[Revised September 2020, original 29th May 2018 (revision post-introduction of GDPR)]
Section 1: GPI’s Commitment to Data Protection and Privacy
Section 2: Breakdown of Personal Data Collected, Processed, Stored and Shared by GPI and Procedures in Place
Section 3 Access, Security and Individual Rights
Appendix:
The following Policy explains what personal data the George Padmore Institute (GPI) collects about individual persons the GPI interacts with, GPI’s motives for collecting such data and on what Legal Basis. Following from this, the Policy explains why and how GPI may use, store, process and share that personal data. The Policy also explains the rights individuals have in relation to that personal data. GPI is committed to complying fully with our obligations under applicable data protection laws governing why and how personal data is collected, used, processed, stored and shared.
Until Brexit (2020), this has meant complying with the EU General Data Protection Regulation (GDPR), and the corresponding UK law, the Data Protection Act (2018). As Brexit develops in the months and years ahead, we will review our policy to ensure continued compliance with relevant UK legislation, and in accordance with the latest guidance from the Information Commissioner’s Office.
Another uncertainty is the impact which the COVID-19 pandemic has on compliance with GDPR. The pandemic began in 2020, and it remains uncertain how long the impact will last.
Given the uncertainties of the COVID-19 pandemic, this aspect is dealt with in an appendix, rather than in the main body of the Policy.
The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998, and came into effect on 25 May 2018. It sits alongside the GDPR, and tailors how the GDPR applies in the UK - for example by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers. The GDPR is the General Data Protection Regulation (EU) 2016/679. It sets out the key principles, rights and obligations for most processing of personal data – but it does not apply to processing for law enforcement purposes, or to areas outside EU law such as national security or defence. The GDPR came into effect on 25 May 2018. As a European Regulation, it has direct effect in UK law and automatically applies in the UK.
The GDPR legislation refers to ‘Special Category Personal Data.’ This singles out some types of personal data as likely to be more sensitive, and gives them extra protection:
The majority of the special categories are not defined and are fairly self-explanatory.
Why is this data special? It’s not just that this type of information might be seen as more sensitive or ‘private’, but that these types of personal data merit specific protection. This is because use of this data could create significant risks to the individual’s fundamental rights and freedoms. For example, the various categories are closely linked with:
The presumption is that this type of data needs to be treated with greater care because collecting and using it is more likely to interfere with these fundamental rights or open someone up to discrimination. This is part of the risk-based approach of the GDPR.
Whilst other data may also be sensitive, such as an individual’s financial data, this does not raise the same fundamental issues and so does not constitute special category data for the purposes of the GDPR.
An organisation is only permitted to collect, process, store or share personal data in pursuance of its own lawful activities essential for carrying out its mandate.
GPI’s legitimate interest is for “archiving in the public interest.” There are certain exemptions under GDPR for “archiving in the public interest”. According to The National Archives:
“Archiving in the public interest is processing to secure the permanent availability of recorded memory, in other words, evidence and information, for a wide range of current and potential future purposes, including:
- enabling research and investigation of all kinds, including academic, historical or genealogical research
- enabling long-term accountability, such as public inquiries and other official investigations like cold case murder investigations
- enabling the discovery and availability of personal, community and corporate identity, memory and history
- enabling the establishment and maintenance of rights and obligations and of precedent decisions
- enabling educational use
- enabling commercial and non-commercial re-use.
The phrase ‘enduring value’ is not included in the index of defined expressions within the Data Protection Act 2018. The phrase is however used in the new legislation in the context of the new purpose – ‘archiving in the public interest’. This purpose can only be applied to records which have been identified as having ‘enduring value’. Records which have been subject to an appraisal process and deemed to be worthy of permanent preservation, have been accessioned by an archive service or which have been identified as such by the record creator are likely to considered as of ‘enduring value’.”
However, the exemptions do not apply if it would risk causing “substantial damage or substantial distress to an individual”.
We may need to request, process, store and share selected personal data in order to operate. The personal data we request or receive from you when dealing with the GPI breaks down into the following broad areas.
Relating to individuals who interact with GPI:
Relating to GPI’s archival collections:
Relating to the contents of GPI’s communication platforms/tools
Each of these areas are discussed in greater detail in Section 2 below.
Reader Registration Forms
We require all readers/researchers to complete registration forms when visiting the archive. Data requested includes your name, contact details, organisation or place of study (if applicable), research topic and signature. You will also be asked if you wish to join our mailing list. All personal data requested is for internal use only, to ensure the efficient management of our collections, increase security and aid the preservation of our archives. Registration forms are stored securely (see Section 3, Part 2) and subsequently destroyed in accordance with set retention periods to ensure that personal data is not kept for longer than necessary. (see Section 3, Part 3).
Visitors’ Book:
All visitors are asked to write their name in a visitors’ book when they are visiting the building. The personal data requested is for internal use only to increase security. Books are stored securely (see Section 3, Part 2) and subsequently destroyed in accordance with set retention periods to ensure that personal data is not kept for longer than necessary. (see Section 3, Part 3).
File Transfer Slips
We need to record the physical movement of archives ordered by researchers. File transfer slips create a records’ tracking system which alerts us if a file is misplaced or has gone missing. Each slip will record the reference number, the name of the person who has requested it, the date of ordering and the current location of the item. These slips are for internal use only. We also produce statistics from the slips to monitor which records are being consulted the most (and may therefore require repair due to frequent handling) and are popular areas of study. These statistics are anonymous. File transfer slips are stored securely (see Section 3, Part 2) and subsequently destroyed in accordance with set retention periods to ensure that personal data is not kept for longer than necessary. (see Section 3, Part 3).
Archive Reprographic Services - Copyright Declaration Forms
In order to comply with the Copyright and Related Rights Regulations 2003, the GPI cannot photocopy or scan material for researchers unless you complete and sign a Copyright Declaration Form. We will ask for your name and contact details. These forms are for internal use only and are stored securely (see Section 3, Part 2) and subsequently destroyed in accordance with set retention periods to ensure that personal data is not kept for longer than necessary. (see Section 3, Part 3).
Booking Research Appointments
Research appointments are recorded in a calendar. There are no appointment lists containing personal data on display or held in a public place, such as our search room. Appointment bookings will record your name only. Such calendars are for internal use only and are stored securely (see Section 3, Part 2) and subsequently destroyed in accordance with set retention periods to ensure that personal data is not kept for longer than necessary. (see Section 3, Part 3).
Transfer Agreement
If you donate material to the GPI archive collections, you will be required to complete a Transfer Agreement Form. This will either record transfer of ownership of records to the GPI or the loaning of records to the GPI. We will require name and full contact details, signature and any information relating to intellectual property rights (eg: copyright you hold in the material). The Transfer Agreement is for internal use and will be kept permanently as a record of the material you have either gifted to or deposited in the GPI Archive. A copy of the completed Transfer Agreement Form will be held by you. Should the GPI cease to exist and the archive material is passed to another archive, the transfer agreement will accompany the material and pass into the ownership of the new organisation, and will then become subject to their GDPR/privacy policies. The transfer agreements are held securely, as described in Section 3, Part 2.
GPI EMPLOYEES
Employees
All personal data that we request from you relating to recruitment, contracts of employment, and all aspects of your work as an employee of the GPI is for internal use only. This includes collecting the following information: name; contact details; cv/employment history; financial data (for payment of salary/pension/reimbursement). GPI do not ask for date of birth, but some applicants may provide it in their CV. No special category data is asked for, but some applicants may provide it in their CV or application letter. We need to pass certain information to third parties for processing payroll and also to contact external pension providers. Although not a standard GPI practice, there may be instances when an external interviewer is involved in selecting a candidate, in which case a CV and application letter would be shared as appropriate. The information GPI collects are not shared for other purposes or with other third parties. Employee records are stored securely (see Section 3, Part 2) and subsequently destroyed in accordance with set retention periods to ensure that personal data is not kept for longer than necessary (see Section 3, Part 3).
VOLUNTEERS AND NON-CONTRACTUAL STAFF
Volunteer Agreements
In order to volunteer at the GPI, you will be asked to provide an application with a CV, and successful applicants will be asked to complete and sign a non-contractual Volunteer Agreement. The CV includes name and contact details, and any personal data which the applicant chooses to include in their CV. The Volunteer Agreement includes a Volunteer’s name and signature. A copy of the completed Volunteer Agreement will be held by you. These agreements are for internal use only and are stored securely (see Section 3, Part 2 and subsequently destroyed in accordance with set retention periods to ensure that personal data is not kept for longer than necessary (see Section 3, Part 3).
Log of Volunteer Hours
We monitor the number of hours that volunteers spend working in the GPI. If we are in receipt of a heritage funding grant, the total number of volunteer hours can count as work ‘in kind’ and can increase the size of the grant. We use initials, rather than your full name, the date and number of hours spent in the GPI, and brief details of the work you carried out (by category – cataloguing; boxing; cleaning, etc). The total number of hours is also beneficial to individual volunteers for quoting on CVs etc. The information is recorded by staff supervising the volunteer and not by the volunteer themselves. The information is for internal use only and is logged in a book. The books will be retained by the GPI as a permanent record of work achieved and will pass into the GPI’s own archive in due course. At this point they will be subject to the GDPR policy governing personal data held in GPI’s archive, as described in Section 2, Part 2.
SUPPORTERS AND FRIENDS
GPI has a wide network of supporters and friends, who either receive information from GPI in print or digital format, who attend GPI’s events or who donate money. The personal data that may be collected on them could be: name, physical address, telephone number, email address, and other electronic communication addresses, such as Skype, WhatsApp or other social media as appropriate. All information is provided voluntarily for the specific purpose of sharing information about GPI activities, or GPI appeals for support and donations. The information is kept securely, as described in Section 3, Part 2, and is only kept for as long as necessary, as described in Section 3, Part 3
Website and Social Media
You can choose to view and/or comment on GPI’s website and social media accounts– Facebook, Twitter and Instagram. However, to enable these services, your personal data will be stored on third party sites. You should refer to the privacy policies of those sites before giving out personal data. The GPI undertakes to operate within the guidelines of these sites and will not collect your personal data.
Google Analytics
We use Google Analytics to help collect information on how you use our website. This helps us to improve the website and provides statistics on the number of people visiting and which pages they have viewed.
Mailing lists
We use MailChimp to keep in touch with our supporters. If you have agreed to be contacted by us, your name and email address will be used to create mailing lists in MailChimp. You can unsubscribe from MailChimp using the link at the bottom of any email received. Only contents relating to GPI’s purpose and activities will be sent to this list.
Surveys, Feedback and Monitoring Forms
Any surveys and feedback forms produced and issued by the GPI will be anonymous and will not request any personally identifiable data. Such forms will be kept securely (see Section 3, Part 2) destroyed in accordance with set retention periods (see Section 3, Part 3) to ensure that data is not kept for longer than necessary.
PayPal
You can choose to use the PayPal link on our website in order to give donations to the George Padmore Institute. However, to enable this service, your personal and financial information will be stored on and processed by the third-party PayPal site. You should refer to the privacy policy of this site. The data we see on the PayPal site and on any emails sent out to GPI from PayPal consists of name, date, email, profile ID [coded]; profile status [active/inactive]; GPI does access personal data, but the profile data is coded and we can’t see bank account details or any financial data other than the amount of money given.
If you send us an enquiry by email, phone call or letter, we will answer that enquiry using the contact details you have provided. We will not ask you for additional personal data unless we feel this is necessary in order to answer your enquiry. We will not forward your enquiry or pass your personal data to anyone outside of the GPI without your consent unless required to by law.
GDPR only applies to electronically held records, so does not actually apply to GPI’s paper-records. At the time when this policy is being written (2020) paper records constitute the bulk of GPI’s record holdings.
However, despite GDPR not applying to these records, there are still measures in place to protect individuals’ privacy. Certain archival records containing personal data may be closed to public access for the lifetime of the individual, or for a duration specified by the depositor of the records. This decision is based on a combination of ethics, the terms of the deposit between the donor of the archives and GPI, and also the discretion of the archivist cataloguing the record as to whether a record should be closed or not. In some instances, we may provide access to records containing the personal data of living individuals where donors they not requested the records to be closed, or where it will be of archival value to make the data available in the public domain.
This is the most important area in which GDPR protects the personal data contained in GPI’s archives. It applies to GPI’s records which were ‘born analogue’ (such as paper, or magnetic tape audio or audio-visual records) but have subsequently been digitised and made accessible digitally, or those records which were born digital. This is currently only a very small proportion of GPI’s records, but this will steadily increase in the coming years, in accordance with GPI’s Digital Policy and Strategy documents.
Our approach is governed by GPI’s legal basis to archive in the public interest. However, we close access to any records containing Special Category Personal data for a living person, if opening these records would risk causing ‘substantial damage or substantial distress” to an individual as described in Section 1, Part 2. In such instances, GPI will not open the records until the individual had died, or 100 years after the date of their birth. In some cases, GPI may redact only parts of the record that need to be closed, while making the remainder of the record open. As an archival institution, it is important that GPI preserves these records and the information contained in them, even if they are not immediately open to public access. Having preserved them, it is possible to put them in the public domain at a later date.
Our decisions with regard to this are based on assessment of the different risks concerned, and our decisions are fully documented. Our digital platforms contain a “take down policy/disclaimer”, which allows individuals concerned about an inappropriate level of openness for a given record to appeal. In such instances we will consider whether it is appropriate to remove the material or not, assessing both the possible “harm” or “distress” involved against the need to archive in the public interest. While GPI commits to considering all such appeals, it reserves the right to make a decision contrary to the appeal.
As the catalogue is available online, the GDPR protects personal data held in it. This area is governed similarly to the digital records in GPI’s collection, as described above.
Certain images of people may also contain Special Category Personal data. As such, the contents of GPI’s online communications and publications tools and fora are also covered by GDPR.
Access to personal data is restricted to those GPI staff who need to access it in order to fulfil their job responsibilities. These individuals have received basic GDPR training.
In particular circumstances, it may be necessary to share personal data with the following people.
In such instances, data will only be shared for the purposes of carry out these tasks and nothing else.
All internal records containing personal data which GPI keeps for its day-to-day functioning, as described in Section 2, are kept securely. This includes both paper records and electronic records. These measures are designed to prevent accidental loss or deliberate theft of information, as well as inappropriate internal access and use of the information.
Paper records, such as Reader Registration Forms, Visitor Books, File Transfer Slips, Copyright Declaration Forms, Appointment Calendars, Transfer Agreements, Volunteer Agreements, and records relating to employees and unsuccessful job applicants, are kept in a physically secure area, with the key only held by GPI employees who need access to this data.
Electronic records are held in secure pass-word protected areas of GPI’s computers, with access restricted to those GPI employees who need access to this data.
GPI only holds personal data for as long as is required, either by law, or in order to serve the purpose for which it was collected. After this period, the data is safely destroyed, in accordance with a retention schedule, which specifies the length of time a particular set of records must be kept and the basis (either legal or internal) for this duration. Some categories of records are not destroyed, but are retained as part of GPI’s own internal archive. At this point, they become subject to the procedures described in Section 2, Part 2.
Under GDPR, individuals have certain rights with regard to personal data held about them.
You have a right to know what personal data GPI holds on you, and to access it. If you ask us, we will confirm whether we hold and/or are processing your personal data. If you request it, we can provide you with a copy of your personal data. If information about you is held in a record within GPI’s archive, and this record is closed due to containing special category personal data about a third person, a photocopy or transcription will be provided by staff, with redactions as necessary.
You are entitled to ask us to restrict or stop processing your personal data if you contest the accuracy of that data or object to us processing it. We are obliged to do so, unless we can demonstrate legal grounds for the processing of it or if such processing is necessary for the performance of a task carried out in the public interest (such as archiving).
You have the right to ask us to correct your personal data if you think it is inaccurate or incomplete, and also to bring it up-to-date.
You also have the right to have personal data erased (removed) from our records but this only applies in certain circumstances. See the following guidelines https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/ Please note that the right to erasure is not absolute and may not apply to all personal information held in our archive collections, in accordance with the exemptions to GDPR for archiving in the public interest, as described in Section 1, Part 3.
All requests must be made in writing. A written request for information under GDPR is known as a “Subject Access Request”. GPI is obliged to answer you within one month. If you have made multiple requests or your request is particularly complex, GPI is obliged to reply within two months, but must let you know within one month that this is the case, and to inform you why this decision has been made.
For further information on how we use your personal information, keep your personal information secure and your rights to access the personal information we hold on you, please contact Sarah Garrod, Archivist, info@georgepadmoreinstitute.org. Tel: 0202 7272 8915 (10.00-4.00pm) or write to us at 76 Stroud Green Road, Finsbury Park, London N4 3EN.
Further information about the General Data Protection Regulation (GDPR) can be found here: https://gdpr-info.eu/
Further information about the application of GDPR to archival institutions can be found here: https://www.nationalarchives.gov.uk/archives-sector/legislation/archives-data-protection-law-uk/gdpr-faqs/#general
Section 2, Part 1 describes many uses of physical records relating to users of GPI’s archives, such as visitor book, or slips. As GPI’s COVID response evolves, this practice may be halted and replaced with digital records. This will then have implications for storage, and will be stored in accordance with electronic records.
It will also mean collecting more personal data than usual, and potentially sharing it more widely, in accordance with government track and trace and other related schemes (which themselves are continually evolving from one-day-to-the-next). GPI will follow any advice issued by the government, the National Archives or the Information Commissioner’s Office in this regard in order to follow recommended practices for the sector.