GDPR (data protection) guidelines

What is GDPR?

It is the EU General Data Protection Regulation, which came into force on 25 May 2018 (in the UK it continues to apply as the UK GDPR, alongside the Data Protection Act 2018). Any organisation which collects personal data has to abide by the data protection principles. Personal data is any information relating to a living person who can be identified from it, either directly or in combination with other information: for example their name, address, phone number or email address. The GDPR applies to personal data held electronically and to paper records that are organised so that particular individuals' information can be found (a structured filing system).

Article 5 of the GDPR (‘Principles relating to processing of personal data’) sets out the main responsibilities for organisations as follows:

Personal data shall be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and, where necessary, kept up to date; inaccurate data must be erased or corrected without delay
  • Not kept for any longer than is necessary
  • Processed securely, protected against unauthorised or unlawful access and against accidental loss, destruction or damage

There is a further requirement (the accountability principle) that organisations shall be responsible for, and able to demonstrate, compliance with the principles. Personal data breaches must be reported to the ICO (the Information Commissioner’s Office) within 72 hours of the organisation becoming aware of them, unless the breach is unlikely to result in a risk to the people affected; where the breach is likely to result in a high risk to those people, they must be told as well.

Individuals’ Rights

The GDPR includes the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision-making, including profiling

What do library community groups need to do?

Community groups are likely to hold personal data. For example, they may have a mailing list that they circulate information to or they may run a 100 club. It’s therefore important that the trustees of community groups – and in particular, those who hold and use personal data for the group – are fully aware of the rules and ensure they are GDPR compliant.

In summary, the important principles for groups to follow are:

  • the group collecting the data should make it clear when collecting it what it will be used for and must not use it for any other purpose
  • personal data should only be collected where there is a lawful basis for doing so; for a community group this will normally mean the person has clearly consented, and that consent should be recorded
  • the group collecting the data should only collect the data they need
  • the data should be stored safely and only be accessed by those who need access to it
  • it should not be shared with any other party without the person’s consent
  • the data should be deleted / destroyed when it is no longer needed, or when the person asks for it to be deleted
  • trustees should be mindful when sending any communication not to inadvertently share the personal details of anyone else without their consent. A common example of this is when a group email is sent but the BCC (blind copy) option is not used, which results in all the recipients being able to see the email addresses of everyone else who has received the email. An email address is personal data, so this is itself a personal data breach.
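As an added illustration of the BCC point above (example code written for this page, not material from the original guidance or from the ICO), the block below builds the unsafe form of a group mailing, with every member in To:, beside the safe form, with members in Bcc:, and adds a pre-send check that refuses any message which would reveal a member's address to the other recipients. The group address, the member addresses and the SMTP host and port are constructed for the example and are not real.

```python
"""Group mailing without disclosing members' addresses (added example)."""
from email.message import EmailMessage
from email.utils import getaddresses
import smtplib

# Constructed sample data for the example: not a real group or real people.
GROUP_ADDRESS = "friends-of-the-library@example.org"
MEMBERS = ["alice@example.com", "bob@example.net", "carol@example.org"]


def _addresses(msg, headers):
    """Bare email addresses found in the given header fields of msg."""
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return sorted({addr for _, addr in getaddresses(values) if addr})


def build_unsafe_message(sender, members, subject, body):
    """The common mistake: every member in To:, so each recipient sees everyone."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(members)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_safe_message(sender, members, subject, body):
    """Members go in Bcc:; the visible To: is the group's own address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(members)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses a recipient can read from the delivered message.

    smtplib.send_message() removes the Bcc header before transmission, so
    only To: and Cc: are visible to the people who receive the email.
    """
    return _addresses(msg, ("To", "Cc"))


def envelope_recipients(msg):
    """Addresses the message is actually delivered to (To, Cc and Bcc)."""
    return _addresses(msg, ("To", "Cc", "Bcc"))


def disclosed_members(msg, members):
    """Members whose address would be shown to the other recipients."""
    return sorted(set(visible_recipients(msg)) & set(members))


def check_before_send(msg, members):
    """Refuse a mailing that exposes a member's address to other recipients.

    A one-to-one email naturally shows its single recipient, so the check
    only fails when a member is visible AND the message goes to more than
    one person. Returns the envelope recipients when the message is safe.
    """
    exposed = disclosed_members(msg, members)
    delivered_to = envelope_recipients(msg)
    if exposed and len(delivered_to) > 1:
        raise ValueError(f"would disclose member addresses: {exposed}")
    return delivered_to


def send_group_email(msg, members, host="localhost", port=25):
    """Check, then hand the message to a local SMTP relay (hypothetical host/port)."""
    check_before_send(msg, members)
    with smtplib.SMTP(host, port) as smtp:
        # send_message() delivers to To/Cc/Bcc but strips the Bcc header.
        smtp.send_message(msg)


if __name__ == "__main__":
    unsafe = build_unsafe_message(GROUP_ADDRESS, MEMBERS, "Newsletter", "Hello all")
    safe = build_safe_message(GROUP_ADDRESS, MEMBERS, "Newsletter", "Hello all")
    print("unsafe message discloses:", disclosed_members(unsafe, MEMBERS))
    print("safe message discloses:  ", disclosed_members(safe, MEMBERS))
    print("safe message delivers to:", check_before_send(safe, MEMBERS))
```

Ordinary mail clients behave the same way as `send_message()`: addresses in Bcc are used for delivery but never appear in the headers other recipients receive. The check guards only against the mistake the guidance describes (members placed in To or Cc); a mail-merge tool that sends one separate email per member avoids the problem entirely.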

Two specific tasks that groups must do in their management of data are:

  • Adopt a data protection policy and ensure that all trustees are familiar with it. A template policy can be found here.
  • Include a privacy notice on any forms where people are providing their personal details to the group – for example, where people are signing up as members of the group. A suggested wording for this is as follows:

“The personal information you provide on this form will only be used to [add what you’ll use the information for]. It will not be used for any other purpose or shared with any third party. You can ask for your personal data to be removed from our records at any time and it will be deleted / destroyed. Your data will not be kept for any longer than is needed.”

The above is a summary of the key GDPR points that community groups should be aware of. It is recommended that you visit the ICO website for more guidance on the topic of GDPR.