Archives and data protection law in the UK – an overview

The National Archives has co-produced detailed guidance about data protection legislation. These web pages and guidance only cover the areas specifically relating to archives and archiving.

There are many resources available on the Information Commissioner’s Office (ICO) website to give guidance on general provisions in GDPR, including the lawful basis for processing and the rights of individuals under GDPR.

The Archives and Records Association, UK and Ireland (ARA) have been discussing and planning a revised Code of Practice (or Code of Conduct) for record-keepers with colleagues across the public, private and voluntary sectors which they aim to register with the ICO towards the end of 2018. This will include detailed practical advice, such as templates and FAQs. It will be different from – but will complement – the archives exemption guidance.

Key facts


  • In general, ‘archiving’ which complied with the 1998 Data Protection Act will continue to be permitted under the new law. No drastic change is required.


  • Data protection applies to processing of digital information about people, and information in some manual filing systems.
  • Data protection law only applies to data of living persons, not to all records in an archive.
  • The new laws give people greater control over information held about them, and enhance protections, while still enabling legitimate use by others.
  • In general, personal data must be processed for a specified purpose, and kept for no longer than that purpose requires.
  • Individuals have greater rights over their data, including the so-called ‘Right to be Forgotten’.


  • The law recognises that there is a public interest in permitting the permanent preservation of personal data for the long-term benefit of society where relevant.
  • There is a specific provision for this – ‘archiving in the public interest’. This can apply to archiving by public, private or voluntary bodies.
  • Processing data for archiving purposes must be distinguished from processing that supports daily business, as the exemption does not apply in those cases – for example, data gathered for marketing purposes. It also needs to be transparent.
  • Safeguards must be met to use the exemption which minimise any adverse impact on living individuals.
  • Public use of ‘archived’ personal data will generally be possible once the people concerned are dead, and may be possible earlier if the use is fair to the individuals in the records.