Data Protection and the National Archives Act

Guidance note on the compatibility of the National Archives Act, 1986 and the General Data Protection Regulation (GDPR)


Introduction

 

This note is intended to provide guidance to Departments of State, as defined in the National Archives Act, 1986, on the compatibility of the National Archives Act, 1986 and the General Data Protection Regulation (GDPR), which came into force across all member states of the European Union on 25 May 2018 and was transposed into Irish law as the Data Protection Act, 2018.

 

The note is formatted in a question-and-answer style and seeks to give a general overview of the obligations of Departments of State under the National Archives Act, 1986, with regard to the retention, withholding and disposal of departmental records. It highlights the articles and recitals of GDPR relevant to the management of departmental records that warrant permanent preservation as archives and the requirements of Departments of State with regard to their records management responsibilities.

 

This note is primarily aimed at Departments of State subject to the National Archives Act, 1986. This includes all government departments, all court offices and the 61 public bodies listed in the schedule to the Act, or bodies not named in the schedule but which have inherited records from bodies subject to the Act. However, it is also intended to provide guidance to bodies created since 1986 and those who inherited functions and records from bodies listed in the schedule.

This note is for information purposes only. Legal queries should be directed to Departmental Legal Advisors.

 

 

Frequently Asked Questions

  1. How are the National Archives Act and the Data Protection Act compatible?
  2. What section(s) of the National Archives Act, 1986, are relevant to the interpretation of GDPR?
  3. What articles of GDPR are relevant to archiving?
  4. When is retention for archiving purposes allowed?
  5. Why is Article 5 of GDPR relevant to the retention of records as archives?
  6. What is defined as longer periods in GDPR?
  7. What safeguards must be put in place for personal data that warrants permanent preservation as archives?
  8. Why is section 7 of the National Archives Act, 1986, relevant to GDPR?
  9. What does ‘warrants preservation’ as archives mean?
  10. What is the definition of personal data?
  11. What is the definition of processing?
  12. What is the legal basis for processing of personal data by Departments of State?
  13. Who is legally responsible for records identified as warranting permanent preservation as archives?
  14. Will all records warranting permanent preservation as archives be transferred to the National Archives?
  15. What about records withheld under section 8(4) due to data protection concerns?
  16. Are Departments of State in breach of GDPR if they hold records over 30 years old that should have been transferred to the National Archives?
  17. How do Departments of State determine what records to retain?
  18. Who is responsible for records management in Departments of State?
  19. Within what timeframe must a request for the disposal of records under section 7 of the National Archives Act, 1986, be made?
  20. Does the mechanism for disposal under section 7 of the National Archives Act, 1986, apply to both paper and electronic records?
  21. What happens if a request for disposal of records is rejected?
  22. What if there is a long delay in the processing of a request for disposal under section 7 of the National Archives Act, 1986, by National Archives staff?
  23. Is a request to dispose of records obligatory?
  24. Do the National Archives Act, 1986, and GDPR apply to both paper and electronic records?
  25. Can a Department of State destroy a record if a request has been received under article 17 of GDPR (the Right to Erasure)?
  26. Will the National Archives assess such requests for erasure on an individual case basis on behalf of Departments of State?
  27. Does the National Archives need to be notified of a request for rectification of a record under article 16 of GDPR?
  28. Do the National Archives Act, 1986, and GDPR apply to public bodies not named in the schedule to the Act?
  29. How can the records of a State body be brought within the scope of the National Archives Act, 1986?
  30. How has article 89 of GDPR (archiving purposes in the public interest and scientific and historical research) been transposed in the Data Protection Act, 2018?
  31. Are there any restrictions in the Data Protection Act, 2018 on the rights of data subjects with regard to the processing of records containing personal data identified as warranting permanent preservation in the public interest?
  32. Are there any implications for departments using commercial off-site storage?

Answers

  1. How are the National Archives Act and the Data Protection Act compatible?
    Both of these Acts operate within a legal framework for the management of government records that also includes other statutes relating to areas such as Freedom of Information and Open Data. The central tenet of all of these pieces of legislation is safeguarding citizens’ rights through government transparency and accountability.
    Compliance with the National Archives Act will ensure that government records worthy of permanent preservation as archives will be retained and transferred to the National Archives as per Article 89 of GDPR (see Question 3). If records do not warrant permanent preservation, section 7 of the National Archives Act provides for their secure destruction once they have been deemed of no archival value (see Question 9). This in turn provides an important audit trail for the active management of government records, as stipulated in Article 30 of GDPR (see Question 4).
  2. What section(s) of the National Archives Act, 1986, are relevant to the interpretation of GDPR?
    The National Archives Act, 1986 in its entirety applies to all departmental records regardless of whether they contain personal data as defined in Article 4 of GDPR or special categories of personal data as defined in Article 9.
  3. What articles of GDPR are relevant to archiving?
    Article 89 of GDPR allows for the processing of personal data for ‘archiving purposes in the public interest’ provided the data was obtained using one of the legal principles as set out in Article 6. Departments of State should only be collecting personal data that is necessary for the performance of their statutory functions. The legal basis underlining Article 89 is further expanded in Recitals 156 – 163 of GDPR.
    This means that departmental records that have been identified as warranting permanent preservation as archives must be retained by Departments of State and transferred to the National Archives after 30 years, including records that contain personal data.
  4. When is retention for archiving purposes allowed?
    Article 30 of GDPR stipulates that all organisations that process personal data must be actively managing their records. This means that all Departments of State are required to have a documented records management policy in place. This policy demonstrates why records are created, the business function they support, the legal basis for the creation and retention of these records, and the information they contain. Records worthy of permanent preservation should be identified in this policy and the National Archives Act, 1986 should be used as the legal basis for their retention. Please see our generic retention schedule as a guide for identifying record series of archival value.
    Any records identified as warranting permanent preservation and eventual transfer to the National Archives are exempt from the requirements for the disposal of records under Article 89 of GDPR.
    Compliance with the National Archives Act, 1986, is crucial for auditing under GDPR and to justify retention of departmental records beyond their business or legal requirements.
    This records management policy should apply to all records and not just those containing personal data.
  5. Why is Article 5 of GDPR relevant to the retention of records as archives?
    Article 5 of GDPR states that ‘personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest.’
  6. What is defined as longer periods in GDPR?
    No definition is given in GDPR of what is meant by ‘longer periods.’ A Department of State that fails in their obligations under Article 30 may be in breach of this definition if they fail to demonstrate in their policy for the retention of records that an assessment has been made of the legal basis and business need for the retention of such data.
  7. What safeguards must be put in place for personal data that warrants permanent preservation as archives?
    Departmental records containing personal data and identified as warranting permanent preservation as archives must not undergo any further processing other than their preparation for transfer to the National Archives. These records should be stored securely or on a secure server to prevent any further processing, including additions to closed files or deletion of records. The information in these records cannot be used for any purpose other than that for which the data was originally obtained. Any attempt by a Department of State to use this information for any purpose other than the original purpose for which the information was obtained or for processing for transfer to the National Archives will be in breach of Article 5 of GDPR.
  8. Why is section 7 of the National Archives Act, 1986, relevant to GDPR?
    Section 7 of the National Archives Act, 1986, sets out the process by which Departments of State must apply for the disposal of records that do not warrant permanent preservation as archives. Section 7(7) stipulates that Departments of State must facilitate access by officers of the National Archives to undertake an appraisal survey of any records for which disposal is applied.
  9. What does ‘warrants preservation’ as archives mean?
    Warrants preservation is not defined in section 7(4)(b) of the National Archives Act, 1986. Appraisal by National Archives staff is based on a professional assessment of the records, including interviews with relevant staff to obtain details of why the records were created and the functions they support. This appraisal procedure is underlined by the experience and training of archivists in the National Archives and their adherence to professional codes of ethics and international standards of best practice as developed by bodies such as the International Council on Archives and the European Archives Group.
  10. What is the definition of personal data?
    Personal data is defined in Article 4(1) of GDPR as ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
  11. What is the definition of processing?
    Processing is defined in Article 4(2) of GDPR as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.’
  12. What is the legal basis for processing of personal data by Departments of State?
    The legal basis for the processing of personal data by Departments of State will depend on their functions and the legal basis for these functions. Each Department of State should be aware of the legislation that underpins their ability to carry out their work, including any limitations on their ability to collect or process personal data.
  13. Who is legally responsible for records identified as warranting permanent preservation as archives?
    Departments of State remain legally responsible for all departmental records in their custody until they are transferred to the National Archives (under the 30 or 20 year rule) and a Certificate for the Release of Records to the Public is signed by a Certifying Officer or an officer working under the direction of a Certifying Officer.
  14. Will all records warranting permanent preservation as archives be transferred to the National Archives?
    No. Some departmental records identified as warranting permanent preservation will be retained permanently in the archives of the Department of State. These may include, but are not limited to, personnel records, which should be retained for 100 years (S.I. No. 281/1997). Certificates for the Disposal of departmental Records signed by the Director of the National Archives should also be retained.
    All departmental records warranting permanent preservation will be transferred to the National Archives ultimately. There is provision within the National Archives Act, 1986, for the withholding or retention of departmental records on specified grounds under section 8(4) and section 8(2). All such records must be reviewed every 5 years and transferred to the National Archives if the reason for their retention no longer applies.
  15. What about records withheld under section 8(4) due to data protection concerns?
    Records with data protection concerns should be withheld by the Department of State following the appropriate certification under section 8(4) of the National Archives Act, 1986. Access to closed files should be restricted and no further processing should take place. An access policy should be developed by the Department of State and strictly adhered to. This policy may include stipulations that access can only be given to the individuals named in the file until data protection no longer applies.
    It is advisable that Departments of State also provide a mechanism for any approaches by other interested parties such as academic historians. Such a policy should provide a contact through which all requests are received to ensure consistency in how this policy is implemented. It should also stipulate any requirements for anonymisation/pseudonymisation of personal data to be published. Any access policy developed by the Department of State should adhere to their legal responsibilities as set out in Data Protection legislation and should be strictly, and consistently, applied by the department.
  16. Are Departments of State in breach of GDPR if they hold records over 30 years old that should have been transferred to the National Archives?
    Where records have been identified as warranting permanent preservation as archives but transfer to the National Archives has not taken place, the Department of State will not be in breach of GDPR if measures have been put in place to restrict access and prevent further processing.
    If no appraisal of the records has taken place the definition of longer period in GDPR for the retention of records may have been breached. Article 30 of GDPR states that data controllers and processors must be proactive in the management of their records.
    This should include the proactive management of departmental records throughout their lifecycle, including the development of retention and disposal schedules.
  17. How do Departments of State determine what records to retain?
    Departments of State should follow guidance issued by the National Archives (see Retention Schedule). The National Archives would also strongly advocate for the appointment of a professionally qualified archivist/ records manager as a permanent member of staff, who can put in place systems and processes for the identification of departmental records that warrant permanent preservation. The National Archives will provide advice and guidance to individuals with responsibility for records management and archives within Departments of State.
  18. Who is responsible for records management in Departments of State?
    Under the National Archives Act, 1986, the Minister for Public Service, now the Minister of Finance, is responsible for records management policy within Departments of State. The National Archives Act, 1986, provides no statutory basis for the involvement of the National Archives in records management policy within Departments of State. The National Archives can only provide guidance for departmental records over 30 years old under the terms of the current legislation.
    The National Archives recognises the inadequacy of this situation, particularly with regard to the management of electronic records. In the absence of a records management policy for the Civil Service, the National Archives provides advice to Departments of State on the management of their records on an informal basis, subject to available resources.
  19. Within what timeframe must a request for the disposal of records under section 7 of the National Archives Act, 1986, be made?
    There is no obligation under the National Archives Act, 1986, on Departments of State to dispose of any of their records. However, failure to do so may result in breaches of other legislation within the regulatory framework within which Departments of State operate. This may include, but may not be limited to, GDPR.
    Where disposal of records is to take place, the procedures as set out in section 7 of the National Archives Act, 1986, must be followed. Where disposal of records, in both paper and electronic format, takes place without the approval of the Director of the National Archives the Department of State will be in breach of section 7 of the National Archives Act, 1986.
  20. Does the mechanism for disposal under section 7 of the National Archives Act, 1986, apply to both paper and electronic records?
    Yes. The format of the record is irrelevant for the purposes of the National Archives Act, 1986. Section 7 also applies to any departmental records scanned for access or to limit storage costs.
    A scanned copy of a record is not the official record and may have no legal standing.
    The only exceptions to this are duplicates or printed material that do not require permission for disposal. A duplicate record is an exact copy. Any annotations or changes will render the document an original record.
  21. What happens if a request for disposal of records is rejected?
    Where a request for disposal has been refused by the Director of the National Archives on the grounds that the records warrant permanent preservation as archives, the Department of State is obliged to retain the records and prepare them for transfer after 30 years to the National Archives.
    Departments of State are strongly advised to be cognisant of retention periods in implementing their filing systems. Record series that have different retention periods should not be filed together as it makes appraisal at a series level impossible without a major input of staffing resources. In cases where various record series have been filed together, it will not be possible to grant disposal until some preparation work has been completed.
  22. What if there is a long delay in the processing of a request for disposal under section 7 of the National Archives Act, 1986, by National Archives staff?
    Once a Department of State is actively managing their records and applying for disposal of records that do not warrant permanent preservation as archives, they will be fulfilling their legal responsibilities under GDPR. The National Archives will endeavour to process applications in as efficient a manner as current resources allow. Some delay in the processing of applications is inevitable due to current staffing restraints.
  23. Is a request to dispose of records obligatory?
    No, but records made or received or held by a Department of State cannot be destroyed without a signed certificate for their disposal issued by the Director of the National Archives. Disposal of any records without the required permission, including records scanned for access or to reduce storage, is a breach of section 7 of the National Archives Act, 1986.
  24. Do the National Archives Act, 1986, and GDPR apply to both paper and electronic records?
    Yes. The National Archives Act, 1986, applies to all departmental records in both electronic and paper format. GDPR applies to records in both paper and electronic format that contain personal data as defined in Article 4 of GDPR.
    The majority of Departments of State operate in a hybrid environment. This means that they are working with both paper records and born digital, or electronic records. Any records management policy should take this into consideration. File classification schemes should apply to both paper and electronic records. A record series that contains both digital and paper records should be subject to the same file classification scheme and retention periods. Any discrepancy in the application of the same file classification to a series based on format will lead to problems such as identification of records at a later stage. This may result in the unnecessary retention or unauthorised disposal of records. The business function of a Department of State should form the basis of any file classification scheme, regardless of the format of the records.
  25. Can a Department of State destroy a record if a request has been received under article 17 of GDPR (the Right to Erasure)?
    Not without due consideration of all legislative obligations, including the National Archives Act. Where a request for the erasure of a record has been received, the Department of State should refer to their retention policy.
    The Right to Erasure in Article 17 of GDPR is a qualified right. Where a record series has been identified as warranting permanent preservation, the exemption for processing for archiving purposes in the public interest or historical or statistical research as set out in Article 89 will apply.
    Where an individual rejects this assessment, they have the right to make a complaint to the Data Protection Commission in the first instance and to engage with the legal procedures as set out in the Data Protection Act, 2018.
  26. Will the National Archives assess such requests for erasure on an individual case basis on behalf of Departments of State?
    No. The National Archives will only assess applications for disposal on a record series level. Where an appraisal finds the series warrants permanent preservation as archives no permission for the disposal of the record will be given. The disposal of such records without a Certificate for Disposal of Departmental Records signed by the Director of the National Archives is a breach of section 7 of the National Archives Act, 1986.
    If the National Archives gives permission for the disposal of the record series on an ongoing basis the Department of State is advised to dispose of these records on a regular basis in accordance with their retention policy, provided they are no longer required to support business or legal functions, to prevent unnecessary retention of records and a consequent breach of their obligations under GDPR.
  27. Does the National Archives need to be notified of a request for rectification of a record under article 16 of GDPR?
    Although the Department of State is the data controller, the National Archives should be consulted with regard to any requests for the rectification of departmental records, which have been identified as warranting permanent preservation for archiving purposes in the public interest. Once a record has been transferred to the National Archives it is deemed to be the permanent historical record. Requests for rectification should be recorded in accordance with Recital 65 of GDPR.
  28. Do the National Archives Act, 1986, and GDPR apply to public bodies not named in the schedule to the Act?
    The schedule to the National Archives Act, 1986, lists 61 public bodies that are subject to the Act. Many of these bodies no longer exist or their functions have transferred to bodies created since 1986. Organisations that inherited the records of bodies listed in the Act are subject to the National Archives Act, 1986, with regard to the inherited records only.
    Following legal advice received by the National Archives, a non-textual amendment of the National Archives Act, 1986, may have taken place where reference is made to a pre-existing body in legislation establishing a new body that has inherited functions. In such cases, the new body may be subject to the National Archives Act, 1986, with regard to all of its records. The National Archives recommends that such bodies seek legal advice on their status under the National Archives Act, 1986.
    Where bodies have inherited records but no reference is made to the creating body in establishing legislation, there is currently no legal protection for records created since the establishment of the new body. In such cases, there is no legal mechanism in place for the appointment of a Certifying Officer to allow the provisions within the National Archives Act, 1986, for the retention, disposal or transfer of records to take place. In such cases, a Certifying Officer may be appointed with responsibility for inherited records only.
    In the absence of any plans to amend the National Archives Act, 1986, public bodies in this situation may apply for inclusion in the schedule to the National Archives Act, 1986, through the use of a Statutory Instrument.
    Despite the current legal situation, the National Archives would strongly urge any public body to consult with them about the retention of their records before any disposal takes place. As public and civil servants we have a legal and moral obligation to ensure that departmental records are protected and the historical record of Ireland kept intact.
    All public bodies are subject to GDPR as they process personal data in one form or another, either through their statutory functions or in their role as employers.
  29. How can the records of a State body be brought within the scope of the National Archives Act, 1986?
    The records of an organisation can be brought within the scope of the National Archives Act, 1986, in either of two ways:
    By being added to the list of scheduled bodies by statutory order made by the Minister for Tourism, Culture, Arts, Gaeltacht, Sport and Media, as is provided for under Section 1(2)(d) and (e) of the Act:
    (d) The Taoiseach [now Minister for TCAGSM], after consultation with the Director and the Council, may by order amend the Schedule to this Act.
    (e) Where an order under this subsection is proposed to be made, a draft of the order shall be laid before each House of the Oireachtas and the order shall not be made until a resolution approving the draft has been passed by each such House.
    or
    By giving its records the status of departmental records in accordance with Section 13:
    13.—(1) The Taoiseach [now the Min DCHG], at the request of a public service organisation, may declare the records or documents (or a particular class of such records or documents specified in the declaration) of that organisation to be Departmental records for the purpose of this Act.
  30. How has article 89 of GDPR (archiving purposes in the public interest and scientific and historical research) been transposed in the Data Protection Act, 2018?
    Provision has been made in the Data Protection Act, 2018 for archiving purposes in the public interest in section 42 and archiving of special categories of data in section 54. These provisions apply to all records that warrant permanent preservation as archives in both the public and private sectors, including business, religious and community archives.
    Provision has been made in section 55(2)(e) for archiving purposes in the public interest for public bodies that hold records worthy of permanent preservation containing personal data relating to criminal convictions and offences, as set out in article 10 of GDPR.
    Provision has been made in section 71(6)(a) for the processing of personal data for archiving purposes in the public interest where the personal data was originally collected by a different data controller. This would include archive services who accession material from various data controllers, including Departments of State.
    Provision has been made in section 90(4) for restriction of the right of the data subjects to information held by an archive where obtaining such information proves impossible or would involve a disproportionate effort.
  31. Are there any restrictions in the Data Protection Act, 2018 on the rights of data subjects with regard to the processing of records containing personal data identified as warranting permanent preservation in the public interest?
    Yes. Section 61(1) allows for restrictions on the exercise of the rights of data subjects where processing is for archiving purposes in the public interest. The rights of a data subject set out in articles 15 (right of access), 16 (right to rectification), 18 (right to restrictions of processing), 19 (right to notification of rectification, erasure or restriction of processing of personal data), 20 (right to data portability) and 21 (right to object) of GDPR are restricted to the extent that:
    The exercise of any of those rights would be likely to render impossible, or seriously impair, the achievement of those purposes, and
    Such restriction is necessary for the fulfilment of those purposes.
    Where processing is taking place at the same time for any other purpose, other than archiving purposes in the public interest, these restrictions will only apply to processing for archiving purposes in the public interest.
  32. Are there any implications for departments using commercial off-site storage?
    Departments of State that employ third party contractors, such as commercial storage companies, to manage their records are strongly advised to check the terms and conditions of any contract. Under GDPR, the data controller is liable for any data breach by a data processor. If the commercial storage company is found to be a data processor the Department of State will be liable.
    Departments of State should make regular visits to any off-site storage facilities, particularly those provided by commercial storage companies, to ensure adequate and appropriate security measures are in place. They should also ensure that any records stored in off-site storage are audited regularly and that only those records that are required for business or legal purposes or that are to be transferred to the National Archives at some future date are retained.