5 Top Data Protection Tips for Archivists

A guest blog by Naomi Korn Associates

It has been over five years since the General Data Protection Regulation was introduced by the EU and later adopted by the UK as the UK General Data Protection Regulation (UK GDPR). It is important to note that archiving is one of the few areas that get special attention in this legislation. The exemptions include further (compatible) processing, which means you can use data in an archive beyond the purpose for which it was originally collected; an exemption from the storage limitation principle (so you can keep data indefinitely); and an exemption from some of the data subject rights, such as the right of erasure (the so-called ‘Right to be Forgotten’).

Here are five essential tips to help archivists protect data effectively:

1. Take a Risk-Based Approach

The UK GDPR prioritises data protection measures based on the level of risk associated with specific data processing activities. This approach involves assessing the potential risks to the rights and freedoms of individuals and balancing these against an organisation’s goals. The GDPR supports the safeguarding of personal data worthy of permanent preservation and does not prevent the use of materials containing personal data.

This approach also applies to the management of data breaches. Although breaches can be required to be reported to the data subject and the ICO, in these cases the focus is on instances where the breach could lead to significant harm, such as discrimination, identity theft, financial loss, or damage to reputation.[1]

Sometimes, when assessing a larger collection, it will not be clear which materials contain personal data. Our recommendation is to focus GDPR compliance on the collection items most likely to contain high-risk data.

2. Understand Types of Data

Not all data is created equal, and different types of data require different levels of protection. The GDPR clearly defines special category data as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data and data concerning a person’s sex life or sexual orientation. This type of data can still be processed (including without consent),[2] but the controls you apply to it should be tailored based on the data’s sensitivity. These controls may include implementing stricter access restrictions or not publishing items that may include special category data in online inventories.

3. Understand Compatible Processing

One of the fundamental principles of the GDPR is known as the Purpose Limitation Principle, which states that data should be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.[3] This may lead people to believe that data held by an organisation cannot be added to the organisation’s archive collection. However, this Principle goes on to say that “further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall…not be considered to be incompatible”, which means that you may be able to further re-use personal information for archiving purposes (subject to meeting certain safeguards). This compatible processing does not apply when data was collected based on consent, but there are many other legal bases for initially collecting data.

4. Understand the Exemptions

Data protection law has some exemptions that specifically apply to data held in archives. One key example is the right to erasure. The GDPR states that “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay”;[4] however, this right does not apply “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes i…[if] is likely to render impossible or seriously impair the achievement of [the archive’s activities]”.[5] These exemptions apply to other data rights, so it’s important to consider how you may handle any such requests and how these can be balanced against the objectives of the archive.

5. Consider Retention

Another common misconception in data protection law is that all data must have a retention date, but this is not the case. Firstly, the GDPR only applies to identifiable data. If you can anonymise information, you can retain it indefinitely. Secondly, as with the above, there are exemptions that apply specifically to archiving. The GDPR states that data subjects have the right to erasure of personal data without undue delay; however, this right does not apply if erasure would likely render impossible or seriously impair archiving purposes in the public interest, scientific or historical research, or statistical purposes.[6] It is therefore important to establish clear retention policies for the data you archive and consider what data might be kept indefinitely.

Conclusion

By following these tips, archivists can enhance their data protection practices, ensuring that personal data is handled responsibly and securely.

Learn to identify and classify personal data in your archival records. Book your place on our What is Personal Data? Webinar in partnership with Naomi Korn Associates on Monday 13th January 2025 - 12.00pm to 13.00pm

Naomi Korn Associates also offer a “Data Protection Law for Archives, Museums and Library Collections” course running on both 11 March 2025 and 16 July 2025, which covers these topics in more detail.

[1] Personal data breaches | ICO

[2] Consent is just one of a number of legal bases to process data

[3] UK General Data Protection Regulation, Art. 5 GDPR (b)

[4] UK General Data Protection Regulation, Art. 17

[5] UK General Data Protection Regulation, Art. 17, 2(d)

[6] UK General Data Protection Regulation, Art. 5
