New Data Protection Acts (2018) in the UK, Republic of Ireland and some UK dependencies come into force on 25 May 2018. The Acts implement the EU-wide General Data Protection Regulation (GDPR). Although the UK will be leaving the EU and will then become a ‘third country’ under GDPR, current guidance is that it will continue to observe the fundamentals of the new Regulation. The Archives and Records Association (UK & Ireland) – the ARA or ‘the association’ – will interpret the new legislation in this way until such time as divergence in case law in the EU and/or the UK or future legislative changes require us to do otherwise.
The new Acts extend the definition of personal data into new areas that reflect the digital and other technological realities of the 21st century. As the ARA is a professional membership body, the vast majority of personal data it controls and processes will remain the minimum needed to deliver contracted services. As under previous data protection regimes, this will be limited to: members’ email and physical address details, phone numbers, dates of birth, salary information (to ensure members only pay the annual membership fee appropriate for their income level) and information such as bank and credit/debit card details if members choose to pay their membership fees in this way.
What this means for you as a member
The new legislation replaces previous data protection acts. It broadens the definition of what counts as your personal data, recognises increased rights for data subjects (you as an individual) over their personal data and places more obligations on organisations holding your personal data. One of the rights is a right to be informed, which means we have to give you even more information than we do now about the way in which we use, share and store your personal information. You also have the right to have your personal data corrected or erased and to withdraw your consent for us to hold it at any time. Details on how to do this are set out below.
Where we archive any ARA information for future statistical or historical research purposes, which may include personal data, we will do so in conformity with the derogations in Article 89 of the GDPR and the provisions of the new Acts.
Legal Bases for Processing Personal Data
The ARA’s principal legal bases for processing personal data of members and ARA staff are explicit consent – through our membership application and annual renewals process – and meeting the requirements of a contract (provision of clearly-identified employer-employee and membership services). We may also rely on the legitimate interests basis for managing the personal data of the ARA’s five salaried staff.
Our membership forms make clear to prospective and renewing members what the explicit consent entails (including, for example, sharing with third parties, how long we will keep members’ data for, and the right of members to change their minds). Further details on these legal bases and what they mean can be found on the UK Information Commissioner’s website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ The ARA employee handbook is being amended to explain formally how the association will process staff personal data.
The ARA is the sole data controller and processor of ARA members’ and ARA staff personal data. Where we work and provide services in partnership with external organisations – eg, suppliers, partners and clients – we will ensure that their privacy statements and policies match our own (see details in our privacy notice here).