Gwenan Hine's, Head of Compliance, Bangor University. CILIP Ireland Open Day 2017

1. Data Protection and GDPR

2. Starting point …
• How does data protection impact on your work?
• What do you think are the current data protection related challenges
within your library service?
• Do you know where to go within your organisation for more
information on data protection legislation?

3. Reminder: Data Protection Act 1998
The Data Protection Act 1998 is a law which protects personal information
(personal data) about individuals*, and sets out how such information can be
legally collected, used and stored by organisations.
*Depending on the organisation individuals can be members of the public,
members of staff, students, patients, alumni, research subjects etc.
Balance: Data v Privacy

4. General Data Protection Regulation (GDPR)
At the end of 2015, the European Parliament and Council agreed a final draft of a new General Data
Protection Regulation (GDPR) which will apply in the UK and EU member states from 25 May 2018.
The main aims of the GDPR involve improving consumer protection and general levels of privacy for
individuals, along with mandatory reporting of data protection breaches and an increased emphasis on
gaining explicit consent to process information.
Both the UK and the Republic of Ireland will replace their current Data Protection Acts in the next few
months, and the drafts are currently going through relevant parliamentary processes.
Organisations should start to look at their data protection compliance activities to ensure they will be
compliant with the GDPR when it’s provisions are transferred into new data protection acts by May 2018.

5. Scope of current legislation
• Paper : information held in manual form or printed out from an electronic format
• Electronic : e mails, databases, spreadsheets and reports
• Photographs: Marketing photographs, ID Cards and Passes;
• CCTV images (both central CCTV system and any localised systems / webcams)
• Publications: Marketing / information brochures with photographs
• Web pages
GDPR: all of the above plus information which may be associated with online identifiers provided by
devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or
other identifiers. This may leave traces which, in particular when combined with other identifiers
and information received by the servers, may be used to create profiles of the individuals and
identify them.

6. Personal Data
Personal data (personal information) is any data which relates to a living individual (a “data
subject”), who can be identified
- From the data
- From the data and other information which is in the possession of, or likely to come into the
possession of an organisation
This data would include any expression of opinion about the individual and any intentions
which the organisation (or another person) has in respect of this individual
GDPR this definition is simplified and will be
- Any information relating to an identified, or identifiable natural person (the data subject).

7. Grounds for Processing Personal Data
Consent
This will be broadly the same as the requirement under current legislation. However GDPR has a
narrower view of what constitutes consent. Consent must be a freely given, specified, informed and
unambiguous indication of an individual’s wishes.
There must be some form of clear affirmative action – a “positive opt in”, consent cannot be inferred
from silence, pre-ticked boxes or inactivity
Necessary for the performance of a contract with the data subject or to take steps to prepare for a
contract
Necessary for compliance with a legal obligation

8. Grounds for Processing Personal Data
Necessary to protect the vital interests of a data subject or another person where the data subject
is incapable of giving consent
This condition is very tightly drafted, and can only be relied upon when there is no other available
grounds for processing the data, e.g. for medical emergencies.
Necessary for the performance of a task carried out in the public interest or as a consequence of an
official authority vested in the institution
Necessary for the purposes of legitimate interests
This condition is in the current legislation, but will not be available for public authorities post May
2018.

9. Special categories of data
Under current legislation special categories of data (known currently as “sensitive personal data”) are:
• the racial or ethnic origin of the data subject;
• political opinions;
• religious beliefs or other beliefs of a similar nature;
• whether they are a member of a trade union;
• physical or mental health or condition;
• sexual life;
• the commission or alleged commission of any offence; or
• any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or
the sentence of any court in such proceedings.
GDPR: Special Categories of Data
the definition will include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union
membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual
orientation.
There will also be separate but more stringent controls over criminal convictions data

10. Grounds for Processing Special Categories of Data
Explicit consent -The same stringent consent threshold is required - freely given, specified, informed and unambiguous
indication of an individual’s wishes. How can you ensure the individual is informed?
Necessary for obligations under employment, social security or social protection law, or a collective agreement - This is
a wider definition than within current legislation
Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving
consent - This condition is very tightly drafted, and can only be relied upon when there is no other available grounds for
processing the data, e.g. for medical emergencies
Data made public by the data subject
Necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity -
This is a wider definition than within current legislation

11. Grounds for Processing Special Categories of Data
Necessary for reasons of substantial public interest
Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the
employee, medical diagnosis, the provision of health or social care or treatment or management of health or
social care
Necessary for reasons of public interest in the area of public health
Necessary for archiving purposes in the public interest, or scientific and historical research purposes or
statistical purposes - This is a new condition under the GDPR and provides that sensitive data can be processed
for the purposes of archiving, research and statistics.

12. Data Protection Principles
In the GDPR, and therefore in the new data protection legislation there will be 6 principles (as opposed to the current 8)
Data processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and transparency')
Currently organisations are required to process the data fairly and lawfully. The inclusion of the principle of transparency is a new provision.
Data obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Current legislation places similar restrictions on processing of data, the GDPR provisions include processing for public interest and/or scientific purposes, widening the
scope for further processing.
Data processed is adequate, relevant and limited to what is necessary
Current legislation uses the term excessive, the GDPR requirements take the opposite view and only permits processing of data that is necessary.
Data is accurate and, where necessary, kept up to date
No change
Data should not to be kept longer than is necessary for the purpose
Currently organisations can keep information “as long as is necessary”, with exceptions for statistical or historical purposes where the data can be kept indefinitely.
GDPR expands the list of exceptions permitting the storage of data for longer periods where the data is being processed for archiving purposes in the public interest
and/or scientific purposes, in addition to the statistical or historical purposes.
Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction
No change
Principles 6 and 8 in current legislation (data subject access rights and international transfers) are dealt with elsewhere in the new legislation

13. Data processed lawfully, fairly and in a transparent manner
“Lawfully”
Consider what are your grounds for processing both personal data and the special categories of data. There is no
grounds for “it may be useful”.
“Fair”
Remember that if you are relying on consent it must be a freely given, specified, informed and unambiguous
indication of an individual’s wishes.
Ensure there is a form of clear affirmative action – a “positive opt in”. Consent cannot be inferred from silence, pre-
ticked boxes or inactivity
“Transparent”
Look at your privacy notices, are they comprehensive and clear?
Where is the information located? Can the individual reasonably be expected to locate the privacy notice, and to
make an informed decision to grant consent (where necessary)? Are you informing the individual why you are
collecting the data, and what grounds you are relying on? (i.e. if you are not relying on consent what are you relying
on, make this clear)

14. Data obtained for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes
Decide what is your basis for collecting the personal information and make this known to the
individuals concerned e.g. in any T&Cs, on your website, in any literature.
Make sure you have a clear privacy notice in place and that the web site privacy statement is explicit
with regard to use of the data. This is essential in order to ensure specified, informed and
unambiguous consent
Remember you cannot use information collected for one purpose for a different purpose without
gaining further consent

15. Data processed is adequate, relevant and limited to what is necessary
Only collect and use what you need and importantly, only what is compatible with the reasons and
purposes which the individuals were informed of, or the purposes for which you are legally entitled
to hold the information.*
*Always refer back to your privacy notice
Importantly don’t collect (or hold) any data “in case it might come in handy”

16. Data is accurate and, where necessary, kept up to date
Organisations have a responsibility to make sure that any personal data, or special categories data
collected is recorded accurately.
The individual then needs to notify organisations of any change in their data.
However, best practice suggests organisations should check periodically to make sure the data held
is still up to date
If notified of any changes every reasonable step must be taken to ensure that this is erased or
rectified without delay, and in any event within a month of receiving the request

17. Data should not to be kept longer than is necessary for the purpose
Organisations only have the right to hold data as long as it’s needed for the purpose notified to the
individual (this could also mean holding it in the archive as set out in the any retention schedule)
Once the purpose is no longer valid or the retention date has passed then the organisation should
not continue to hold the information
Organisations have a legal responsibility to make sure that the information is held securely, and that
it is securely disposed of at the end of the retention period

18. Appropriate technical and organisational measures against unauthorised or unlawful
processing, loss, damage or destruction
Personal and special categories data must be kept secure. The information must only be available to
those with a right to see it.
Matters to consider:-
• Transferring information from one section / function / department to another, or transferring externally – it’s
sometimes essential to do this. But consider what information actually needs to be transferred, to whom and how
is it possible to ensure the confidentiality and the security of the information
• Information is disclosed to members of staff in order for them to carry out their specific roles. This information
should not under any circumstances be disclosed or handed over to anyone other than those with a need to see it
• Staff must be careful with memory sticks, laptops and other portable media – use encryption / passwords etc.
Consult your Information Security Policy.

19. Principles of Information Security
Paper records
Appropriate storage for paper / manual records would include:
• Locked metal cabinets with keys limited to authorised staff only;
• Locked drawer in a desk (or other storage area) with keys limited to authorised staff only;
• Locked room accessed by key or coded lock where access to the key/code is limited to authorised staff only;
Appropriate disposal for paper / manual records would either be:
• Secure disposal via an accredited confidential waste disposal company
Or
• Shredding (best practice would suggest use of a cross-cut shredder)

20. Principles of Information Security
Electronic records and Database Systems
• Never disclose your password
• Ensure your password is robust – change it regularly
• Always log off, or lock a workstation before leaving it
• When working on confidential work and / or work involving personal data make sure no one else can read your
screen
• Protect equipment from physical theft (especially laptops and memory sticks)
• Store all records on the appropriate organisational network so that it is backed up regularly
• Remember to back up and secure work mobile devices (laptop / phone) as well
• When sending emails internally or externally it is essential to check that the appropriate recipient has been
selected, before sending the message
• Particular care is required when forwarding emails, in particular ones with attachments so that information is
only sent to people with a real ‘need to know’. Before forwarding attachments at all you should check that the
information is not available to them by other secure means.
Remember the same retention guidelines apply to records held electronically and in paper / manual format

21. GDPR: Individual Rights
• The right to be informed (privacy notice)
• The right of access (subject access request)
• The right to rectification (if data is inaccurate or incomplete)
• Organisation must respond to this request within a month, if rectification isn’t possible the individual must receive an
explanation as to why that is
• The right to erasure (the right to be forgotten)
• This does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to
prevent processing in specific circumstances:
• Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed, when the individual withdraws
consent, or objects to the processing and there is no overriding legitimate interest for continuing the processing.
• The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR), or it has to be erased in order to comply with a legal obligation.
• The right to restrict processing
• Where an individual contests the accuracy of the personal data, where an individual has objected to the processing and the
organisation is considering their legal reason for processing, where processing is unlawful and the individual opposes erasure
and requests restriction instead, where the organisation no longer need the personal data but the individual requires the data
to establish, exercise or defend a legal claim.
• The right to data portability
• Organisation must respond within a month. Allows individuals to move, copy or transfer personal data in order to obtain and
reuse for their own purposes across different services.
• The right to object (e.g. to direct marketing)
• Rights in relation to automated decision making and profiling
• Establishes safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
Organisations should identify whether any processing operations constitute automated decision making and consider whether
appropriate procedures are needed to deal with the requirements of the GDPR.

22. The right to be informed
The GDPR requires organisations to be transparent and to provide accessible information to individuals
about how their information will be used. The usual way in which to provide this information is through
the use of a “privacy notice”. The term “privacy notice” is used to describe all the different ways in which
an organisation can provide privacy information to individuals – on the web, in any literature etc.
The starting point of a privacy notice should be:
• who are the organisation;
• what is the organisation going to do with the individual’s information;
and
• who will it be shared with
Also consider why you need to collect the information (are there any consequences if the information is
not given?), how long will the information be kept for (retention), what are the procedures for individuals
who wish to withdraw consent (where consent is being relied upon), what are the procedures for
requesting a copy of their data etc.

23. The right of access
Individuals have the right to find out what information is held about them within organisations
In order to make a request to see / obtain a copy of the information an individual should make a
request in writing
There is no charge for making the request, and the request must be dealt without delay, and at the
latest within one month of receipt of the request*.
*Under current legislation organisations can charge a £10 fee, and the legal compliance date is 40 calendar days

24. Children’s Personal Data
The GDPR contains new provisions intended to enhance the protection of children’s personal data.
Privacy notices for children
Where services are offered directly to a child, organisations must ensure that the relevant privacy
notice is written in a clear, plain way that a child will understand.
Online services offered to children
Proposals in relation to online services would mean children aged 13 years old or above would be
able to consent to their data being processed. For children under 13 years old their parents or
guardians would need to consent. Withdrawing consent will also be simplified for children.

25. Transfer of data outside the European Union
Organisations can transfer data outside the European Union where the receiving organisation has provided adequate safeguards.
Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.
Examples of adequate safeguards would be:
• a legally binding agreement between public authorities or bodies;
• binding corporate rules (agreements governing transfers made between organisations within in a corporate group);
• standard data protection clauses in the form of template transfer clauses adopted by the Commission;
• standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the
Commission;
• compliance with an approved code of conduct approved by a supervisory authority;
• certification under an approved certification mechanism as provided for in the GDPR;
• contractual clauses agreed authorised by the competent supervisory authority; or
• provisions inserted in to administrative arrangements between public authorities or bodies authorised by the competent
supervisory authority.
Any current data protection clauses which are put into contracts will need to be updated to ensure they remain compliant with the
GDPR requirements and new data protection legislation.

26. Personal or Special Categories Data Breach
The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant
supervisory authority, and in some cases to the individuals affected.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data / special categories data.
Organisations will have to notify where the breach is likely to result in a risk to the rights and freedoms of
individuals, and must do so within 72 hours.
Failing to notify a breach when required to do so can result in a fine, as well as a significant fine for the breach
itself … up to 10 million Euros or 2 per cent of an organisation’s global turnover, and for very significant
breaches up to 20 million Euros / 4% of global turnover.
(Under current legislative provision the maximum fine is £500,000, and mandatory reporting is only required in
certain sectors.)

27. When should you notify?
Organisations should notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of
individuals. The individuals themselves will also need to be notified in certain cases.
Whether to notify or not has to be assessed by the organisation on a case by case basis, although it is expected that organisations will issue
staff with an internal breach reporting procedure.
Issues to consider – would the breach have a significant detrimental effect on the individuals affected – e.g. result in discrimination, damage to
reputation, financial loss, loss of confidentiality, identify theft or any other significant disadvantage.
The UK Information Commissioner’s Office guidance states that when reporting a breach to them they would expect the following information
to be shared:
• The nature of the personal data breach including, where possible the categories and approximate number of individuals concerned;
and
• the categories and approximate number of personal data records concerned;
• The name and contact details of the data protection officer or other contact point where more information can be obtained;
• A description of the likely consequences of the personal data breach; and
• A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the
measures taken to mitigate any possible adverse effects.

28. Staff Responsibilities
Staff (including e.g. volunteers, external members of committees and contractors) have a
responsibility to ensure that personal data:
• is kept on a need to know basis, treated sensitively and disposed of securely;
• is not disclosed, orally or in writing, intentionally, or accidentally, to any unauthorised member of staff or external
third party
If you need to share personal data with another member of staff, or with an external third party,
make sure that you have satisfied yourself that they have the right to know the information, and if
they have that you have made them aware of the need for confidentiality.
Compliance with data protection legislation is both a personal and an organisational responsibility

29. Case Studies

30. Case Study 1
You’re asked to organise an event in your library, involving members of staff
from your organisation, and also members of the public. The local press
might also send a photographer
• Attendance at the event will be via registration from an online website
• You are asked to keep an attendance list on the day, indicating who has / hasn’t
attended
• You’re asked to set up a database of those who’ve attended, but also those who
haven’t, and make them aware of follow up events occurring in the next few months
What are the data protection challenges you face?
Are there any additional GDPR challenges?

31. Case Study 2
Your library service is moving to a new building, the library desk is located in a large
open plan area where library users are also encouraged to make use of the flexible
learning space.
Desk services staff place reserved items on trolley located nearby, each book
having the reservation slip (which contains the name of the patron, their email /
telephone number) placed into the book with the details visible.
A library user, who has reserved a book, complains that their personal data is
available so publically
How will you respond to the library user?
Are there any additional GDPR challenges?

32. Case Study 3
Your library service has agreed with the local high school that pupils revising
for their GCSE and A level examinations can use the library after school to
access online resources, to borrow books and to revise
The agreement is well used by pupils from the school, who appreciate having
access to the resources and having the ability to borrow books
A parent approaches the library desk requesting a print out of all the books
their child has taken out of the library, and also all the resources they have
accessed on line. They maintain they have a right to this information as their
child is under 18
What are the data protection challenges you face?
Are there any additional GDPR challenges?

33. Case Study 4
A user comes to the library desk and reports that two other library users are involved in a heated argument in a
corridor outside one of the reading rooms. You make your way to the location and on arrival realise the
argument has now turned into a scuffle. In the meantime another user has called the Police and they are soon
on site, taking both individuals out of the library for a discussion.
A few minutes later a police officer comes back into the library and requests information, explaining that both
involved are accusing the other of starting the argument, the root of which is unexplained.
The police request that you give them:
• Name, address and contact details of both individuals
• Frequency of their visits to the library
• Internet history for both
• Name, address and contact details of all witnesses
• CCTV images showing the argument, and anything leading up to this point
What are the data protection challenges you face? What “evidence” do you have, and would you share it?
Who would you report this incident to?
Are there any additional GDPR challenges?

34. Case Study 5
Your library has bought an integrated library management system which works seamlessly with all
other databases held by your organisation. This means you have a large amount of data on your
library users, fed through from other systems, but also historical data (borrowing record etc.)
transferred from your old system.
• What are the data protection challenges with this?
• How can you ensure your data is kept up to date?
• How long should you keep the data?
A user comes to the library desk one day and exercises their right to erasure (to be forgotten), they
want everything about them deleted
• What are the challenges in complying with this request?
• Can you comply in full or are the legitimate reasons why you need to keep some information?*
• * Remember that Article 21 of the GDPR states that the onus is on the controller to show "compelling legitimate grounds" as to
why the processing should continue

35. Final thoughts ….. Things to do now
1. Raise awareness of the changes amongst your staff
2. Consider what information you hold, and identify your lawful basis for processing the
information
3. Look at your Privacy Notices, and include updated information
4. Are you able to deal with the changes in individuals’ rights?
5. Do you handle your own subject access requests, if not find out who does
6. Do you rely on consent to process information, and if so how will you ensure you comply with
the more stringent requirements? Think about what needs doing both for current information
and in the future
7. Do children use your services? Consider what information needs to be provided to them
8. Are you familiar with your organisation’s data breach procedure
9. Data Protection by Design – build this into your processes especially with new technology
projects
10. Who is your Data Protection Officer? It will be mandatory to have a DPO after May 2018