Introduction

Information professionals process personal data as part of their daily work. Examples include the maintenance of user registration and circulation records or management statistics on usage of the information service. In addition to the need to comply with data protection law, CILIP members also need to abide by CILIP's Ethical Framework (2018, see Appendix 2 for the full text of the framework). The framework states that ‘as an ethical information professional I make a commitment to uphold, promote and defend … the confidentiality of information provided by clients or users and the right of all individuals to privacy’ (A6).

There is also a set of accompanying notes, Ethical Framework: clarifying notes (CILIP, 2018), which says that: ‘Privacy underpins human dignity and other key values such as freedom of association and freedom of speech … The right to privacy can only be limited by law when it is necessary to do so in a democratic society for reasons such as national security, public safety, the prevention of crime or protection of the rights and freedoms of others. Any limitation on this right must be proportionate’ and that confidentiality is ‘The state of keeping or being kept secret or private’.

The clarifying notes ask the question: ‘What does this mean for professional practice?’ and go on to answer that question by saying:

General principles

The Data Protection Act 2018 (DPA) provides a comprehensive legal framework for data protection in the UK, in accordance with the General Data Protection Regulation (EU Regulation 2016/679). As DPA section 2(1) says ‘The GDPR, the applied GDPR and this Act protect individuals with regard to the processing of personal data’. The DPA (and the GDPR) came into force on 25 May 2018 and sets out how personal data should be handled. As far as the DPA is concerned, personal data means data that relates to an identified or identifiable living individual.