This article explores the impact of the General Data Protection Regulation (GDPR) on library authority data and provides guidelines for compliance. It discusses the legal framework, limitations, and key considerations for processing authority data, and highlights the role of the Resource Description and Access (RDA) standard in improving data quality. The experiences of the National Library of Spain (BNE) in facing GDPR challenges are also shared, along with their decisions and recommendations for handling authority data.
General Data Protection Regulation (GDPR) and library authority data Roberto Gomez Prada Ricardo Santos National Library of Spain Prepared for: EURIG Members Meeting 3rd May, Budapest
GDPR Facts Supersedes the Data Protection Directive 95/46/EC. Adopted in April 2016, enforced from 25 May 2018. It has 98 articles and 173 whereas clauses. It’s a regulation, so it’s directly binding and applicable in Member States. Extra-territorial applicability: it applies to all companies processing the personal data of individuals residing in the Union, regardless of the company’s location or where the data is processed. The United Kingdom passed the Data Protection Act 2018, with equivalent regulations and protections.
Goals Strengthen citizens' fundamental rights in the digital age. Give control to citizens over their personal data. Harmonize and simplify the rules throughout the European states.
Personal data is any information that relates to an identified or identifiable individual. (art. 4) This Regulation does not apply to the personal data of deceased persons. (whereas 27)
Processing means any operation on personal data, such as collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available… (art. 4)
GDPR for organizations
• Legal basis for processing (art. 6) (Can we process data?):
  • Consent (explicit, clear and unambiguous)
  • Legal obligation (legal deposit?)
  • Public interest
  • Organisation’s legitimate interest
• Processing of data must be (art. 5):
  • In accordance with the stated specific purposes, and limited to the data necessary for them.
  • Stored no longer than necessary.
  • Accurate and up-to-date.
Exceptions & Limits Consent can be skipped if there is a legal obligation or public interest for collecting data. Data erasure or other rights are limited by: Freedom of expression safeguards. Archival exemptions (provided the institution has the legal obligation to preserve). Scientific or historical research. Those limits are not automatic: Member States decide whether or not to introduce them.
BIG QUESTIONS REMAIN Considerations of authority data: Is it “personal data”? What’s the legal framework for an authority file? Can the “public interest” or “legal obligation” be invoked to skip consent? Can we deny “right to be forgotten” on those grounds? Can we freely distribute authority data (to VIAF, for instance)?
RDA: fuel to the fire RDA improves both quality and quantity regarding authority data: Person elements that can include sensitive information. Information can be taken from any source. Prescribes no limitation.
BNE experiences - How did we face GDPR? BNE cataloguing staff: We are librarians, not lawyers (not familiar with legal issues). BNE legal office: We are part of the Public Administration (cannot act on our own). Solicitor General of Spain: Responsible for advising the Administration about issues of legality. Its reports are binding. Spanish Data Protection Agency. External private auditors. Ask for advice!!
BNE experiences – Which advice did we get?
• Concerning BNE authority data, GDPR did not bring a big change from former Spanish data protection law (1999)
• BNE is officially authorized (by Solicitor General of Spain) to publish authority data
• BNE is the one to decide which data is necessary for authority control
• Recommendation is made not to process data which is not clearly useful for authority control (Art. 5.1.c.)
• Recommendation is made to delete sensitive data if authors ask for it
• Recommendation is made to keep a “soft” position when in dispute about published data
• BNE authority data has always been open. Technological features that make it accessible for a wider community, such as its publication as LOD, do not change the legal nature of this open access (although the number of claims is expected to increase)
BNE experiences – What we decided to do
Guidelines for a general policy (to be officially formulated)
• Not to record sensitive data: “sensitive” concept to be defined, somewhat similar to GDPR Art. 9: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation
• Record only information found in public sources
• Create a legal form to obtain written consent when recording information obtained directly from authors
BNE experiences – How do we act on claims? Claims accepted: Data correction. Hide pseudonymous relationships. Hide dates. (Notice that hide ≠ delete!! We use local MARC 21 fields.) Claims rejected: Deletion of resources. Deletion of authority record. Deletion of relationships between resources and authority records. Exceptions? Sure!!
What about VIAF?
• Is VIAF a third party?
• VIAF is not a national public body, so the interpretation of the regulation may not be the same as for BNE authorities
But
• VIAF is an aggregator: its policies should be an extension of its sources’ policies
• VIAF WG will work on defining a protocol for common cases
More info GDPR: legal text. European Union official web page. IFLA leaflet on GDPR.
Thanks! Roberto Gómez Prada Ricardo Santos National Library of Spain roberto.gomez@bne.es ricardo.santos@bne.es Images : Biblioteca Digital Hispánica Template and fonds: SlidesCarnival