General Data Protection Regulation (GDPR) and library authority data

General Data Protection Regulation (GDPR) and library authority data Roberto Gomez Prada Ricardo Santos National Library of Spain Prepared for: EURIG Members Meeting 3rd May, Budapest

GDPR Facts: Supersedes the Data Protection Directive 95/46/EC. Adopted in April 2016, enforced from 25 May 2018. It has 98 articles and 173 whereas clauses. It's a regulation, so it's directly binding and applicable in Member States. Extra-territorial applicability: it applies to all companies processing the personal data of individuals residing in the Union, regardless of the company's location or where the data is processed. The United Kingdom passed the Data Protection Act 2018, with equivalent regulations and protections.

Goals: Strengthen citizens' fundamental rights in the digital age. Give control to citizens over their personal data. Harmonize and simplify the rules throughout the European states. 28 different regulations.

Personal data is any information that relates to an identified or identifiable individual. (art. 4) This Regulation does not apply to the personal data of deceased persons. (whereas 27) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing means any operation on personal data, such as collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available… (art. 4)

GDPR for organizations. Legal basis for processing (art. 6) (Can we process data?): Consent (explicit, clear and unambiguous); Legal obligation (legal deposit?); Public interest; Organisation's legitimate interest. Processing of data must be (art. 5): According to the stated specific purposes, and limited to the data necessary for them. Stored no longer than necessary. Accurate and up-to-date.

Exceptions & Limits: Consent can be skipped if there is a legal obligation or public interest for collecting data. Data erasure and other rights are limited by: Freedom of expression safeguards; Archival exemptions (provided the institution has the legal obligation to preserve); Scientific or historical research. Those limits are not automatic. Member states should introduce them or not. It isn't clear if "scientific or historical research" applies to authority data, or if this data is stored for the "legal obligation".

BIG QUESTIONS REMAIN. Considerations of authority data: Is it "personal data"? What's the legal framework for an authority file? Can the "public interest" or "legal obligation" be invoked to skip consent? Can we deny the "right to be forgotten" on those grounds? Can we freely distribute authority data (to VIAF, for instance)? 1 – According to the legal definition of "personal data", it is, because it allows a living person to be identified (a name string, a date of birth, a URI). "Sensitive data" is less likely to be included. 2 – Should the same rules apply to an authority file as to a customer database, or even a library users' file?

RDA: fuel to the fire. RDA improves both quality and quantity regarding authority data: Person elements that can include sensitive information. Information can be taken from any source. Prescribes no limitation.

BNE experiences – How did we face GDPR? Ask for advice!! BNE cataloguing staff: We are librarians, not lawyers (not familiar with legal issues). BNE legal office: We are part of the Public Administration (cannot act on our own). Solicitor General of Spain: Responsible for advising the Administration about issues of legality. Its reports are binding. Spanish Data Protection Agency. External private auditors.

BNE experiences – Which advice did we get? Concerning BNE authority data, GDPR did not bring a big change from former Spanish data protection law (1999). BNE is officially authorized (by Solicitor General of Spain) to publish authority data. BNE is the one to decide which data is necessary for authority control. Recommendation is made not to process data which is not clearly useful for authority control (Art. 5.1.c.). Recommendation is made to delete sensitive data if authors ask for it. Recommendation is made to keep a "soft" position when in dispute about published data. BNE authority data has always been open. Technological features that make it accessible for a wider community, such as its publication as LOD, do not change the legal nature of this open access (although the number of claims is expected to increase).

BNE experiences – What we decided to do. Guidelines for a general policy (to be officially formulated): Not to record sensitive data: "sensitive" concept to be defined, somehow similar to GDPR Art. 9: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation. Record only information found in public sources. Create a legal form to obtain written consent when recording information obtained directly from authors.

BNE experiences – How do we act in claim cases? Claims accepted: Data correction; Hide pseudonymous relationships; Hide dates (Notice that hide ≠ delete!! We use local MARC 21 fields). Claims rejected: Deletion of resources; Deletion of authority record; Deletion of relationships between resources and authority records. Exceptions? Sure!!

What about VIAF? Is VIAF a third party? VIAF is not a national public body, so the interpretation of the regulation may not be the same as for BNE authorities. But VIAF is an aggregator: its policies should be an extension of its sources' policies. VIAF WG will work on defining a protocol for common cases.

More info: GDPR: legal text. European Union official webpage. IFLA leaflet on GDPR.

Thanks! Roberto Gómez Prada, Ricardo Santos, National Library of Spain. roberto.gomez@bne.es, ricardo.santos@bne.es. Images: Biblioteca Digital Hispánica. Template and fonts: SlidesCarnival