, 2016. https://eur-lex.europa.eu/eli/reg/2016/679/oj

Amazon Web Services. “General Data Protection Regulation (GDPR) Center”. https://aws.amazon.com/compliance/gdpr-center/

Anderson, David and Janet Anderson. “Advice to Archives arising from ‘E-ARK Legal Issues Report: European Cultural Preservation in a Changing Legislative Landscape.’” February 9, 2018. https://zenodo.org/record/1170117

Ashley, Lori, Sarah R. Demb and Sarit Hand. “Europeans in Mind: GDPR and the Right to be Forgotten in North America.” Session presented at the Society of American Archivists Annual Meeting, August 2019.

European Archives Group. “Guidance on Data Protection for Archive Services: EAG guidelines on the implementation of the GDPR in the archive sector”. October 2018. https://ec.europa.eu/info/files/guidance-data-protection-archive-services_en

GDPR.eu. “Complete guide to GDPR compliance.” https://gdpr.eu/

Hintze, Mike. “Viewing the GDPR through a de-identification lens: a tool for compliance, clarification, and consistency.” International Data Privacy Law, Volume 8, Issue 1, February 2018, Pages 86–101, https://doi.org/10.1093/idpl/ipx020

Information Commissioner’s Office (UK). “Guide to the General Data Protection Regulation.” Last updated November 2019. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-gdpr/

The National Archives (UK). “Archives and GDPR: frequently asked questions.” https://www.nationalarchives.gov.uk/archives-sector/legislation/archives-data-protection-law-uk/gdpr-faqs/

The National Archives (UK). “Guide to archiving personal data”. August 2018. https://www.nationalarchives.gov.uk/archives-sector/legislation/archives-data-protection-law-uk/gdpr-faqs/

Society of American Archivists. Code of Ethics for Archivists. Revised January, 2012. https://www2.archivists.org/statements/saa-core-values-statement-and-code-of-ethics

Taylor, Isabel. “The General Data Protection Regulation: White Paper.” Archivar 70(2) 2017. https://interparestrust.org/assets/public/dissemination/Archivar2_2017_Taylor.pdf

Todd, Malcolm. “UK Approach to GDPR Concept ‘Archiving in the Public Interest’”. Presented at ACA@UBC 11th Annual International Seminars and Symposium, February 15, 2019. Slides accessed at http://acasymposium2019.sites.olt.ubc.ca/speakers/#Malcolm-Todd

Your Europe European Union. “Data Protection Under GDPR.” https://europa.eu/youreurope/business/dealing-with-customers/data-protection/data-protection-gdpr/indexamp_en.htm

Endnotes

  1. The European Parliament and the Council of the European Union. “General Data Protection Regulation.” April 27, 2016. 

  2. UK Information Commissioner’s Office. “Guide to the GDPR: Children and the GDPR.” Last updated November 2019. 

  3. The National Archives (UK). “Guide to archiving personal data,” 16. 

  4. European Archives Group. “Guidance on Data Protection for Archive Services: EAG guidelines on the implementation of the GDPR in the archive sector,” 5. 

  5. Taylor, Isabel. “The General Data Protection Regulation: White Paper,” 186. 

  6. Taylor, 192. 

  7. Anderson and Anderson. “Advice to Archives arising from ‘E-ARK Legal Issues Report: European Cultural Preservation in a Changing Legislative Landscape,’” 12.

  8. Society of American Archivists. Code of Ethics for Archivists. 

  9. European Archives Group, 10. 

  10. European Archives Group, 5.