Ensuring ethical best practice in data storage and management
1. What are ‘ethical considerations’?
Ethical considerations are an attempt to ensure that information about an individual is processed lawfully, fairly and in a transparent manner. This is an increasingly common concern as any area of cultural heritage may include personal, confidential and sensitive data which provides valuable historiographical or contextual information for understanding the past. Your organisation or project may also generate this content through correspondence with your online audience or site visitors.
The UK government guidance for public sector organisations on how to use data appropriately and responsibly, the Data Ethics Framework, sets out some key principles. They are good practice for any public organisation:
- Transparency: your actions, processes and data should be open to easy inspection.
- Accountability: there should be effective governance and oversight mechanisms in place.
- Fairness: your organisation’s actions and use of data should not have unintended discriminatory effects on individuals and social groups.
If you or your organisation has responsibility for managing any kind of personal data, whether it is associated with collections, photographic archives or from customer or visitor interactions, this also falls within the scope of the General Data Protection Regulation (GDPR) directive and the UK Data Protection Act 2018. It is important to note that data protection law does not forbid the storage of personal data but defines the safeguards to support it.
In its simplest form, this covers the information you hold about identifiable living persons (such as phone numbers and email addresses), sensitive information about a person (such as health data), but also more general sensitivities such as personal correspondence or financial transactions. It also covers the data you may generate in the field or through research. For example, pictures or videos of living persons (especially children), oral history or interviews all fall under the umbrella of sensitive or confidential data.
Most data can be stored and shared ethically and legally by employing common sense and transparent strategies that safeguard the individual. This may include redaction or anonymisation of content, or efforts to secure written and informed consent.
In this guide, our expert, Tim Evans of the Archaeology Data Service, will take you through the steps to building a knowledge base and workflows that will help you achieve best practice.
2. Establishing your requirements and responsibilities
Finding advice
First, find out if your organisation already has policies and guidance for data protection and ethics. If you have an HR department, they can advise on responsibilities and may offer starter information and an induction programme.
If a policy does not yet exist, or you want to improve your knowledge, there are many resources which can help. For example:
- This video from the Information Commissioner’s Office (ICO) provides a useful introduction. Watch ‘Data protection explained in three minutes’.
- The National Archives has an overview of UK GDPR requirements for archives, including links to the ICO Guide to GDPR, and ICO guidelines for various types of organisations such as local government and charities.
Understanding how this applies to your data
Once you have familiarised yourself with any existing policy and legislation, think about how this applies to your data. For a number of organisations this takes two forms. The first is the data you hold or process for the running of your organisation and services, such as the emails and phone numbers of data depositors, or lists for membership groups or publicity. The second is data you may be given or generate as part of your project or mission, such as the results of surveys or photographs of people or events.
Start by listing the types and content of data you hold or will hold in the future. In some cases, this will just be everyday business data such as emails of contacts and partners. In more complex cases, where you are generating or collecting digital content (such as photographs), you will need to start planning and thinking about the content itself.
First, assess if it is likely you will gather ‘special category personal data’, often referred to as sensitive personal data (such as a person’s ethnic origin, politics, beliefs, trade union membership, physical or mental health or genetic data). Such data may be a legitimate part of your research, but you must take steps to ensure it remains anonymous and cannot be traced back to a specific individual and that this individual is aware of the information they are providing and the safeguards you have in place.
Also consider if the data you’re collecting requires informed consent from the person recorded or depicted. For example, if you’re recording interviews or taking photos/videos of living people, especially children, you need consent from these individuals or their parents/guardians.
Sensitive data
It’s also wise to consider whether the information itself may be considered sensitive, offensive, or embarrassing to the author or subject. These require what are defined in the legislation as ‘safeguards’ which minimise any adverse impact (‘substantial damage or distress’) on living individuals. Although the legislation does not define this term further, it is commonly taken to cover financial loss or physical harm, or a level of emotional or mental pain that goes beyond annoyance or irritation.
Examples of sensitive data
- Interviews or oral history where libellous, derogatory, or inappropriate remarks are made about a person or group. Would the interviewee or the subject take offence at having this in the public domain?
- Financial data, especially where costs can be attributed to an individual or company. It is not uncommon for reports or diaries to contain the budget of a project and/or staff wages.
- Records of staff such as performance reviews, records of interviews and job applications and other personnel data.
- Personal correspondence, including emails or scans of letters.
- Project diaries where individuals may be identified and described in an unflattering manner.
- Skeletal or other burial data which can be linked to named individuals. This is increasingly common with the excavation of relatively modern (i.e. Victorian) burial sites due to infrastructure development. In these cases, bodies may still be in early stages of decomposition with grave markers clearly identifiable as the relative of a living person. Sensitivity around this type of data should be considered at all times.
- Material that would cause distress or embarrassment to a living individual. For example, ‘informal’ photographs or videos of individuals that do not provide any useful context or information (e.g. members of a project team sunbathing in swimwear, or social activities involving alcohol).
Finally, in the UK there is a ‘duty of confidentiality’ based in common law. Confidential data are data that are:
- given in confidence or have been agreed to be kept confidential between two parties (this need not be in writing)
- conditioned by factors such as ethical guidelines, legal requirements, or research-specific consent agreements, and
- not already in the public domain.
3. Case study: Archaeology Data Service – guidelines and workflows
The Archaeology Data Service (ADS) is an accredited digital repository (CoreTrustSeal) for archaeology and heritage data in the UK. Since 1996, the ADS has archived the outputs of research and commercial research, to hold in perpetuity and make accessible for public re-use and research.
The first ADS policy for dealing with sensitive data was developed in 2010 and was largely based on the report ‘Managing and sharing data: a best practice guide for researchers’ written by the UK Data Archive, University of Essex in 2009. Since then, there have been several significant developments which have affected policy and procedure:
- The UK Data Protection Act 2018 which refreshed the language of previous data legislation.
- The ADS taking on more staff, meaning more people that needed to understand ethical requirements.
- The ADS taking increased levels of data, and types of data, from all parts of the heritage landscape, resulting in more data to appraise.
Although the ADS is perhaps a single example, the steps taken, and processes implemented are relevant to medium or small organisations looking at the issue of ethics in their own workflows. Below we’ve outlined a number of practical steps based on experiences and case studies at the ADS.
Step 1: Ensure the responsibility for ethics is defined within your organisation
Many larger organisations may employ a Data Protection Officer (DPO) or have broader responsibilities covered by HR departments. At the ADS, although we benefit from the skills and knowledge of a university, the application of ethical considerations with “our data” is overseen by a single member of the management team. This has involved time for staff to attend training seminars/events and to read documentation online. Having a defined responsibility for ethics, even within a small organisation, means that it does not fall down the list of organisational priorities.
Step 2: Understand your data
Following the general advice in Section 2 above in this resource – ‘Establishing your requirements and responsibilities’ – creates a list of known risks or case studies that you and your team have spotted or expect to deal with.
Step 3: Create a basic policy
It is imperative that your leadership team starts developing and defining what your policy is for dealing with ethical considerations. Having a basic policy in place and knowing who is responsible for maintaining this and dealing with questions from the team is incredibly useful for catching most issues. It also integrates ethics into your organisational ethos.
The policy need not be complex – in the case of the ADS it simply defines what our ethical considerations are, and how we deal with them in practical terms. Regardless of whether you are accepting data, or creating it yourself, having a written policy removes any ambiguity for staff and external users/data providers. For example, at the ADS we insist that personal, confidential, and sensitive data is fully anonymised and is accompanied with written informed consent. If a breach or issue is detected and unresolved, then we will not take or hold the data.
Step 4: Plan for ethics
At the ADS, we are normally given data by a third party. Wherever possible, we encourage people to plan for all aspects of data management including ethics before they generate the actual data. For requirements such as informed consent, this includes tasks such as generating informed consent pro-forma/templates before the event. The ICO website has detailed guidance on what this should contain, including specific guidance on dealing with children and UK GDPR.
Step 5: Create a simple workflow for your team
We have developed simple checklists that cover the major ethical issues around the data we hold. These are implemented in appraisal and review stages, with a member of staff checking data for any material that contravenes existing policy, for example a picture of a child without written consent. It is important that the checklist is as simple as possible, does not need to link out to jargon or legislation, and can be used by new and old staff alike.
Step 6: Ensure time for review and training
The policy and workflows regarding ethics is not static. As the nature of digital data (and legislation) evolves it is important to build time for review of recent developments, and for these to be factored into updates of policy. Reviews are often undertaken once a year unless a pressing development requires immediate attention. Make sure there is enough time for the staff responsible for ethics to review these steps.
4. Training and awareness
Not all staff need to be expert in GDPR legislation, and it should be noted that requirements for compliance via lengthy and complex recordkeeping issued online is only relevant to organisations with more than 250 employees. That said, organisations of all sizes still need to comply.
A positive step is for the person with responsibility for this area is to review the ICO page on training and awareness, focusing on how to incorporate training and awareness into your organisation. Depending on the size of your organisation, a good starting point is to:
- discuss needs
- outline a basic training programme and
- set a timetable for review.
Please attribute as: "Ensuring ethical best practice in data storage and management (2022) by Tim Evans supported by The National Lottery Heritage Fund, licensed under CC BY 4.0