Derby City Council operates a very strict Data Protection policy in its libraries; it stipulates that volunteers have no access to the Library Management system. They are unable to view any personal data of Library members. Only paid Council employees can access the system.
On the 25th May 2018, the rules are being tightened even further by the General Data Protection Regulation (GDPR), and many organisations throughout the UK are having to review the level of consent that they have and are assessing whether it is GDPR compliant. Generally this will consider how the consent was obtained and whether it is “specific and informed”.
This means that the individual must know, explicitly, who is relying on the consent, including the names of 3rd parties, and the purposes for which the data will be used.
In the next few weeks, the first library, Sinfin, will be run by Direct Help and Advice, in conjunction with the Citizens Advice Bureau. They will be given open access to the Council’s Library Management System (LMS), which contains the personal details of all library users in Derby, Derbyshire and Nottingham. As the 10 Community Managed Libraries (CMLs) will, by definition, be run by volunteers, this presents a conundrum for the Council and their Data Protection policy.
By their own rules, none of the volunteers in the CMLs should be allowed access to the system that allows book-lending to take place. If they are, then this represents a change to the Council’s policy. Additionally, the Council will be sharing the data with external organisations. Both of these will breach the previous privacy notice that Library members signed; this implies, clearly, that the consent must be renewed.
The Information Commissioner’s Office guide to “Processing personal data fairly and lawfully (Principle 1)” states:
“…individuals should generally be able to choose whether or not their personal data is disclosed to another organisation. If your intention to disclose information in this way was not made absolutely clear at the outset, at a time when the individual had the option not to proceed in their business relationship with you, then you will usually have to get the individual’s consent before making such disclosures”.
With the fundamental change in the way that Libraries are operated (3rd party volunteer-led organisations) happening at the same time as the sharpening and tightening of the Data Protection regulations, it is incumbent on the Council to have assessed how this was going to be addressed and to advise the public. Thus far there is no evidence of any measures having been taken.
As a minimum there must be a programme to request renewal of consent from every library user, before access is granted to 3rd Party volunteers.
This is not a matter of choice, but a matter of legal compliance.
The fines for breach of data protection principles are severe and can be up to £20m or 4% of turnover, whichever is the higher. It is a risk. Is it a risk worth taking in order to continue with an unpopular policy which would, without doubt, breach Data Protection regulations?
Derby City Council was asked to comment on how it was addressing this issue – it declined to offer a response.