The National Library of Wales is required by law to comply with the Data Protection Act 1998. The purpose of data protection legislation is to ensure that personal data is not processed without the knowledge and, except in certain cases, the consent of the data subject, to ensure that personal data that is processed is accurate, and to enforce a set of standards for the processing of such information. Unlike the Data Protection Act 1984, the 1998 Act covers data held in manual files as well as computer files.
The National Library of Wales needs to keep certain information about its employees, suppliers, contractors and users of its facilities and services, to enable it, for example, to monitor and record progress and regulate the use of its facilities. It also needs to process information so that staff can be paid, courses organised, financial records maintained, and the requirements of government and funding bodies satisfied. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this the Library must comply with the Data Protection Principles that are set out in the Data Protection Act 1998. In summary these state that Personal Data shall be:
Library staff and all others who process or use any personal information must ensure that they follow these principles at all times. This policy is a statement of the measures which the Library has adopted to ensure that it is able to comply with the requirements of the Data Protection Act 1998.
1. The Data Protection Officer and the Departmental Coordinators
1.1 The National Library of Wales, as a corporate body, is the Data Controller under the Act and the Library's Council, as the governing body of the Library, is ultimately responsible for implementation. However, each Department has appointed Departmental Data Protection Coordinators, to whom, in the first instance, internal enquiries relating to the holding of personal data should be referred.
1.2 The Library's Data Protection Officer (DPO), who is the named contact with the Information Commissioner, is Dr Aled Gruffydd Jones, Chief Executive and Librarian, telephone 01970 632805, e-mail address: firstname.lastname@example.org. The Rights and Information Manager will be the Deputy Data Protection Officer. The DPO will ensure that the Library's Data Protection Registration is kept up to date, based on information received from the Departmental Data Protection Coordinators.
1.3 The DPO is responsible for keeping the policy up to date with the assistance of the Information Compliance Committee, an internal committee established to implement the requirements of the Act. The DPO is also responsible for producing an annual report on data protection implementation within the Library.
1.4 Each Data Protection Coordinator is responsible for ensuring that the personal data held by their department is kept securely and used properly, within the terms of the Act. They are also responsible for informing the Data Protection Officer of the types of personal data held in their department, and of any changes or subsequently acquired personal data.
2. Notification of Data Held and Processed
2.1 All staff and users are entitled to:
2.2 The Library will therefore prepare and make available a statement of the types of personal data that it holds and processes and the reasons why that data is held. The Library's Data Protection pages on the website will include a link to the Library's entry in the Data Protection Register that details this information.
3. Staff Guidelines for Data Protection
3.1 It is the responsibility of each individual member of staff to:
3.2 All staff should ensure that any personal data that they control is included in the Library's registration. That includes personal data for such purposes as research, personnel records etc. Every Departmental Data Protection Coordinator will have copies of the Library's registration details and should be consulted if a member of staff has doubts about personal data that the member of staff controls. Staff have obligations as well as rights under the Act and the Library's Data Protection Policy.
3.3 Personal names, Library telephone numbers and e-mail addresses may be published on the Library's website unless the individual concerned indicates to the Data Protection Officer that they do not wish their personal details to be disseminated in this way. Those responsible for producing the Library's website will be responsible for ensuring that individuals named on the site have not declined permission.
3.4 Staff whose responsibilities include the supervision of temporary placements e.g. students on work experience, student placement schemes, etc, have a duty to ensure that the eight principles of the Act are observed at all times.
3.5 Staff should ensure that they are familiar with the Library's Data Protection Policy. Any breach of the Data Protection Policy, whether deliberate or through negligence, may lead to disciplinary action being taken, or access to Library facilities being withdrawn, or even criminal prosecution.
3.6 Timely training will be provided for all front-line staff. Other members of staff who wish to know more about the Data Protection Act should contact the Library's Training Officer to arrange appropriate training as well as visiting the Information Commissioner's website at www.ico.gov.uk for more general information. The induction training given to all new members of staff will include awareness of the Data Protection Act 1998.
4. Data Security
4.1 All staff are responsible for ensuring that:
4.2 It is Library policy that unauthorised disclosure is a valid reason for disciplinary action and may be considered gross misconduct which could lead to dismissal.
4.3 Incoming and internal mail
Items which are marked 'Personal' or 'Private and Confidential' or which appear to be of a personal nature, should only be opened by the addressee, unless other specific arrangements have been agreed. Unless mail items are marked in this way they will be considered not to contain confidential information, as designated by the Data Protection Act 1998.
4.4 Departmental Coordinators
Each Departmental Coordinator is responsible for ensuring that appropriate technical and organisational measures are taken within their department to ensure against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, such data. They are also responsible for keeping the Data Protection Officer informed of changes in the collection, use and security of personal data in their department.
5. Obligations of Library Users
5.1 Library users must ensure that all personal data supplied to the Library is accurate and up-to-date. They must ensure that the Library is notified of changes of address, etc.
5.2 Users who are undertaking research which involves handling personal data must ensure that:
6. Subject Consent to Processing Sensitive Information
6.1 In many cases the Library can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained.
6.2 The Library's contracts of employment make it clear that acceptance of the contract signifies the granting of consent for the processing of the personal data listed in the document referred to in 2.2 above.
6.3 The consent of staff employed before this Policy is implemented is assumed. Agreement to the Library processing specific classes of personal data is a condition of employment for staff.
6.4 Individual users signify during the registration process their consent to the processing of the personal data listed in the document referred to in 2.2 above.
6.5 Some Library posts and training opportunities will bring employees into contact with children and the Library has a duty under The Children Act 1989 and other enactments to ensure that staff are suitable for the job. The Library also has a duty of care to all staff and users and must therefore make sure that employees and those who use Library facilities do not pose a threat or danger to other users.
6.6 The Library may ask for information about a person's health or particular health needs for use in the event of a medical emergency. The Library may also ask for information about a person's criminal convictions, race, gender and family details. This is to ensure that the Library is a safe working environment, or to operate other Library policies such as sick pay policy or equal opportunities policy.
6.7 Because this information is considered sensitive, all prospective staff will be asked to give signed Consent to Process regarding particular types of information when an offer of employment is made. Offers of employment may be withdrawn if an individual refuses to consent to this, without good reason. Please refer to the document entitled ‘Statement concerning the processing of Sensitive Data’ for further information.
7. Bequests, Donations, Purchases and Deposits
7.1 In the case of bequests, donations and purchases, ownership of the items in question passes to the Library, and unless there is explicit provision to the contrary, the Library becomes the Data Controller with primary responsibility for compliance with the Data Protection Act 1998.
7.2 In the case of deposits from external sources, whereby custody passes to the Library but ownership remains with the depositor, the Library will act as Data Processor, provided a contract has been signed as required by the 1998 Act leaving the depositor as Data Controller, unless there is explicit provision to the contrary.
7.3 All depositors must have a clear understanding of their continuing interest in the records. This will be clearly stipulated in the deposit agreement or in amendments to existing agreements.
8. Publication of Library Information
8.1 The Library produces and maintains a guide to the information that it holds and which is publicly available (the ‘Publication Scheme’) in accordance with the requirements of the Freedom of Information Act 2000.
8.2 Personal Data that is already in the public domain is not exempt from the Data Protection Act and must be processed in accordance with the requirements of the Act.
8.3 The following information relating to persons associated with the Library may be made available to the public (as part of the Library’s Publication Scheme or otherwise):
8.4 The Library's internal phone list will not be a public document.
8.5 Any individual having good reason for wishing personal details normally contained in these lists to remain confidential should contact their Departmental Data Protection Coordinator and the Data Protection Officer.
9. Rights to Access Information
9.1 Staff and users of Library facilities have the right to access any personal data that is being held about them in any format subject to certain exemptions in Schedule 2 of the Data Protection Act 1998.
9.2 Any person who wishes to exercise this right should make their request in writing, using the Library's Subject Access Request Form (an electronic version of the form can be downloaded from here), and send it (using registered post) to the Data Protection Officer.
9.3 The form must be accompanied by the sum of £10.00 which is the Library's administration charge for this service. The fee is non-refundable. The receipt of a request form will be acknowledged by the Library. The Data Protection Officer will require documents from the individual to establish his/her identity and confirm his/her address as well as details as to where they believe the requested information is held.
9.4 The Library aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 calendar days unless there is good reason for the delay. In such cases the reason for delay will be explained in writing to the data subject making the request.
10. Retention of Data
10.1 The Library will need to keep some forms of information for longer than others, in line with Financial, Legal or Archival requirements. A full list of retention periods is available from the Data Protection Officer.
11. Research Purposes Exemption
11.1 Records of questionnaires and contacts may be kept in line with the Library's Records Management Policy in order that the data can be revisited and / or re-analysed.
12.1 Compliance with the 1998 Act is the responsibility of all Library staff.
12.2 Any breach of the Data Protection Policy, whether deliberate or through negligence, may lead to disciplinary action being taken, or access to Library facilities being withdrawn, or even criminal prosecution.
12.3 Any questions or concerns about the interpretation or operation of the policy should be addressed to Dr Aled Gruffydd Jones, Chief Executive and Librarian, telephone 01970 632801, e-mail address: email@example.com who has overall responsibility for Data Protection at the Library.