Data protection policy statement
1.The scope of this policy statement
This policy statement sets out how Hall Of Fame Collection Archives implements the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), together referred to as the Data Protection Legislation, which came into force in May 2018. The National Archives collects and uses information about the people with whom it has dealings. Hall Of Fame Collection Archives also acquires information about others in the course of those dealings. These people – collectively called ‘data subjects’ - include its own staff, researchers and other users of its services, government departments and in a wide range of organisations and institutions, as well as contractors and suppliers of various kinds. The information can be factual information, such as name and address, or expressions of opinion about or intentions towards individuals. It can occur in any form or format: WORD documents; IT systems of various kinds – including websites, emails, index cards; paper files. Hall Of Fame Collection Archives also acquires responsibility for personal information in its archival holdings which, in some circumstances, are subject to parts of the Data Protection Legislation (see section 4).
This policy statement applies to all personal data acquired, held and used by all constituent parts of Hall Of Fame Collection Archives, Note that this includes personal data and personal data managed by third parties/contractors on behalf of Hall Of Fame Collection Archives.
2.Hall Of Fame Collection Archives’ commitment to data protection
Hall Of Fame Collection Archives is committed to whole-hearted compliance with the Data Protection Legislation. Hall Of Fame Collection Archives regards responsible handling of personal information as a fundamental obligation and one that is in keeping with its role as a leader in the information, records and archives community. To this end it endorses and adheres to the Data Protection Principles set out below.
Staff of Hall Of Fame Collection Archives are expected to do whatever is necessary to ensure compliance with the Data Protection Legislation, and in particular to follow our Data Protection Procedures.
3.The Data Protection Legislation
The 2018 Data Protection Act came into force on 23 May 2018. It superseded and extended the provisions of the Data Protection Act 1984 and the Data Protection Act 1998. The 2018 Act also supplements the General Data Protection Regulations of 2016 and has two aims:
to protect individuals’ fundamental rights and freedoms, in an increasingly data driven world, in respect of personal data processing.
to enable organisations to process personal information, with due regard for the rights and freedoms of individuals, in the course of their legitimate business
The Act and Regulations apply to any processing of personal information that could identify living individuals. Processing is the term used for virtually anything that can be done with or to recorded information, including acquisition, storage and destruction as well as active use. Hall Of Fame Collection Archives must have a legal basis for any processing of personal data that it undertakes.
Hall Of Fame Collection Archives will provide privacy information in the form of a Privacy Notice to individuals at the time we collect their personal data from them.
Individuals have the following rights:
The right, upon request and with proof of identity:
- to be informed whether information about them is being processed;
- to be given a description of the information the legal basis for and the purpose of our processing;
- to whom it may be disclosed;
- how long it will be kept for
- and to be provided with the information electronically in intelligible form free of charge.
The requested information will be provided at the latest within one month of receipt of proof of identity and any necessary clarifications as to the information required.
The right to request have inaccurate personal data rectified, or completed if it is incomplete.
The right to have their personal data erased in certain circumstances.
The right to request the restriction or suppression of their personal data in certain circumstances.
The right, based on the individual’s particular situation, to object to certain kinds of processing.
Hall Of Fame Collection Archives will consider requests to have personal data erased, or to restrict or suppress personal data in accordance with its Takedown and Reclosure Policy *ADD OUR LINK
Hall Of Fame Collection Archives processes personal data in accordance with the Data Protection principles, similar to those of the of the 1998 Act, unless the personal data is exempt. These Principles (which are set out in Article 5 of the GDPR) require that personal information is handled as follows:
(1) Personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the
data subject (‘lawfulness, fairness and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Article 5 also requires that the controller [Hall Of Fame Collection Archives] shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
As can be seen, these principles apply only in part to the archival holdings but for all other personal information, they must be adhered to.
There are sanctions to ensure compliance: has powers to enter premises where an offence under the Act is suspected of having been committed and to inspect or seize material. The right to prosecute offenders, including any third party processors of personal data, and compensation or fines may be payable. All breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that present a likely risk to people’s rights and freedoms will be reported within 72 hours of discovery.
4.Data protection and the archival holdings
The Data Protection Legislation permits the processing personal data for permanent preservation (including the special categories of personal data) without consent, where necessary for “archiving purposes in the public interest” subject to appropriate safeguards for the rights and freedoms of data subjects.
However, it applies only in part to personal information in records that are not sufficiently structured for specific information about specific individuals to be readily accessible.
Where personal information in archives is being processed solely for the purposes of archival preservation, and is not accessible to the public, Hall Of Fame Collection Archives can claim exemption, in accordance with Part 2 sections 19 and 25, and Schedule 2 Part 6 paragraph 28 of the Data Protection Act 2018 from most of the Data Protection Principles, and to some extent from the rights of individuals including the obligation to respond to access requests from data subjects. However, as a matter of policy, we will respond to access requests when an individual’s rights or entitlements seem to be at stake, in recognition of Hall Of Fame Archives’ role.
Hall Of Fame Collection Archives will consider requests to restrict or suppress personal data, that is in the archive, in accordance with its Takedown and Reclosure Policy.*Add our link
5.Data Protection Officer
Hall Of Fame Collection Archives has a Data Protection Officer, whose duty it is under the GDPR to assist Hall Of Fame Collection Archives to monitor internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects. The Data Protection Officer must be consulted at all stages of processing personal data.: for general data protection and information management matters; and for data security matters.