In one of those coincidences where the same subject crops up repeatedly in various guises, we held our “Museums and the Law” conference last Friday, which looked at trustees’ responsibilities across different aspects of running a museum, including managing information. Yesterday AIM also published this blog post on trustees’ responsibilities for data protection following the creation of a new Fundraising Regulator and the new General Data Protection Regulation, which will come into force in 2018 – https://aimuseums.wordpress.com/2017/03/13/data-protection-and-charities-the-new-general-data-protection-regulation-be-prepared/.
And as a timely reminder that it applies to all museums, big and small, we then came across this penalty notice, served by the Information Commissioner on a local history society for breaching data protection laws – https://ico.org.uk/media/action-weve-taken/mpns/1625357/mpn-historical-society-20161107.pdf. The society’s unencrypted laptop, containing personal data from an accession register, was stolen and is still unrecovered. In the Information Commissioner’s opinion, the society breached the Data Protection Act by failing to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against accidental loss of personal data. The history society was issued with a fine.
There is a wealth of information available online so that museums and governing bodies can ensure that they are compliant in discharging their responsibilities as trustees. Starting points for information include:
Advice on museums and the Data Protection Act, Collections Trust, http://collectionstrust.org.uk/collections-management/collections-information/protecting-maintaining-and-improving-information/
Data Protection Act, https://www.gov.uk/data-protection
NCVO Knowhow Nonprofit, https://knowhownonprofit.org/people/employment-law-and-hr/policies-and-templates/dataprotection