Book contents
- Frontmatter
- Contents
- List of Acronyms
- List of Figures and Tables
- List of Case Studies
- Introduction
- 1 Copyright and Related Rights
- 2 Data Protection
- 3 Freedom of Information
- 4 Governance, Audits and Risk Assessment
- 5 Policies
- 6 Procedures: Copyright and Related Rights
- 7 Procedures: Using and Negotiating Licences for Access to Information Resources
- 8 Procedures: Data Protection and Freedom of Information
- 9 Tools and Templates
- 10 Awareness and Engagement
- 11 Some Speculations About the Future
- Appendix 1 Carrying out an Information Asset Audit
- Appendix 2 Sample IP Policy
- Appendix 3 Sample Data Protection Policy
- Appendix 4 Possible Contractual Terms for Online Access to Database Service
- Appendix 5 Data Protection Privacy Notice Template
- Bibliography
- Index
8 - Procedures: Data Protection and Freedom of Information
Published online by Cambridge University Press: 29 July 2020
Summary
Introduction
Organisations in the UK must handle personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), which is embodied in the Data Protection Act 2018. The Act ensures that the GDPR principles will remain in force if and when the UK leaves the EU. Organisations collect and process personal data about staff and individuals who interact with the organisation in some way, including customers, users, partners, contractors and visitors. LIK services also handle personal data and therefore must comply with data protection law. LIK services will hold personnel records, user and borrowing records, catalogue records about living individuals and possibly archives containing personal data. Research data repositories may also contain personal data.
Processing of personal data must be carried out in accordance with the data protection principles. These principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability (General Data Protection Regulation, art. 5). Some of the data processed by libraries will be sensitive in nature, that is, special category data under data protection law (General Data Protection Regulation, art. 9(1)). For example, health libraries or libraries in institutions where medical research is carried out may process several types of special category data, including health; race; ethnic origin; genetics; sex life or sexual orientation. Additional conditions must be fulfilled to process this category of data to make it lawful. Children are also afforded specific attention under the GDPR (recital 38), which is relevant to school, college and public libraries in particular.
Data protection law allows archiving of personal data for certain purposes and data sharing for research purposes in certain circumstances. This is possible because of exemptions to some of the data protection principles that govern the processing of personal data. The principles that are particularly relevant to archiving personal data and making it available for research purposes are purpose limitation and storage limitation. There are circumstances where further processing for archival and research purposes is lawful, for example in the case of research data where the data subjects have consented to this storage and further processing. In other circumstances, processing must conform to the requirements of the relevant exceptions and this has implications for procedures.
- Type: Chapter
- Information: Information Law: Compliance for Librarians, Information Professionals and Knowledge Managers, pp. 107-122
- Publisher: Facet
- Print publication year: 2020