Museums seek clarification on new data protection laws

Issues include exceptions for research and archiving, and limiting fines for public bodies
Jonathan Knott
Museums are seeking clarification from the government about how planned changes to data protection laws will impact their work.

The Department for Digital, Culture, Media and Sport (DCMS) published a statement of intent last week committing to a new Data Protection Bill.

The bill, which will bring the EU’s general data protection regulation (GDPR) into UK law, will give people more rights over their personal data. Its measures will include imposing stricter requirements around asking for consent before processing people’s data. It will also give people the “right to be forgotten” by allowing them to ask organisations to erase data it holds on them.

Organisations that fail to comply with the law will face fines of up to £17m, or 4% of their global turnover, from the Information Commissioner’s Office (ICO). The maximum fine the ICO can currently issue is £500,000.

A number of museums and other cultural heritage institutions, including the National Portrait Gallery, the Natural History Museum (NHM) and Imperial War Museums, responded to a “call for views” on the GDPR held by DCMS in April and May.

The institutions sought clarity on a wide range of issues including whether there would be a limit on how much public institutions can be fined, and what exceptions will be made for research and archiving purposes.

Another concern was which areas of museum work will be considered to be carried out in the public interest, because this has an impact on data protection obligations.

In its submission to DCMS, the NHM suggested that “any fines levied on public authorities should be proportionately reduced or minimised”.

The museum also argued that it was essential to clarify how activities including marketing, funding and retail would be categorised.

The NHM said that unless there is clarity on this issue, the legislation will “attract numerous costly, burdensome and unnecessary legal challenges and have a significant financial impact on museums”.

Similar concerns were raised by the National Portrait Gallery, which also sought clarification on the "right to be forgotten", giving the example of when personal data has been provided in relation to gift aid.

"As a public body we have a retention schedule in place to keep financial records for 6+ years. We wouldn’t be able to remove all personal data within that period of time according to our retention schedule," said the submission.

A spokeswoman for the National Portrait Gallery said that as well as responding to the consultation, the institution had been working closely with the National Museum Directors’ Council (NDMC) to raise concerns jointly shared by a number of museums and galleries.

“NMDC are now in contact with DCMS in order to continue dialogue and seek further clarification on the bill on behalf of the sector and we will await the outcome of these discussions,” said the spokeswoman.

It is understood that the National Museum Directors’ Council will write to the minister for digital, Matt Hancock regarding the bill.

And the Cultural Heritage Institutions Privacy Alliance (CHIPA), a recently-formed informal association of privacy and data protection practitioners, advocates and advisers from UK cultural organisations, has already written to Hancock.

Its letter sets out several points it believes need to be addressed in the bill “to protect the role of cultural heritage institutions and their stakeholders and users”.

CHIPA member Ben White, who works in the library sector, told Museums Journal that the bill would have different implications for public bodies and private companies.

“Organisations need to have certain grounds for using personal information, and it will be important for publicly funded organisations to establish what their grounds are, because as the GDPR is drafted they will not be able to rely on all the grounds they used to be able to,” he said. 

He added that while DCMS appeared open to dialogue, it was not a time for cultural heritage organisations to rest on their laurels, particularly since attitudes towards data protection had changed following revelations of government surveillance programmes by Edward Snowden in 2013.

“The legal environment post-Snowden has changed and therefore it is more important than ever for cultural heritage institutions to be seen to be protecting people’s personal data while also facilitating research and access to knowledge,” he said. 

Leave a comment

You must be logged in to post a comment.