Is the content I’m sharing online data protection compliant?

Whatever the aims, if you are sharing personal data online, you need to comply with data protection laws. This guide by Dr Kit Good takes you through the key things you need to consider when sharing personal data online.


A website or social media account is an essential channel for the promotion of your organisation’s aims and activities.


[Diagram: Mapping to the UK GDPR – the process for checking whether the content you are sharing online is data protection compliant, from definitions, through the data protection principles, to individuals’ rights. Each step of the process is set out in detail below.]


1. Know your data

Are you posting ‘personal data’?

Personal data is defined in data protection law as “information relating to an identified or identifiable living natural person.” Beyond obvious identifiers such as a name or contact details, you may hold other information that could identify an individual directly, or in combination with other data. Some examples are:

  • Name
  • Photographic image
  • Biographic information (date and place of birth, school or occupation)
  • Postal / Email address
  • Car registration
  • Bank / Credit Card details
  • Payslip
  • Passport or Driving Licence
  • Completed membership form
  • Record of donations

If you are posting personal data online you are, in data protection terms, ‘processing personal data.’ ‘Processing’ relates to any activity you carry out in regard to personal data, from collection through storage and analysis to deletion.

Are you a ‘data controller’?

If your organisation is processing personal data for the purposes of managing staff, working with volunteers or supporting individuals then it is a ‘data controller’ under data protection law, with a range of defined legal responsibilities.

A data controller:

  • decides what personal data they are collecting (e.g. name, email address or bank details and home address)
  • decides what purposes they are going to use the personal data for (e.g. keeping supporters updated with regular newsletters or paying staff salaries)
  • is responsible for managing the personal data in compliance with the law (e.g. keeping it secure, publishing a privacy notice)

In most cases you will need to register with the Information Commissioner’s Office (ICO) and can self-assess this requirement on their website: https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/


2. Know your high risk data

Are you posting ‘special category’ or ‘criminal convictions’ data?

Certain types of personal data are considered to be more sensitive and carry greater risk. If you are posting data about individuals that falls into any of the following areas, defined as ‘special category data’, then extra consideration is required.

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • data concerning health
  • data concerning a person’s sex life or sexual orientation
  • genetic data or biometric data

If you are posting data relating to criminal convictions, then other data protection requirements come into play. We will look at these in the next section.


3. Have a good reason

What is our legal basis for processing personal data?

If you are processing any personal data, you need to have a good reason. In data protection law there are six legal bases for processing:

  • The individual has consented to the processing
  • The processing is necessary for a contract to which the individual is a party
  • Your organisation has a legal obligation to process the data, perhaps under charity law or the National Heritage Act 1983
  • Your organisation needs to process data to protect the vital interests of an individual
  • Your organisation is a public authority and needs to process the data as part of its powers established in law (‘public task’)
  • Your organisation has a legitimate interest in processing the data, balanced against the rights and freedoms of the individual

What are the most appropriate legal bases for posting information online?

Legal obligation or public task

There may be certain information related to Trustees or Senior staff in your organisation that might need to be added to a website or published in an annual report. This is likely to fit under ‘legal obligation’ or ‘public task’ as legal basis, depending on the nature of your heritage or charitable organisation.

Example – legal obligation legal basis

The Museum of Musical Instruments is a registered charity. As a charity, it has a legal obligation to publish an annual report with the names of its Trustees. The legal basis for this processing is ‘legal obligation.’


EXAMPLE – public authority / public task legal basis

The National Museum of Dance is a public authority under the Freedom of Information Act. It manages details of the dancers represented in its collection and posts these (e.g. “Joan Smith, London, 1962- ”) on its website and social media accounts. This data processing comes under the legal basis of its public task as a cultural institution to develop and expand public access to its collection.


Consent

If your reason for posting data online is that an individual has said “yes you can post this online,” then you are using consent as your legal basis. There are, however, several caveats to ensure that the consent is valid.

The ICO states that “genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.” In order to make that consent valid, it needs to be:

  • a clear affirmative action: an “opt-in” rather than “opt-out”
  • fully informed: people need to know what they are opting into, who will be storing their data and how
  • freely given: there should be no power imbalance or implied pressure to provide the consent. The consent should be as easy to retract as it is to provide.
  • must be recorded: the organisation should retain a record of the consent

Example – invalid consent

The Museum of Musical Instruments is doing a vox pop of people queueing to enter. The member of staff conducting the survey says that everyone will be interviewed and that their name, where they travelled from and why they came will be added to the Museum’s Facebook page.

He states that if they don’t want to be included, they can opt-out at the front desk by asking for the manager. Everyone who has been coming to the museum has been doing this, he says, as he completes the interviews and leaves, preparing to post them to the page.


Example – valid consent

The Museum of Musical Instruments advertises in advance on its website that it will conduct a vox pop of people queueing to enter on a particular Saturday. It adds a sign to the queue, explaining the exercise and how the data will be used.

The interviewer asks each member of the queue if they’d like to participate, giving them a fact sheet explaining how the data will be used and a form to sign consenting for the information to be used. The fact sheet includes information on how to ask for the details to be removed, which can be done with an email or direct message to the museum’s Facebook page.

The interviewer keeps the signed forms and the Museum stores them for the duration of the publicity, removing any entries from the page if the participants notify them in the interim.

Legitimate interest

For some online posts, ‘legitimate interests’ may be the correct legal basis. If you are taking group photos of an event or a wide shot of a busy museum to publish online, then obtaining consent from everyone pictured will not be practical. The legitimate interests of your organisation, such as promoting its collections or encouraging donations, always need to be balanced against the rights and freedoms of the individuals. The less privacy-intrusive the photo or video, the more the balance favours the legitimate interest.

What about ‘special category’ or criminal convictions data?

We have seen that certain types of data are defined in data protection law as high risk. In many cases you will not be considering posting this information online. If, in exceptional circumstances, you need to, you will require an additional legal basis to process this data. In some cases the data may have been manifestly made public by the data subject, such as a politician with well-known views and allegiances, or a campaigner for prison reform who spent time in prison and commonly draws on that experience. For ‘special category’ and criminal convictions data, however, the following is most likely to apply.

Explicit consent

There is a high threshold for consent in any context, but for special category data the ICO requires ‘explicit consent’: it must be confirmed in a clear statement, specify the nature of the special category data, and be separate from any other consents you are seeking.

Example – valid explicit consent

The Museum of Musical Instruments’ interviews include a participant who refers to a health condition in their response. The interviewer explains that including the health data in the transcription of their interview on the website is different from the usual content, and double-checks that the interviewee is happy, asking them to confirm this in writing on the existing form.


4. Keep it in scope, relevant and accurate

Are we only using the data for its agreed purpose?

Data collected for an online post should only be used for its agreed purpose. If you are planning to re-use and re-post the data, this information must be provided to the individual at the point of collection.

If you are reusing their data to post other information online and individuals are not aware of this, you may need to contact them, as follows:

  • if consent was your legal basis, re-obtain their consent;
  • if public task, legal obligation or legitimate interests was your legal basis, notify them of what you are intending to do with an updated privacy notice.

Example – purpose limitation

The National Museum of Dance wants to take and post some photos of a fundraising reception. It has provided information to its attendees that its legal basis for the photos is legitimate interests in promoting the reception. As they may wish to re-use the photos in further promotional material, they have also included this in the privacy notice to avoid having to re-contact attendees.

Is the data we are collecting relevant to the purpose?

Posting data online needs careful consideration and you need to avoid posting more than is necessary, which could impact on the privacy of the individual. If you are taking a photo of a participant or volunteer for online publication, you may wish to avoid a background with the individual’s home or other family members.

Example – data minimisation

The National Museum of Dance is working on captions for its reception photos. The photographer initially writes ‘One of our donors John with Seema (his wife) and Rachel from the collections team at the reception’ but redrafts as ‘Attendees at our reception.’

Is the data accurate?

If your organisation is posting personal information online there is an obligation to ensure it is accurate. The impact of inaccurate posts can range from simple annoyance to demonstrable damage and distress. Any inaccuracies should be rectified as soon as possible.


5. Take it down when you’re done

How long do I keep the information posted online?

A social media or website post of personal information does not need to remain publicly available forever. You may wish to manage the amount of personal data on your website or periodically tidy your social media posts. Some information may have a legal retention period, such as the annual report or accounts, or may be kept permanently, such as an entry in a collection catalogue. For other data, such as promotional posts containing personal data, you should decide on a reasonable period after which the data will be removed from your site or feed.

Example – storage limitation

The National Museum of Dance website only displays accounts or photos from its events for the past two years. All pages are periodically reviewed and older posts are deleted. This approach is stated in its privacy notice.


6. Keep it safe

How do I keep the data secure?

When managing personal information on your website or social media feed you should ensure that the data is kept secure. Websites should have robust security protections such as firewalls, regular penetration testing and up-to-date software. Organisational social media accounts should have strong, unique passwords to prevent account compromise. Staff who access personal data and post it online should be trained in data protection and IT security principles. Further guidance from the ICO can be found at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/


7. Be accountable

How do I demonstrate we are compliant?

If there is a complaint or a data breach and the ICO decides to investigate, you need to be able to document your legal position and decision-making around personal data. Check the ICO accountability framework at https://ico.org.uk/for-organisations/accountability-framework/ for further information.


8. Tell people what you are doing

How do I let people know how we process their data?

Organisations are required to be transparent about how they process the personal data they collect. This is most commonly achieved by publishing a privacy notice. A privacy notice explains who the ‘data controller’ is, what data is collected and for what purpose, what the legal basis is, what data might be shared, and contact details to find out more. Your organisation may find it easier to separate the notice into categories such as staff, volunteers, or individuals featured in online posts and publications. You can find further ICO guidance at the following link: https://ico.org.uk/for-organisations/accountability-framework/transparency/


9. Let people find out more

How do I ensure I respect the rights of individuals?

Individuals have a number of rights under data protection law to find out more about how their personal data is processed. These rights have particular relevance for personal information posted online, and your organisation needs to be able to recognise these rights requests and act on them, in most cases, within 30 days. The key rights for information posted online are:

  • Right of access (or “Subject Access Request,” “SAR” or “DSAR”)
  • Right to rectification
  • Right to erasure (or “right to be forgotten”)
  • Right to object

Example – right of erasure

The Museum of Musical Instruments is contacted by one of its queue interviewees, who wishes to retract their consent to have their interview published on the website and the data deleted. The Museum agrees to the request and removes the information within 30 days.

For further information, see the ICO’s website at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/


10. Further information

This guidance is a summary based on the full texts of the UK GDPR and the Data Protection Act 2018. The Information Commissioner’s Office website www.ico.org.uk contains extensive guidance on all aspects of data protection law.

Published: 2022


Creative Commons Licence Except where noted and excluding company and organisation logos this work is shared under a Creative Commons Attribution 4.0 (CC BY 4.0) Licence

Please attribute as: "Is the content I’m sharing online data protection compliant? (2022) by Dr Kit Good, Naomi Korn Associates supported by The Heritage Fund, licensed under CC BY 4.0"
