Presentation is loading. Please wait.

Presentation is loading. Please wait.

General Data Protection Regulation (GDPR) and library authority data

Published byΕυδώρα Παπαφιλίππου Modified over 5 years ago

Similar presentations

Presentation on theme: "General Data Protection Regulation (GDPR) and library authority data"— Presentation transcript:

1 General Data Protection Regulation (GDPR) and library authority data
Roberto Gomez Prada Ricardo Santos National Library of Spain Prepared for: EURIG Members Meeting 3rd May, Budapest

2 GDPR Facts Supersedes the Data Protection Directive 95/46/EC
Adopted in April 2016, enforced in 25 May It has 98 articles and 173 whereas clauses. It’s a regulation, so it’s directly binding and applicable in Member States. Extra-territorial applicability: it applies to all companies processing the personal data of individual residing in the Union, regardless of the company’s location or where the data is processed . United Kingdom passed the Data Protection Act 2018, with equivalent regulations and protections

3 Goals Strengthen citizens' fundamental rights in the digital age. Give control to citizens over their personal data Harmonize and simplify the rules throughout the European states 28 different regulations

4 Personal data is any information that relates to an identified or identifiable individual. (art. 4)
This Regulation does not apply to the personal data of deceased persons. (whereas 27) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

5 Processing means any operation on personal data, such as collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available… (art. 4)

6 GDPR for organizations
Legal basis for processing (art. 6) (Can we process data?): Consent (explicit, clear and unambiguous) Legal obligation (legal deposit?) Public interest Organisation’s legitimate interest Processing of data must be (art. 5): According to, and only the data necessary, the stated specific purposes. Stored no longer than necessary. Accurate and up-to-date.

7 Consent can be skipped if there is legal obligation or public interest for collecting data
Data erasure or others are limited by: Freedom of expression safeguards. Archival exemptions (provided the institution has the legal obligation to preserve). Scientific or historical research. Those limits are not automatic. Member states should introduce them or not. Exceptions & Limits It isnt clear if “scientific or historical research” applies to authority data, or if this data is stored for the “legal obligation”

8 BIG QUESTIONS REMAINS Considerations of authority data:
Is it “personal data”? What’s the legal framework for an authority file? Can the “public interest” or “legal obligation” be invoked to skip consent? Can we deny “right to be forgotten” on those grounds? Can we freely distribute authority data (to VIAF, for instance)? 1 – According to the law definition for “personal data”, it’s, because it allows to identify a livinf person (a name string; a dte of birth, an URI). “sensitive data” is less probably to be included. 2- Should the same rules apply to an authority file than a customer database, or even a library users’ file?

9 RDA: fuel to the fire RDA improves both quality and quantity regarding authority data: Person elements that can include sensitive information Information can be taken from any source Prescribes no limitation

10 RDA: fuel to the fire

11 RDA: fuel to the fire

12 BNE experiences - How did we face GDPR?
Ask for advice!! BNE cataloguing staff We are librarians, not lawyers (not familiar with legal issues) BNE legal office We are part of the Public Administration (cannot act on our own) Solicitor General of Spain Responsible for advising the Administration about issues of legality. Its reports are binding. Spanish Data Protection Agency External private auditors

13 BNE experiences – Which advice did we get?
Concerning BNE authority data, GDPR did not bring a big change from former Spanish data protection law (1999) BNE is officially authorized (by Solicitor General of Spain) to publish authority data BNE is the one to decide which data is necessary for authority control Recommendation is made not to process data which is not clearly useful for authority control (Art. 5.1.c.) Recommendation is made to delete sensitive data if authors ask for it Recommendation is made to keep a “soft” position when in dispute about published data BNE authority data has always been open. Technological features that make it accessible for a wider community, such as its publication as LOD, do not change the legal nature of this open access (although the number of claims is expected to increase)

14 BNE experiences – What we decided to do
Guidelines for a general policy (to be officially formulated) Not to record sensitive data: “sensitive” concept to be defined, somehow similar to GDPR Art.9: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union members, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation Record only information found in public sources Create a legal form to achieve written consent when recording information obtained directly from authors

15 BNE experiences – How do we act in claiming cases
Claimings accepted  Data correction Hide pseudonymous relationships Hide dates (Notice that hide ≠ delete!! We use local MARC 21 fields) Claimings rejected  Deletion of resources Deletion of authority record Deletion of relationships between resources and authority records Exceptions? Sure!!

16 VIAF WG will work in defining a protocol for common cases
What about VIAF? Is VIAF a third party? VIAF is not a national public body, so the interpretation of the regulation may not be the same as for BNE authorities But VIAF is an aggregator: its policies should be an extension of its sources’ policies VIAF WG will work in defining a protocol for common cases

17 European Union official webpage
More info GDPR: legal text European Union official webpage IFLA leaflet on GDRP

18 Thanks! Roberto Gómez Prada Ricardo Santos National Library of Spain
Images : Biblioteca Digital Hispánica Template and fonds: SlidesCarnival

Download ppt "General Data Protection Regulation (GDPR) and library authority data"

Similar presentations

Re-use of PSI Data Protection Issues Cécile de Terwangne Professor at the Law Faculty, Research Director at CRIDS University of Namur (Belgium) 2 nd LAPSI.

Re-use of PSI Data Protection Issues Cécile de Terwangne Professor at the Law Faculty, Research Director at CRIDS University of Namur (Belgium) 2 nd LAPSI.
Data Protection & Privacy in the Information Age COMNET – Legal Frameworks for ICTs Malta 2013 Dr Antonio Ghio Dr Jeanine Rizzo.

Data Protection & Privacy in the Information Age COMNET – Legal Frameworks for ICTs Malta 2013 Dr Antonio Ghio Dr Jeanine Rizzo.
DATA PROTECTION and Research University Research Ethics Committee – 30.05.2008 David Cauchi David Cauchi Office of the Commissioner for Data Protection.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Convention for the protection of individual with regard to automatic processing of personal data “The purpose of this convention is to secure in the territory.

Convention for the protection of individual with regard to automatic processing of personal data “The purpose of this convention is to secure in the territory.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Data Protection.

Data Protection.
DATA PROTECTION and Research University Research Ethics Committee – 08.05.2006 David Cauchi Office of the Data Protection Commissioner.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
What if my organization conducts business across borders ? Your footnote Privacy and “Personal Information” have different meanings in different countries;

What if my organization conducts business across borders ? Your footnote Privacy and “Personal Information” have different meanings in different countries;
Class 13 Internet Privacy Law European Privacy.

Class 13 Internet Privacy Law European Privacy.
Data Protection Overview

Data Protection Overview
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
European data protection and privacy regulations Johny GASSER Orange Business Services – Consulting & Solutions Integration International Cyber Center.

European data protection and privacy regulations Johny GASSER Orange Business Services – Consulting & Solutions Integration International Cyber Center.
Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.

Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.
Data Protection Act & Freedom of Information Simon Mansell Corporate Governance and Information Team.

Data Protection Act & Freedom of Information Simon Mansell Corporate Governance and Information Team.
Data Protection Corporate training 2012. Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.

Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
IT Applications Theory Slideshows By Mark Kelly Vceit.com Privacy Laws.

IT Applications Theory Slideshows By Mark Kelly Vceit.com Privacy Laws.
Data protection and European citizens’ initiatives

Data protection and European citizens’ initiatives
DATA PROTECTION ACT 1998. INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March 2000. It is more far reaching than its predecessor,

DATA PROTECTION ACT INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March It is more far reaching than its predecessor,
Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.

Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.

Similar presentations

Ads by Google