SHARE Museums East

What on earth is GDPR and how does it affect you?

23 Oct 2017
sharemuseum

This blog is brought to you by Eleanor Root, the Museum Development Officer for Essex, who attended the SHARED Enterprise Data Savvy Fundraising event at Ipswich Museum on 18th October. Although the Association of Independent Museums will be publishing further GDPR guidance shortly, Eleanor wanted to share a few tips to get you thinking about the changes you might need to make before the new legislation comes into force on May 25 2018.

First, the lingo…

Glossary:

GDPR – General Data Protection Regulation, legislation for how we process and store data about people

PECR – Privacy and Electronic Communications Regulations 2003, additional governance for electronic communications including emails, text and mobile phone calls

Data Subject – the person who the data is about

Data Controller – the individual or organisation that is in control of who processes data and why the data is processed (e.g. trustees, museum employees)

Data Processor – the individual or organisation tasked with processing the data on behalf of the Data Controller (this would exclude museum employees but includes volunteers)

Personal Data – defined as “Any information relating to an identified or identifiable natural person.” This means data or combinations of data from which a person (not organisation) can be identified

Sensitive Personal Data – personal data which relates to an individual’s race/ethnicity, religious beliefs, political opinions, mental/physical health, sex life, criminal history or trade union membership

ICO – Information Commissioner’s Office, the UK’s independent data protection regulator

How will it affect you?

General Data Protection Regulation (GDPR) comes into force on May 25 2018 with no transition period. This legislation protects all kinds of personal and sensitive personal data and has been adopted by the UK through the Data Protection Bill, so it will not be affected by Brexit.

This means that all data you hold about people will have to meet this new standard or be deleted. BUT don’t panic! With a few straightforward steps you will be able to meet this new standard.

What’s it all about?

If you hold data about a person they have the right to know what data you have, access the data, rectify incorrect data, delete all data about themselves, restrict your use of their data, obtain and reuse data and refuse consent to use their data.

The key principles are that data should be:

  1. Accurate and kept up to date
  2. Kept for no longer than is necessary for the purpose it was collected
  3. Processed in a way that ensures appropriate security

The Data Controller (i.e. your museum) is responsible for ensuring that these requirements are met. In order to demonstrate that you are meeting the requirements of GDPR you must:

  1. Implement appropriate measures to ensure you comply with legislation
  2. Keep a record of how you’ve processed data
  3. If appropriate, appoint a person responsible for ensuring compliance (only appropriate for larger organisations)

There are different legal conditions that allow organisations to hold and process personal data but the main two that apply to museums are consent and legitimate interest.

Consent

Consent means that the person has explicitly agreed to you holding their data and using it for specific purposes. Consent has to be used for emails, text messages, mobile phone calls, house phone calls if the person is listed on the Telephone Preference Service, and for processing sensitive personal data (see glossary).

Consent must be:

  1. freely given (you can’t offer incentives or force someone)
  2. specific to how you plan to use their data
  3. informed
  4. unambiguous
  5. clear, affirmative action (i.e. you can’t use ‘opt out’ options)
  6. demonstrable (you must be able to prove that the person gave their consent if asked)

Consent doesn’t necessarily last forever and should be refreshed at appropriate intervals. The GDPR doesn’t give an exact time frame, but every 24 months is recommended. Consent expires when the purpose for which you collected the data ends. For example, if you hold someone’s details because they’re a volunteer, when they stop volunteering you must delete the data, unless you request permission to keep the data for another reason.

Example consent form (image not reproduced here)

(From ‘A practical guide to lawful fundraising for arts and cultural organisations’, June 2017, by BWB and ACE; see the link at the end of this post.)

Data you have previously collected must meet this new standard. If it does not, you can ask for consent or you must delete this data. There is no such thing as implied consent.

Legitimate Interest

Please note that any local authority or university museums cannot use Legitimate Interest as a reason for holding personal data. This is explicitly banned in the GDPR.

Organisations that are not managed by a local authority or university can use Legitimate Interest to justify handling data without consent when the data processing is ‘necessary’ for the legitimate interest of the data controller (i.e. the museum). Your organisation has a necessary legitimate interest when using the data achieves an organisational objective (this is vague and will probably be tested in court).

Before you use Legitimate Interest you must ask yourself:

  1. Why is this activity important?
  2. Is processing the data the only way of achieving your ‘necessary’ objective?
  3. If processing the data isn’t the only way to achieve the objective, why do you believe that handling the data is the most appropriate approach?

Whether or not you can use Legitimate Interest depends on the ‘reasonable expectation’ of the individual when they gave you the data. You must consider:

  1. What is the direct impact on the individual?
  2. Are the consequences for the individual positive?
  3. Is there a link between the original purpose that the data was given and how you want to use the data?
  4. What kind of data is being processed?
  5. Could your use of the data be considered obtrusive?

For example, if someone agreed to give you their address when they donated an object they might expect that you would contact them to ask a question about the object but they might not expect you to post them leaflets about all your museum events.

People can opt out of allowing you to use their data for legitimate interest.

You cannot use Legitimate Interest to contact people via email, text message or mobile phone call as this is governed by the PECR legislation. You can use Legitimate Interest to contact people by post or home phone call (provided their number isn’t listed on the Telephone Preference Service).

Privacy Policies

If you haven’t told someone how you’re going to use their data, you probably can’t use it. Your privacy policy sets out how you will use their data. A privacy policy should include:

  1. Who you are (identity and contact details of Data Controller)
  2. Why you want their data
  3. The legal basis for processing the data
  4. Who the data will be shared with
  5. How long the data will be held
  6. The person’s rights
  7. The right to withdraw consent
  8. The right to complain to the ICO
  9. The source of the data (if it’s not being provided by the person)
  10. Any automated data handling (for example wealth screening for fundraising purposes)

This is a lot of information for a person to take in! You might give this information at the point of consent being given, and it could be a link from your consent form (if you’re doing it online). This would look something like this:

Example privacy statement (image not reproduced here)

(From ‘A practical guide to lawful fundraising for arts and cultural organisations’, June 2017, by BWB and ACE; see the link at the end of this post.)

You can see examples of good and bad privacy policies if you click here.

What do you need to do?

  1. Don’t ignore it!
  2. Don’t work alone – make sure your whole team is on board
  3. Do audit your use of data
  4. Do write or review your privacy policy
  5. Do keep a record of your decisions

Need more information?

https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-in-practice/

http://www.artscouncil.org.uk/sites/default/files/download-file/A%20Practical%20Guide%20to%20Lawful%20Fundraising.pdf – practical examples of consent and privacy policies

https://2040infolawblog.com/
