The National Archives’ adherence to the General Data Protection Regulations (GDPR)

FOI request reference: F0061542
Publication date: April 2020

Outcome
Successful

 

Request & response
What procedures and monitoring checks does TNA undertake to manage how it (as a Data Controller) adheres to the following GDPR principles in relation to its own physical and digital corporate records (not deposited archival records) that contain personal data:

– Accuracy
– Data Minimisation
– Storage Limitation

For the purposes of this FOIA request the interest is in the steps taken to implement (and ongoing) monitoring actions undertaken by TNA to ensure its own compliance with the aforementioned GDPR principles rather than just reference to its own governance documents (e.g. policies, retention schedule) that might make provision for adherence to these principles.

Data Minimisation
Please see the ‘Circumstances under which we might process your information’ in the Legal Basis section of our privacy policy. (https://www.nationalarchives.gov.uk/legal/privacy-policy/#legalbasis)

This sets out the items of personal data that it is necessary for us to process. Our Data Protection Officer has agreed that the minimum amount of data necessary is being used.

Accuracy
Again looking at our privacy policy, you will see that some personal data we collect is subject to an identity check carried out by us, for example registration for a reader’s ticket. Some personal data is accurate by virtue of having been captured by CCTV or visuals taken at events, although these images may not necessarily identify a particular person. Some personal data is provided to us by the data subject, for example booking for an event, where it is in the subject’s own interest to supply accurate information.

In all cases the data subject has the right to query and correct their personal data as set out in the ‘Your rights over your personal information’ section of our privacy policy. (https://www.nationalarchives.gov.uk/legal/privacy-policy/#yourrights)

The fulfilment of these requests may in some cases be subject to exemptions under Data Protection Legislation, and the requests are dealt with by The National Archives staff on a case-by-case basis in consultation with our Data Protection Officer.

Storage Limitation
Personal data is only kept for as long as we have a business need for it. This is managed by applying our retention schedules. Data subjects also have the right to request that their data is no longer processed by us, and their data will be removed on request, provided there is not an exemption under Data Protection Law. In the case of marketing data there is an unsubscribe button on each communication, which results in the cessation of communications. A stub entry is kept as a record of the subject’s wishes.

In addition to the above, The National Archives carries out a bi-annual audit of its Information Asset Register. Each Information Asset Owner, who is usually a department head, fills in a report describing additions, deletions or changes to their assets.