Data Protection Policy


The National Library of Wales (“The Library”) collects and uses information about people with whom it deals. These include employees past and present, contractors and suppliers as well as members of the public who use its facilities and services.

The Library regards the fair and lawful treatment of personal information as very important to its successful operation and to maintaining confidence between the Library and those people.

The Library is fully committed to compliance with the requirements of the Data Protection Act 1998 and related legislation and codes of conduct (“The Act”). The Act regulates the way it handles personal information which is collected in the course of its functions and gives certain rights to people whose personal information it may hold. The Library aims to ensure that all who have access to personal data held by it or on its behalf are fully aware of and abide by their duties and responsibilities under the Act.

This policy is a statement of the measures which the Library has adopted to ensure that it complies with the requirements of the Act.

Scope and definitions

The Data Protection Policy is relevant to all personal data that is obtained, held and used by the Library.

In this Policy, as in the Act itself, the following terms shall be defined as follows:

Personal Data

Data which relate to a living individual who can be identified

(a) from those data, or

(b) from those data and other information which is in the possession of, the data controller

and includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual

Sensitive Personal Data

Personal data consisting of information as to:

  • racial or ethnic origin;
  • political opinion;
  • religious or other beliefs;
  • trade union membership;
  • physical or mental health or condition;
  • sexual life;
  • criminal proceedings or convictions.

To control (personal data)

To determine the purposes for which and the manner in which any Personal Data are, or are to be, processed.

Data Controller

A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any Personal Data are, or are to be, processed.

To process (personal data)

To obtain, record or hold the information or data or carry out any operation or set of operations on the information or data.

Data processor

Any person (other than an employee of the data controller) who processes the personal data on behalf of the Data Controller.

The Principles of Data Protection

The Act stipulates that anyone processing personal data must comply with Eight Principles of good practice. These Principles are legally enforceable.

The Principles require that Personal Data:

  1. shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met;
  2. shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;
  3. shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
  4. shall be accurate and where necessary, kept up to date;
  5. shall not be kept for longer than is necessary for that purpose or those purposes;
  6. shall be processed in accordance with the rights of data subjects under the Act;
  7. shall be kept secure i.e. protected by an appropriate degree of security;
  8. shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.

All members of Library staff must observe these Principles when processing Personal Data.

The Data Protection Officer

1.1 The National Library of Wales, as a corporate body, is the Data Controller under the Act and the Library’s Board of Trustees, as the governing body of the Library, is ultimately responsible for the implementation of the Act within the Library.

1.2 The Library’s Data Protection Officer (DPO), who is responsible for overseeing the Library’s compliance with the Act and is the named contact with the Information Commissioner, is Linda Tomos, Chief Executive and Librarian, telephone: 01970 632806, e-mail address: The Deputy Data Protection Officer is Carol Edwards,Governance Manager and Clerk to the Board, telephone: 01970 632923, e-mail

1.3 The DPO is responsible for immediately raising any serious breaches or risks of non-compliance with the Act with the Library’s Accounting Officer. The DPO is also, with the assistance of the Deputy DPO, responsible for keeping this Policy up to date, ensuring that the Library’s entry in the Data Protection Register (see 2.1) is updated regularly and for producing an annual report on data protection compliance within the Library.

1.4 The Director of Corporate Resources chairs the Information Compliance Committee. The Committee meets at least once a quarter to discuss relevant developments in law, the Library’s compliance with its requirements and any Subject Access Requests received.

1.5 Each Department has a Data Protection Coordinator who is a member of the Information Compliance Committee. Each Data Protection Coordinator has a leading role in ensuring that the Personal Data held by their department is stored securely and is used appropriately, in accordance with the requirements of the Act. They are also responsible for notifying the Deputy Data Protection Officer of the type of Personal Data held by their Department, and of any change or addition to the Personal Data that is processed by the department.

Notification of data held and processed

2.1 The Library will prepare and make available a statement of the types of personal data that it holds and processes and the reasons why that data is held. The Library’s Data Protection pages on the website will include a link to the Data Protection Public Register which contains further information on the types of data held by the Library and the purposes for which it is processed.

2.2 Under certain circumstances, usually relating to employment, the Library is required to process Sensitive Personal Data. Sensitive Personal Data will always be processed in accordance with the further conditions listed in the Act. More information may be found in the Statement concerning the processing of sensitive personal data.

Staff responsibilities: Processing Personal Data

3.1 All members of Library staff have a responsibility to ensure that the Data Protection Principles (listed above) are observed at all times.

3.2 Members of staff should ensure that they are familiar with the Library’s Data Protection Policy. Any breach of the Data Protection Policy, whether deliberate or through negligence, may lead to disciplinary action being taken, or access to Library facilities being withdrawn, or even criminal prosecution. Unauthorised disclosure is a valid reason for disciplinary action and may be considered gross misconduct which could lead to dismissal.

3.3 Members of staff should ensure that any Personal Data that they process is included in the Library’s registration in the Data Protection Public Register. The DPO or the Deputy DPO is to be informed of any processing of Personal Data carried out by, or on behalf of, the Library in order to ensure that the Information Commissioner’s Office has been notified.

3.4 All staff that supervise and collaborate with Data Processors (including volunteers, workers, students on work experience and external companies) have a duty to ensure that the requirements of Section 6 of this Policy have been met.

3.5 Although the Library has a dedicated form to complete when submitting a Subject Access Request, its completion by Data Subjects is not compulsory in order for the request to be valid (see section 7 of this Policy for more information on Subject Access Requests). Staff should give priority to any requests that may be regarded as Subject Access Requests and contact the DPO and/or Deputy DPO immediately.

3.6 Staff should ensure that the DPO and/or Deputy DPO have been notified of any proposed systems, documents or applications (such as spreadsheets or databases) that will be used to process Personal Data.

3.7 Managers should ensure that any guidelines, procedures or instructions given to staff are consistent with the Data Protection Principles and this Policy and that they are observed at all times.

3.8 Timely training will be provided for all staff that interact with the public on a regular basis and awareness sessions are held for all staff. There is a responsibility on managers to ensure that staff under their management are aware of their responsibilities under the Act. Managers and members of staff who wish to know more about the Data Protection Act and the Library’s Policy should contact the Library’s Training Officer to arrange appropriate training. The induction training given to all new members of staff will include awareness of the Act.

3.9 Staff should direct any internal enquiries relating to the processing of Personal Data to the Deputy DPO.

Staff responsibilities: Data security

4.1 It is a requirement of the Act that the Library processes Personal Data securely. All staff are responsible for ensuring that:

  • any Personal Data which they hold, whether in electronic or paper format, is kept, used, and, when appropriate, deleted securely at all times; and
  • personal information is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party.

4.2 The technical measures taken by the Library to ensure that information is processed securely is described in the Information Security Policy and related sub-policies and procedures.

4.3 Each Data Protection Co-ordinator has a leading role in ensuring that appropriate technical and organisational measures are taken within their departments to ensure against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, such data. They are also responsible for keeping the DPO or Deputy DPO informed of changes in the collection, use or deletion of personal data in their department.

Staff responsibilities as Data Subjects

5.1 In relation to their own Personal Data, each individual member of staff is responsible for

  • ensuring that any information provided by them in relation to their employment is accurate and up to date;
  • notifying the Human Resources Unit of any change to the information submitted by them e.g. change of address;
  • notifying the Human Resources Unit of any inaccuracies or alterations.

Data Processors

6.1 Data Processors must process Personal Data in accordance with the Library’s Data Protection Policy and the related procedures. It must be ensured that a Data Processing Agreement is signed where appropriate.

Rights of Data Subjects

7.1 All Data Subjects, which include members of staff as well as users, are entitled to:

  • know what Personal Data relating to them is held and processed by the Library and the reasons for doing so and receive a response within 40 calendar days (Subject Access Request);
  • prevent processing causing damage or distress;
  • prevent processing for direct marketing;
  • prevent automated decision making;
  • claim compensation for misuse of their Personal Data;
  • take action to deal with misuse or inaccuracies.

7.2 Any person who wishes to exercise the above rights are asked to submit a Subject Access Request in writing to the DPO. Individuals wishing to submit a Subject Access Request are requested to use the Library’s Subject Access Request Form which can be sent either as an e-mail attachment or by post (using recorded delivery) to the DPO.

7.3 The Library charges an administrative fee of £10.00 for the Subject Access service. This fee is non-refundable. Also, the DPO will require documents from the individual to establish his/her identity and confirm his/her address as well as details as to where they believe the requested information is held. To avoid any delay, the payment and this information should be submitted with the Subject Access Request Form. The receipt of the Form will be acknowledged by the Library.

7.4 The Library aims to comply with requests for access to Personal Data as quickly as possible, but will ensure that it is provided within 40 calendar days unless there is good reason for the delay. In such cases the reason for delay will be explained in writing to the Data Subject making the request.

Obligations of Library users

8.1 Library users should ensure that all personal data supplied to the Library is accurate and up-to-date, and notify the Library of any changes (e.g. their home address).

8.2 Users who handle Personal Data contained in the Library’s collections must adhere to clause 10.1 of this Policy.

Close Circuit Television (CCTV)

9.1 The Library uses close circuit cameras on the Library’s premises for the purpose of security and safety. The cameras are used in accordance with the Information Commissioner Office’s guidelines and more information about the Library’s use of close circuit cameras can be found in the CCTV Policy.

Personal data and the Library’s collections

10.1 The Act may apply to collections that contain information about people who may still be living (depending on the way in which the information has been structured). Users who use these collections must ensure that:

  • the subject of their research is informed of the nature of the research and has given consent to their Personal Data being used;
  • the Deputy DPO is informed of the proposed research prior to its commencement; and that
  • all information is kept securely.

10.2 In the case of bequests, donations and purchases, ownership of the items in question passes to the Library, and unless there is explicit provision to the contrary, the Library becomes the Data Controller with primary responsibility for compliance with the Act.

10.3 In the case of deposits, whereby custody passes to the Library but ownership remains with the depositor, the Library will act as Data Processor. A contract will be signed between the Library and the depositor stating that the depositor remains the Data Controller, unless there is explicit provision to the contrary.

10.4 All depositors must have a clear understanding of their continuing interest in the records. This will be clearly stipulated in the deposit agreement or in amendments to existing agreements.

Policy review

11.1 This Policy is reviewed every three years unless there is a change in the Act, the guidance published by the Information Commissioner’s Office or another specified reason for undertaking a review. The Information Compliance Committee shall oversee the review and amendments shall be approved by the Unions and the Executive Team.

Was this page useful?