Unlocking Our Sound Heritage under the General Data Protection Regulation (GDPR)

In July 2017 Unlocking Our Sound Heritage (UOSH), a major Heritage Lottery funded five year partnership led by the British Library was launched. The project, which forms part of the British Library’s Save Our Sounds programme, aims to preserve and provide access to as much as possible of the nation’s rare and unique sound recordings. It will be delivered by working closely with ten organisational partners across the UK who will digitise their own collections and selected content contributors. Over the five-years we hope to make 100,000 of these half a million digitised recordings (which range from oral history, wildlife sounds, popular and world and traditional music, radio, language and dialect) available through a freely accessible, purpose-built media player and website hosted by the British Library. In addition to innovative exhibitions and engagement activities in support of this.

One of a number of legal challenges to these aims is the General Data Protection Regulation (GDPR) which came into effect on 25 May 2018. In the UK this lead to the implementation of the 2018 Data Protection Act; the biggest change in privacy laws since 1998. These developments are not only a reflection of technological advancements in the last twenty years but also changing expectations around the protection of privacy.

The GDPR applies to all personal data which can identify a living person. This is referred to as personal and special category data and it can be anything from name and address, all the way through to political and religious beliefs. In order to comply institutions must adhere to the six principles of the GDPR which include: lawfulness, fairness and transparency in their processing of personal data. They must also identify if there is a legal basis for their processing of personal data and special category data. Processing in this context is an operation or set of operations performed on personal data, or sets of personal data which may include collection, recording, dissemination or retrieval.

For personal data three of the six lawful basis options are available to this project: consent, legitimate interests and performance of a task in the public interest. Each processing activity only needs one and there is no option to change the lawful basis further down the line. Some organisations like national libraries, museums, galleries and universities can rely on the performance of a task in the public interest as its lawful basis for processing personal data. The British Library is governed by the British Library Act 1972 and therefore meets this requirement, so for activities which are defined in the Act or the British Library’s Public Task Statement we rely on this exclusively. However for some of the UOSH partner hubs this is not available because they do not need to process personal data either in the exercise of ‘official authority’, or to perform a specific task in the public interest that is set out in law. An alternative legal basis for these institutions therefore is legitimate interest and as ever documenting why this basis has been selected is key.

Another type of legal basis available to the project is consent; however it is the most problematic since understanding of the term often blurs the lines between intellectual property, ethical practices of informed consent in oral history and data protection. To un-blur them we must differentiate between permission to record an individual and the rights needed to make a recording publically available from the consent of a data subject to process their personal data. The main concern is that consent would be required not only from the person speaking but the people they are speaking about. In a practical sense it would be impossible to achieve this and if withdrawn, consent could not be substituted for another legal basis.

Special category data requires a different lawful basis to those mentioned above, this is because the type of personal data it covers such as political beliefs, religious beliefs, race, ethnicity, or sexuality are considered more sensitive than ‘regular’ personal data, such as name, address or data of birth . Article 9 outlines special category data under GDPR and prohibits its processing unless one of the listed provisos apply, for both the British Library and the UOSH partner hubs on this project that is ‘Archiving in the Public Interest’.

For all of our processing of personal and special category data we will rely on the exemptions in Article 89 of GDPR which confusingly is also referred to as ‘Archiving in the Public Interest’. This allows for processing if appropriate safeguards are in place and exempts us from various data subject rights such as erasure or restriction of processing. However for it to apply the safeguards must be designed to prevent causing substantial damage or distress to a living individual.

Understanding and defining what we as an institution mean by substantial damage or distress is an essential focus of our work on the UOSH project. Legal definitions of these terms are difficult to find which leaves them open to interpretation. We can broadly say that damage is financial, physical or reputational in nature and can look to existing law such as defamation, contract and tort for guidance. However distress is far more subjective, based on previous case law we know it can mean embarrassment, anxiety, disappointment, loss of expectation, upset and stress, but that must go beyond annoyance or irritation, strong dislike or a feeling that the processing is morally wrong. One option is the construction of a two stage process, stage one we consider what the individual with the complaint says and stage 2 we examine what the ‘ordinary’ person might say. How as an institution we determine what this means and how it works in practice; and how we ensure it represents this ‘average’ view, is still in progress.

Objective and consistent decision making of which recordings are more or less likely to cause a living individual distress if placed online is and will continue to be a challenge. Those of us making these judgements must be aware of our inherent biases and ensure a wide range of opinions and guidance is sought. The process will always be subject to change in terms of our interpretations, the interpretations of others and following the outcome of case law and regulatory guidance. As ever good documentation of these decisions are key.

The GDPR brought about essential changes to privacy law in the EU and through the UK’s new Data Protection Act (2018) it will continue to impact a project such as this after the UK leaves the EU in March 2019. Like any digitisation project seeking to place large amounts of content online, how to comply with data protection law requires considerable attention. However, unlike many online access initiatives a high proportion of the content we wish to make available contains the personal information of identifiable living individuals and the assessment of which requires hours of listening time. As we embark on this relatively unchartered territory we have the opportunity to develop new and innovative processes and assessment methods in this area of audio heritage, data protection and online access. We are excited about the work we are doing and hope by the end of the project we will have a number of tried and tested methods which will help future endeavours in this area.

With thanks to: James Courthold (Information Compliance Manager, British Library) and Sue Davies (Project Manager, Unlocking Our Sound Heritage, British Library).

For more information on UOSH please visit https://www.bl.uk/projects/unlocking-our-sound-heritage and follow us on Twitter @BLSoundHeritage.