Last week, the trainees had our first official training visit together! We were greeted at the gates by the Pembroke Graduate Trainee, and the College Librarian, who joked that she could tell we were the library trainees because we were all so punctual (not to mention the bookish pins on our lanyards–it’s called fashion, darling). She delivered us safely to the wonderful Archivist, who had prepared an illuminating presentation about the importance of GDPR in library and archive work.
GDPR stands for ‘general data protection regulation’, and it basically addresses the ways in which data is gathered, used, stored, processed and deleted by institutions like the various colleges and companies we library trainees work for. Turns out, we have quite a significant responsibility as library workers, because a huge part of the job is processing and holding data about e.g. library users, donors, people whose personal items form part of archives. And the rules around how we use this data is not as straightforward as it might seem. The archivist gave us some thought-provoking scenarios specific to libraries and archives, such as whether it is okay to share a user’s borrowing history; the short answer is NO, definitely not, because this information can point towards more personal, protected data about an individual. She also introduced us to certain exemptions from GDPR regulations which are afforded to archives, such as data retention, even sometimes in the case of deletion requests, because such records are kept in the public interest. They might be historically significant, linked to the will of the individual, useful for education or commerce etc. The discussion really opened my eyes to how much responsibility an archivist holds; they are the guardians of people’s memories and histories–even if such memories are sometimes deeply personal, problematic or embarrassing.
Another part of the conversation I found especially useful was focused on situations in which data falls into the wrong hands. Data breaches can range from accidentally sending an email to the wrong person to a full-on data hack; big institutions like Amazon have paid millions due to large-scale data breaches, thanks to recent legislation which makes financial punishment proportional to the size of the company. Because these situations can be so nuanced it takes some careful judgement to know how to deal with each situation. In any case, though, the safest thing to do is to contact the Information Commissioner’s Office for advice. (Here’s hoping we trainees won’t have to do anything that serious! But it’s important to know what to do just in case).
After some tea and biscuits, and a look at some Pembroke archive items (including a matriculation photo featuring the well-known alum, Tom Hiddleston!), our conversation continued. Some good housekeeping tips we learned included simple things like keeping a tidy desk, being aware of who can see your computer screen, and turning it off when you aren’t at your desk. Also, checking email addresses are correct, not sharing passwords and familiarising yourself with any data policies your workplace has are good things to practice. One of the most useful takeaways for me was the archivist’s suggestion to imagine that the data in front of you is your own; how would you want it to be treated? There is a lot of logic and common sense behind GDPR regulations, but there are always pitfalls and blind spots which it can’t hurt to prepare for!