Report from the IRMS Midlands Group Meeting on 14 July 2017 in Birmingham
By Sarah Rudge, Manager Information Assurance, Ofqual, and Amy Cawood, Senior Officer Information Assurance, Ofqual
It is great to see the Midlands Branch fully up and running again after a bit of a quiet time – thanks to Jaana Pinnick and Jane Proffitt for taking the lead. This was an excellent event of two halves – focusing first on the looming General Data Protection Regulation (GDPR) and then on digital preservation and continuity. And as always, it was a great opportunity for members to get together and network over a hearty lunch, kindly made possible through the day’s sponsor, Automated Intelligence.
Melody Allsebrook: Getting to grips with the General Data Protection Regulation (GDPR)
Melody Allsebrook took us through the morning, focusing on all things GDPR and getting ready for 25 May 2018. Melody’s sessions were supported by a demonstration of Automated Intelligence’s AI.DATALIFT tool, which can help organisations comply with the GDPR. As she said at the beginning, this is the biggest change to data protection law in nearly 20 years, so there is a lot for us all to do.
Melody took us all through the key changes to the legislation and what we all need to be thinking about as information and records management practitioners. She talked about the new definition of personal data and the new Principles for processing personal data – what has changed and what is more or less the same as under the current Data Protection Act 1998 (DPA). We also learned about the role of the Data Protection Officer (DPO) and the circumstances in which having a DPO is mandatory.
Relying on the consent of the data subject led to some interesting discussion, and I think most of us in the room were trying to work out what our lawful basis for processing might be and the circumstances in which it might be different. Melody made it quite clear – we need to be clear about this!
Then following on from the lawful basis for processing is how we communicate that to the data subject and the importance of providing clear and accessible information to people about how we will use their personal data. We need to make sure that we have privacy notices (fair processing notices or whatever you want to call them) in place that are concise, transparent, accessible and clear. Plenty of work for many of us on that front, I’m sure!
We talked about contracts and working with third parties too – the GDPR means there will be changes to our existing and future contracts with suppliers. Data processors now have direct obligations under the regulation, and joint data controller relationships are formalised. In practice, this means our contracts with existing suppliers need to be reviewed and revised to ensure they are GDPR compliant, and new contracts will need the right clauses to be compliant too.
We talked about the new fining regime too… It is not just about data loss and incidents anymore; it is about breaches of the regulation too.
A key theme from Melody’s sessions was the new Accountability principle – being able to prove we are complying with the GDPR and having the evidence in place and ready, should the supervisory authority – the Information Commissioner’s Office (ICO) – come calling. We need to be able to prove that we are doing the right thing and to demonstrate compliance. So it is vital that we get a good handle on what personal data we have, why we have it, how and why it is processed, and how it is protected. A lot of time and effort needs to be invested, first in this mapping and then in developing and writing the policies, principles and tools that govern the processing.
So now is the right time to be looking at our current data protection policies and procedures, our information asset register, our retention schedules, privacy notices and breach reporting. And then there are the Data Protection Impact Assessments (DPIAs), which are not only a really helpful tool to help us identify what new or additional controls we might need to put in place, but also another part of the puzzle – another piece of evidence to demonstrate compliance with the GDPR.
So this was a really interesting session, the only downside being that I now have an even longer ‘to do’ list! I had better get cracking… 25 May 2018 doesn’t seem that far away!
Sharon McMeekin: Introduction to Digital Preservation
Another hot topic for records and information managers is that of digital preservation, so the group was pleased to welcome Sharon McMeekin from the Digital Preservation Coalition (DPC), who gave a stimulating introduction to all things digital.
Sharon began by outlining the key differences in approach required for the preservation of traditional records and digital objects. Traditional records are fairly robust and can withstand long periods of benign neglect while remaining accessible and readable to us. Digital material, on the other hand, is far less forgiving: it is ephemeral in nature, prone to obsolescence, and requires both software and hardware in order for us to make sense of it. Preserving digital records is both complex and immensely rewarding, but it is also vital if we are to function as a society and to document our cultural heritage.
Sharon introduced three of the most common models for digital preservation: the three-legged stool, the DCC life-cycle model and the Open Archival Information System (OAIS). These can be used to provide a framework or visualisation for the implementation of a functional digital preservation programme. Although complex, the OAIS model provides much of the basic technical language used to describe the processes surrounding the preservation of digital objects.
The second part of Sharon’s presentation looked at the first steps to take as part of a preservation project. This included deciding which preservation approach to take – bit-level, migration, emulation, hardware preservation, virtualisation etc. – and the risks associated with doing nothing. Digital objects can suffer from media obsolescence, media failure (unsightly bit-rot) and disaster (fire, flood, even cosmic rays!), and we might not be aware of these taking place until it is too late.
So what can we do? Sharon suggested that we keep more than one copy, preferably in different locations; refresh storage media regularly; and integrity check the data (also called “fixity”), which involves the use of checksums and integrity-checking tools. Above all, take time to make sure we understand what we have in our collections, assess the risks, plan and then take action to preserve. Create a digital asset register; find out the quantity and size of the files and the range of different formats; ask whether the material contains personal data or is a dynamic or multimedia file. Finally, look at the range of storage options, from hard disk and magnetic tape to the Cloud.
Sharon finished by recommending a range of resources to help and the services of the DPC.
Jaana Pinnick: Planning Digital Preservation for Geological Time Scale
As if that was not enough to think about, Jaana Pinnick concluded the afternoon with a case study on planning digital preservation for geological time scale – no mean feat! The National Geoscience Data Centre (NGDC) is an approved place of deposit for physical records, but not for digital records; however, there is an imperative to ensure digital records are retained in perpetuity. Jaana described the scale of the project she and her team have embarked on to map the digital records they hold and to fulfil the NGDC’s ambition to maintain the long-term reusability and accessibility of born-digital and digitised geoscience data objects. Geoscience data comprises a wide range of data types and formats and is used by many different stakeholders for a staggering variety of purposes, from building and surveying to mining and insurance. There are issues with the scale and resolution of the datasets and the variety of data structures and granularity at which the data are processed; on top of this are the complexities of file formats, proprietary data and data that is constantly changing.
Jaana talked about her MSc case study, “Exploring digital preservation requirements: a case study from the National Geoscience Data Centre”. The key concern for geoscience data is not just its long validity (geoscience data can go back millennia), but also its uniqueness. Loss of this irreplaceable data could be catastrophic. But where to start? Jaana’s study has already identified the key challenges to overcome: legacy data, changing semantics and scientific vocabularies over the years, and simply identifying what is worth keeping from the vast quantities of “big data”. In addition, there are the problems and vagaries of funding and a shortage of skills in the area of digital preservation.
Jaana’s recommendations include defining and agreeing digital preservation objectives and continuity requirements, raising awareness, and collaborating with best-practice providers in digital preservation (the DPC amongst others). The next steps for the NGDC are to develop a business case, create a digital asset register, carry out a capability and maturity assessment, and embed digital preservation into the daily routines of the archive. This will build on the NGDC’s submission for the Data Seal of Approval Trusted Repository Core Certification; the writing of that submission has already provided the archive with an internal self-assessment and will help to benchmark it against other repositories and to determine the strengths and weaknesses of the NGDC repository.
Jaana has made a brilliant start to the digital preservation programme at the NGDC and appears undaunted by what seems, to me at least, a gargantuan amount of work ahead. Congratulations to her on the successful completion of her MSc, and we look forward very much to hearing about the next phases of the NGDC digital preservation programme.
NB: The presentations are available on the Midlands Group page under the Pages tab.