Archives and Data Protection
Archives and Data Protection
Data protection law applies to the personal information of living individuals contained in records held in an archive. The law applies to digital information and to information held in some manual filing systems.
The General Data Protection Regulation (GDPR) recognises that there is a public interest in permitting the permanent preservation of personal data for the long-term benefit of society where relevant, and the GDPR and Data Protection Act 2018 provide an exemption for processing for ‘archiving purposes in the public interest’. Safeguards which minimise any adverse impact on living individuals must be met in order to use this exemption.
Public access to personal data held in an archive, particularly if the information has any sensitivity, will generally only be possible once the people concerned are dead, but earlier access may be possible if the use is fair to the individuals in the records.
Guide to archiving personal data
The National Archives, in conjunction with government archiving policy leads, including National Records of Scotland, and the Archives and Records Association, has prepared a guide to assist those working with the provision and exemptions for archiving found in the new data protection law.
The guide has now been published in its final version following a period of public comment.
The National Archives has published further guidance, including frequently asked questions, about data protection law in the UK and how it affects archives.
The European Archive Group (EAG) has also published guidance on data protection which is intended to help archives services in Europe apply the GDPR.
NRS archival collections
NRS processes records involving personal data for archiving purposes in the public interest. The Keeper of the Records of Scotland is the data controller of personal data in record collections which have been purchased by or gifted to NRS. More commonly, record collections are not owned by NRS, but have instead been placed on indefinite deposit in the national archives. The Keeper acts as data processor for personal data in these record collections, while the depositor remains data controller. Additionally, where a body that deposited records is now defunct and a successor body cannot be identified the Keeper will take on the role of data controller. Our online public catalogue will usually indicate whether a collection has been purchased, gifted or is held on deposit. If you would like more information about who is the data controller of a specific record then you are welcome to contact our Data Protection Officer.
We ensure that when personal data is processed for archiving purposes the appropriate safeguards under Article 89(1) of the GDPR and Section 19 of the Data Protection Act 2018 are met.
Records involving special categories of personal data are closed for the lifetime of individuals which is assumed to be 100 years. Records containing other types of personal data may be closed for shorter periods.
We respect the principle of data minimisation and restrict entries containing personal information from our public access catalogues and finding aids.
Access to personal data in archival records
Our fact sheet on Research use of personal data in archival records provides guidance on the terms of access and the responsibilities of researchers. Researchers are required to sign an undertaking that they will comply with their obligations under data protection laws.
If you have any concerns that access to a record containing personal data is unlawful then you can make a request that the record be withdrawn from public access. Our Records Reclosure and Takedown Policy explains how you can submit a request and how a decision on reclosure, extended closure and/or takedown from our public websites is reached.
Freedom of Information and Data Protection
The Freedom of Information (Scotland) Act 2002 (FOISA) provides a general right to information from Scottish public authorities, including information in archival records transferred to NRS. Section 38 of FOISA regulates the relationship between FOISA and data protection law and provides for exemptions from disclosure. Section 38(1)(a) exempts the personal data of the person requesting the information from disclosure because they have a right of access instead under Article 15 of the GDPR. Section 38(1)(b) exempts the personal data of a third party in order to protect the individual’s privacy. These exemptions have been applied to many of our archival records.
Further guidance about how data protection law applies to the wider functions NRS carries out can be found on our main data protection page.
NRS Data Protection Officer
HM General Register House
2 Princes Street
Tel: 0131 535 1314