Are you legal and ethical?

Dealing with GDPR

Since 2018, changes in the laws governing Data Protection have affected any organisation, individual or group collecting personal data. This guidance is an attempt to answer the many questions you have about GDPR and oral history.



Many of the ethical and legal practices already routinely used by oral historians, and those holding and providing public access to oral history data, ensure that they are largely compliant with the new data protection regulations.  

However, some changes and additional actions need to be taken, especially around the documentation of ‘informed consent’ and a need for greater vigilance around reviewing data prior to public access to oral history interviews (both onsite and online). These are summarised at the end of this document.

It is important to remind ourselves of our essential democratic mission as oral historians to document the past through first-hand personal testimonies and to enable these memories and stories to be validated, valued and heard, subject of course to the wishes of our interviewees. 

Disclaimer: This guide is intended as no more than guidance and does not constitute formal legal advice. If you need legal advice you should consult a solicitor. While every effort has been made to ensure the accuracy and currency of the information brought together here from a wide variety of sources and experience, neither the authors nor the Oral History Society can accept liability for any consequences which may result from the use of this information for any purpose. As this is a work-in-progress guide the author welcomes comments and queries.

What is General Data Protection Regulation (GDPR)?

GDPR is a regulation designed to strengthen and combine the existing data protection for all individuals within the European Union (EU). It replaces the Data Protection Directive 95/46/EC of 1995 (which the UK Data Protection Act 1998 was based on). The primary aim is to protect EU citizens from privacy and data breaches in an increasingly data-driven world. It came into effect on 25 May 2018 and will continue after the UK leaves the EU. The UK Data Protection Act 2018 embraces GDPR.

Who does GDPR apply to?

GDPR applies to any organisation, individual or group which collects personal data. This includes oral history projects, charities, community organisations, youth groups, libraries, museums, archives, educational organisations etc but also individual researchers, whether salaried, self-employed or voluntary. They are all deemed to be ‘data controllers’.

GDPR does not apply to personal data collected as part of purely private domestic, personal or family activity such as personal address books, letters and social networking.

What is personal data?

Personal data is anything that allows a living individual to be identified directly, or in combination with other information such as:

  • Name
  • Address
  • Phone number
  • Email address
  • What they look like
  • Where they live
  • What they do for a living
  • What they earn
  • What their relationship is with another person
  • What their hobbies are
  • What their opinions are
  • The opinions of others about them

As oral historians we collect much of this personal data about our interviewees, and additionally in a typical oral history interview there will be personal data about identifiable living third parties, referred to by the interviewee.

How should personal data be collected?

The organisation or individual collecting, storing and using (‘processing’) personal data needs to follow six basic principles:

  • The personal data should be processed lawfully, fairly and in a transparent manner in relation to individuals
  • The data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is considered compatible with the initial purposes
  • The data collected should be relevant and limited to what is necessary in relation to the purposes
  • The data should be accurate and, where appropriate, kept up to date
  • The data should be retained and stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. But personal data may be stored for longer periods if it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
  • The data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

What are the penalties for not following these principles?

Very severe. If there is a ‘personal data breach’ (defined as ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’), the Information Commissioner’s Office (ICO) needs to be informed within 72 hours. The ICO can impose fines proportionate to the annual turnover/income of the data controller for: the breach itself (depending on its severity), not informing the ICO of a breach, and not administering the breach correctly.

What rights do individuals now have over their own personal data?

Except where an exemption applies, and upon written request, an individual generally has a right to:

  • Be informed of what information you hold about them, why you hold it, who has access to it, how it is stored, and how it is used
  • Be provided with a copy of their data free of charge, and in machine readable form (known as a ‘Subject Access Request’: SAR)
  • Request that their data be corrected or completed
  • Request that you cease using their data in certain ways
  • Request that their data be erased (but only in certain circumstances – see below)

Individuals cannot be granted access to or be given a copy of data about themselves where doing so would unreasonably disclose the personal data of another person, for example, if it is contained in someone else’s interview which remains confidential and closed to public access. 

Can they ask that their data be deleted or removed?

Yes, but the right to erasure does not apply to personal data used for ‘archiving purposes in the public interest’ or for ‘scientific, historical or statistical purposes’.  So requests to delete archived oral history interviews or recordings being processed for historical research can be declined because the so-called ‘right to be forgotten’ (‘erasure’) does not normally apply to oral history interview material. 

Do archives and similar bodies have any other special rights or exemptions?

Yes, the activity of ‘Archiving in the Public Interest’ has several rights and exemptions under GDPR. Any organisation or individual which archives personal data ‘for purposes having public value beyond the immediate interests of the organisation itself’ is ‘archiving in the public interest’. The act of processing data to secure the permanent availability of recorded memory is more important than the type of organisation doing it.

Firstly, every instance of personal data processing must be justified with a ‘legal basis for processing’. For example, you may be using the personal data with the data subject’s consent, or under a contract or other licensing arrangement with the interviewee. Some organisations (such as national libraries, museums and galleries, universities, local libraries, regional archives, and some charities or commercial organisations providing similar services to government) may lawfully process personal data under the performance of their ‘public task’: ‘a specific task in the public interest that is set out in law’. It’s important to note that you only need one legal basis for each type of processing, so if processing personal data in a certain way (such as recording and storing oral histories) is part of your public task then you do not need to rely upon consent or any other condition.

Secondly, the processing of Special Category Data (previously called ‘sensitive personal data’: see below) also needs to be justified with a legal basis, one of which is ‘Archiving in the public interest’. This means that, for example, it is allowable to collect and even publish quite sensitive personal information as part of an oral history recording without further considering a legal basis, as long as such processing would not cause ‘substantial damage or distress’ to any person (see below).

Thirdly, the wider concept of ‘Archiving in the public interest’ under GDPR allows the long-term retention of personal data long after its original purpose has expired for the purpose of maintaining the historic record.

And finally, GDPR grants several exemptions from an individual’s normal rights (see above) where these would prevent or impair the activity of ‘archiving in the public interest’. Where data processing is for the purpose of ‘archiving in the public interest’ then the processing is exempt from:

  • The right to access and confirmation of processing (for example you do not have to search your entire archive in response to a Subject Access Request for ‘everything you hold about me’)
  • The right to rectification (for example you do not have to ‘correct’ a historical record, although you may wish to add commentary in the event of disputed material)
  • The right to restrict processing or object to processing (for example you do not have to suppress access to an archival recording upon request, unless the processing is causing ‘substantial damage or distress’ to one of the persons mentioned in it or related to it in some other way)

What sort of consent is required from interviewees about the storage and use of their personal data and interview recording?

It is important to recognise that the notion of ‘informed consent’ that has underpinned oral history ethical best practice (and much other research) is different from the GDPR definition of the term ‘consent’. Interviewees still need to be fully ‘informed’ about, agree to, and be able to withdraw from the process which they are participating in. This can be achieved by using a pre-interview participation agreement (see below).

Consent is only one of the legal bases available under GDPR to legitimise the processing of personal data, such as the making, storage and use of an oral history interview. You should be certain of your legal basis before beginning the interview, and the interviewee should be informed of the basis on which the recording is being made. Note that the legal basis that you choose to use determines which of the individual’s rights and which exemptions may apply to the activity.

You should also be aware that, when relying on consent for the publication or dissemination of an archive recording, you will also need the consent of every person who is identifiable from the interview, not just the interviewee, and this may be prohibitively difficult.

If you do choose to use consent as your legal basis, one of the key changes under GDPR is that consent to the use of personal data must be active (no pre-ticked boxes), clear, affirmative and distinguishable from other matters, and provided in an intelligible and easily accessible form, using clear and plain language. Consent needs to cover both the holding of personal data and its further processing (use).

OHS advice therefore (drawing on British Library policy) is that for the processing of personal data for archival purposes a data controller should normally rely on the legal basis of ‘the performance of a task carried out in the public interest’ where legally able to do so, or on ‘legitimate interests’ where they are not.

The processing of Special Category Data (previously called ‘sensitive personal data’: see below) requires an additional legal basis. For the processing of Special Category Data for archival purposes, a Data Controller should rely on Section 4(a) of Schedule 1 of the Data Protection Act 2018 – ‘necessary for archiving purposes… in the public interest’.

One of the characteristics of consent under GDPR is that it can be withdrawn at any time. If consent is withdrawn then you cannot substitute another legal basis to continue processing that data. This is why it is advisable to use one of the legal bases other than consent when creating material for a permanent historic archive, hence the OHS recommendation above.

Most organisations which publish personal data online (like the British Library) have a ‘Notice and Takedown Policy’ which provides for the withdrawal of online personal data. Third parties can also use such policies to request that material causing them ‘significant damage and distress’ (see below) be removed and redacted.

This means that two documents now need to be signed by interviewees:

  • An interview participation agreement completed before the interview begins which includes information about the aims and objectives of the project, what personal data will be collected, where it will be stored, how it will be used and the legal basis for its use, and how the interviewee can contact the project to access their data. If any of the data will be stored outside the EEA at any time (including, for example, future cloud storage) interviewees need to be informed about this as well. Where the organisation has a privacy and data storage policy this should be referred to in this document. The Oral History Society’s Privacy and Data Storage Policy is here. The British Library’s is here. Some oral history projects already use a separate consent form signed prior to the interview but not all. Some already use Information Sheets with which a participation agreement could be combined.
  • An interview recording agreement completed after the interview has been finished which covers copyright and access conditions. The current form routinely used by oral historians can continue largely as it is. The form is crucial as it provides interviewees with the opportunity to restrict or embargo all or part of the interview for a period of time. It also provides interviewers with the opportunity to recommend closures or redactions of parts of the interview which might be libellous or contain ‘sensitive personal data’ about third parties mentioned in the recording (see below), so as to prevent damage or distress. And it also clarifies copyright assignment.

What about children and younger people?

Where younger people are involved the age of legal competence for the use of personal data is 13 in the UK (or 12 in Scotland). OHS advice is to seek parental consent for children under the age of 16, in addition to the consent of the child where they are aged 13 or over. In the event of any conflict, the consent (or withdrawal of consent) of the child will take precedence.

What about all the consent forms which already exist for interviews in the archive?

It is not necessary to re-approach living interviewees where you have a consent form which meets the GDPR standard. The British Library has taken the view that its Copyright and Consent Forms and Recording Agreements signed prior to 25 May 2018 are sufficient as they demonstrate that the organisation informed participants in a fair and transparent manner about the ways in which their data would be collected and used for legitimate purposes in accordance with the data protection legislation that was applicable at the time that the form was signed. As a matter of course the BL always contacts interviewees before their recording goes online (even where copyright has been assigned and consent to publish is already in place). For deceased interviewees the issue becomes one of assessing third party sensitive data (which GDPR calls ‘special category data’), and ensuring copyright ownership is clear prior to publication.

What about oral history interviews which are already online?

There is no current guidance about this in GDPR. Organisations will have to weigh the risk of continuing to provide online access to recordings (which are already effectively in the public domain) versus the available resource to sensitivity check them against the revised GDPR guidelines and the negatives of removing recordings from public access. There is nothing in GDPR that requires materials to be removed from online access.

What is ‘special category data’ (previously called ‘sensitive personal data’)?

GDPR introduces new categories of sensitive personal data relating to identifiable living individuals, and regulates the use of this data where its public release is likely to cause ‘substantial damage and distress’ to those individuals.

Categories of special category data/sensitive personal data, with an example of each:

  • Religious/philosophical: An interview where an individual talks about the religious views and worshipping practices of their family.
  • Political: A recording where an individual comments on the political views and party membership of a former colleague.
  • Sexual/sexuality: An interview where an individual talks about his sexuality and personal relationship history.
  • Trade union activities: An interview where a former business owner complains about the activities of the trade union at his business and names union members.
  • Corporate or industry: An interview where an employee talks about the unpublicised financial difficulties of the private company they work for.
  • Illegal/criminal/bad behaviour/bullying/malpractice: An interview describes a former manager as a known bully, alleging that they were responsible for the departure of a number of employees.
  • Race or ethnicity related: An interview where an individual talks about the racial background of another individual without their knowledge.
  • War/violence/Northern Irish troubles/Colonial military activity: An interview where a number of named individuals are reported to have had an affiliation with the IRA.
  • Medical or health related: A recording where an individual talks about the mental health of a friend, the treatment they received and the medication they took.
  • Scurrilous content/gossip/rumours: An interview where an individual questions the paternity of a man based on a rumour that his mother had an extramarital affair.

What does ‘substantial damage and distress’ mean?

This is not defined by GDPR but the Information Commissioner’s Office (ICO) guideline defines it as:

  • Financial loss
  • Physical harm
  • A level of upset or emotional or mental pain that goes beyond annoyance, irritation, strong dislike, or a feeling that the data’s release is morally abhorrent

If an individual complained to the ICO that a data breach had occurred, the organisation making the data publicly available would need to show what due diligence steps they had taken to assess the material for sensitive personal data before its release. Ultimately, what ‘substantial damage and distress’ means can only be tested in court (for example it might be part of an individual’s case that they had been libelled).

What practical steps do oral historians and those providing public access to interview data therefore need to take?

We need to be more vigilant than previously to third party references in recorded interviews. Even if an interviewee has given consent to the use of their own personal data it might still not be possible to make their interview publicly available if it contains sensitive data about other living and identifiable people which might lead to those third parties suffering ‘substantial damage and distress’.

For new and on-going oral history projects all staff need to be made aware of the kinds of sensitive data that might exist in a typical interview and be encouraged to flag up any such occurrences. The original recording need not be changed in any way if it is only being archived and not accessed. But where any of these occurrences are deemed likely to cause ‘substantial damage and distress’ then those passages need to be embargoed and muted prior to any public access. The only exception to this would be where the identified third party could be contacted to approve public access. But this could be hugely time-consuming, impractical and is not recommended (see appendix on sensitivity reviews).

This assessment of interview content is not a major departure from current oral history practice. The key change is that the bar has been lowered about what is deemed ‘sensitive data’. Project staff thus need to be properly trained to identify such data, especially about identifiable third parties, and projects need to put in place procedures for assessing interviews before they are made publicly available.

In all cases it is vital that the original recording is not edited or redacted in any way, but that playback or publicly-accessible copies are generated and then passages muted, each redaction being carefully annotated on any content summaries and transcripts.

What about digitising older oral history interviews for online public access?

This poses a significant challenge as all interviews being made available need to be sensitivity-checked to ensure that they do not contain sensitive personal data likely to cause substantial damage and distress. Very few, if any, organisations have the resources to listen to every minute of every recording which they are planning to make publicly accessible, so will need to rely on what documentation exists to make an assessment. This might include content summaries of varying detail, transcripts, correspondence, and other project documentation.

At the British Library the oral history section has been evolving a methodology for sensitivity-checking interviews (see appendices) which comprises:

  • An overview assessment of each collection/project to identify particular sensitive content intrinsic to the interviews eg recordings with prostitutes. If content is assessed to be nil or low risk (eg public lectures on uncontroversial subjects) a sampling approach might be agreed
  • Word-searching all content summaries and transcripts for a lexicon of words and root-words likely to indicate sensitive content
  • Targeted listening to those sections containing these words to assess whether any might lead to a third party suffering substantial damage and distress
  • Classifying any sensitive data in order to measure risk (from none to very high)
  • Muting and redacting those sections prior to public access

Where no textual content documentation exists the BL is experimenting with using speech-to-text software to generate a text that can be searched.

In all cases the procedure and decision-making process needs to be carefully documented to show due diligence in the event of a complaint.

It is also worth noting that taking down an offending interview from a website in the event of a complaint, for example under a ‘Notice and Takedown Policy’ (see above), is no longer sufficient on its own.

What assumptions can be made about whether third parties mentioned in recorded interviews are still alive?

In the absence of other information if an individual is likely to be over 100 years old then it is assumed they are not living.

At the British Library an assumption about the age of an individual may be made if additional information is available. For instance if someone is described as a child, the context may indicate the approximate age of the child. For example, if they are in education of some kind, assume they are at least age 5.

If age is not given but the context makes it clear that the individual is an adult, it will be assumed they are aged at least 16 unless there is additional context narrowing down the possible age range. If someone is referred to as being elderly, it may be assumed they are aged 60 unless other information in the recording leads you to question this assumption.

As always these decisions should be well documented.

Can Creative Commons licenses be used alongside GDPR?

No, not in most cases. Creative Commons (CC) licenses are used by rights holders to allow third parties to re-use material in certain ways. There are a range of licenses, now widely used on the internet, which for example allow third parties to freely re-use images for non-commercial purposes providing they acknowledge the photographer (and his/her copyright). For a time the National Lottery Heritage Fund (then HLF) was requiring that oral history projects license their recordings online using one of two CC licenses: CC-BY-NC for clips and CC-BY-NC-ND for full interviews. This has now been dropped as a requirement.

The problem is that a CC license grants a user certain rights in relation to the material, but it does NOT remove the legal necessity for the third party user to carry out their own due diligence as a data controller under GDPR; such a license grants NO legal basis or rights to use that data under GDPR, which would have to be established separately.

To offer a CC license in relation to personal data in an oral history collection would therefore:

  • Imply that the archive/collection owner remains the data controller in relation to any use the third party user might make of it (on the basis that it is the data controller that has determined the form and purpose for processing) which risks expanding the archive’s/collection owner’s liability for any (mis)use of that data.
  • Lead the third party user to believe that they have rights to use that data which under law they do not, and therefore potentially also expose them to liability.
  • Be unfair to the interviewee (data subject) as CC licensing would represent incompatible further processing, and therefore an actionable breach of GDPR/Data Protection Act 2018.

In data protection terms, the archive/collection holder’s responsibility as data controller in relation to personal data contained in their collections normally ‘ends’ at the point of publication or dissemination. Users who harvest personal data from those collections become data controllers in their own right, and must carry out their own due diligence to assure themselves that they have a legal basis under GDPR for making further use of that data. The British Library, for example, makes this clear in its transparency notice at:

In order to offer personal data such as contained within an oral history interview for use under a Creative Commons license the only legal basis which would suffice is the consent of the data subject, which can be withdrawn at any time and is therefore not recommended.

I’m working on an international oral history project involving partners in different countries. How can we all store and share personal data across legal boundaries and be compliant with GDPR?

The EU have developed a list of countries outside the EU which they regard as having ‘Data Protection Adequacy’. This list is available at

GDPR offers a variety of different ways in which personal data can be shared amongst partners on a national and international scale. In all cases a contract will be needed, referred to as a ‘Data Sharing Agreement’. The form that this takes will depend on the following factors:

  1. If all the parties involved are public bodies this can be recognised as a binding instrument between public bodies which can be drafted by either side.
  2. If a partner is located in an approved ‘adequate country’ then the ‘Data Sharing Agreement’ can be drafted by either party.
  3. If the partner is located in the USA and is signed up to ‘Privacy Shield’ then the ‘Data Sharing Agreement’ can be drafted by either party.
  4. For partners in any other country, or not meeting one of the above conditions, the relevant EU Model Clauses will need to be used. The right one will depend on the relationship between the partners. If they are equals in terms of decision-making ability in respect of the personal data then the ‘Controller to Controller’ set of clauses is appropriate. If the partner is following only pre-determined instructions then the ‘Controller to Processor’ clauses are suitable. It is important to note these EU Model Clauses cannot be amended or reduced in any way in order to be considered valid, however, parties may add additional clauses to them.

In the event of a no-deal Brexit this will change subtly as the UK will be considered a ‘third country’ for the purposes of data protection. The UK Government have confirmed that adequate countries and US Privacy Shield provisions will remain unchanged. In addition, the UK will consider the transfer of data into the EU as acceptable by means of adequacy. The binding instrument between public bodies will also remain unchanged. EU Model Clauses for ‘Controller to Controller’ will still be acceptable, although it is expected the UK will produce similar Model Clauses for use where the other country is not within the EU. The ‘Controller to Processor’ clauses, however, will only be suitable where the controller is located within the EU. It is not yet determined how an EU processor can lawfully share data back to a UK controller in this scenario.

For UK-based researchers collecting recordings overseas in non-EU legal domains some caution is required as some countries such as China and Vietnam are arguing that data collected in their countries needs to stay in their countries. It might be that UK researchers will need to put in place a means of ‘data mirroring’ – ensuring a full copy of their fieldwork data is deposited in the host country which is governed by local data protection legislation.

What do individual researchers collecting interviews, for example PhD students, have to do to comply with GDPR? What do they need to do during and after their fieldwork? What exemptions can they use?

During their active period of research, individual researchers should be using the legal basis of ‘legitimate interests’ (and ‘scientific/historical research’ for special category data). They will be able to avail themselves of the exemptions for ‘scientific and historical research purposes’ (GDPR Article 89(2)), which are functionally identical to those for ‘Archiving in the public interest’ (GDPR Article 89(3)). They still need adequate safeguards (such as signoff by an ethics committee) to prevent distress and damage caused by their research, but are exempt from most of the other GDPR rights. They also need to use a pre-interview Participation Agreement, indicating in this and in any other project information how/where they intend to archive/preserve their data.

The ‘Archiving in the Public Interest’ exemptions then kick in when the data is stored at the end of the research by either themselves or their institution, or transferred to another archive, as long as there is the intent that it be preserved for accessibility to future researchers.

Is an oral agreement to participate sufficient for those who are not able to read and/or sign a document?

Yes – all of the usual rules around reasonable adjustments for disability apply, so alternative methods of indicating and recording ethical agreement for those unable to write are encouraged. One way of doing this is to record the wording from the form orally, together with the individual’s oral agreement to that, as part of the audio interview. This weds their legal and ethical participation to the output of the activity.

Summary of key steps for compliance with GDPR

  1. Staff training: ensure oral history project staff are made aware of GDPR, and especially of the need to identify sensitive data in interviews for assessment prior to public access.
  2. Interview participation agreement: use a pre-interview form to explain to interviewees what the purpose of your project is, including how their data will be used (subject to their further agreement via the Interview Recording Agreement completed at the conclusion of the interview), and that you will be processing their data under the ‘archiving in the public interest’ exemption of GDPR.
  3. Retrospective digitisation of oral history interviews for public access: introduce procedures for sensitivity-checking recordings to ensure that no sensitive data likely to cause ‘substantial damage and distress’ is made publicly accessible.
  4. Document all procedures and decision-making: create systems to document consent procedures and access assessment.
  5. Ensure that all partner organisations also comply with GDPR: archives and repositories agreeing to accept oral history collections need to ensure that depositing organisations/projects have complied with GDPR. Projects need to ensure that receiving repositories do likewise. Each needs to ensure that personal data is handled securely with appropriate password-protected access to databases and other best-practice procedures laid out in GDPR.

Further reading and useful guidance

Information Commissioner’s Office [ICO], Guide to the General Data Protection Regulation (GDPR) is at [accessed August 2019]. This is much more accessible than the GDPR legislation itself at

International law firm Bird & Bird have produced a range of excellent materials on GDPR, including a comprehensive (and free) guide to the new regulation: –bird–guide-to-the-general-data-protection-regulation.pdf?la=en They have also divided the guide into separate sections, which you can selectively download here:

Archives and Records Association [ARA], Processing for archiving purposes in the public interest in accordance with the General Data Protection Regulation and the Data Protection Act: Criteria, May 2018.

The National Archives’ online resource ‘Archives and GDPR: frequently asked questions’ is at and has links to other resources on Data Protection more generally.


  1. Example of GDPR-compliant Interview Participation Agreement
  2. Example of GDPR-compliant Interview Recording Agreement
  3. Leaflet about copyright and deposit of oral history interviews at the British Library
  4. How to review oral history collections for sensitivity v2: British Library methodology (with appendices)
  5. Justifying oral history sound recordings under GDPR: a worked example

Authored by Rob Perks, Oral History, British Library, version 5.0 August 2019, e: rob.perks[@]

With thanks to: Jon Fryer, James Courthold and Amanda House (BL Data Protection), Mary Stewart, David Govier and Charlie Morgan (BL Oral History team), members of the Oral History Society Regional Network, and attendees of the ‘Introduction to the New Data Protection Legislation (GDPR) for Oral Historians’ workshops at the British Library.
