Brasenose College Legitimate Interest Assessment – Archives (v1.3)

Last Review Date: June 2023
Next Review Date: June 2025

Although it is not compulsory for an organisation to have a written record of an LIA, the ICO does state that this process does help demonstrate compliance in line with the College’s accountability obligations under the articles of the UK GDPR.

To conduct an LIA, ICO guidance requires that the College consider three tests (set out below with their sub-questions) in relation to any given processing activity:

Purpose test: Is the College pursuing a legitimate interest?

(i) Why does the College want to process the data – what is it trying to achieve?
The College has a legitimate interest in preserving a record of its history and evidence of its functions and responsibilities. It has a legitimate interest to ensure that its archives are kept securely and are available as a resource for researchers and others with a legitimate interest in using the archives.

(ii) Who benefits from the processing? In what way?
The processing of data supports the current business and legal operations of College and supports the College’s teaching and research programmes. The processing of data ensures that information is available as a resource for researchers and future generations.

(iii) Are there any wider public benefits to the processing?
The archives are a resource for anyone who should wish to use them. Processing is necessary to preserve our heritage for future generations, to maintain the integrity of the archives, and to ensure their availability to users.

(iv) How important are those benefits?
Processing is necessary to preserve the history of an organisation which is part of a long-established University with a strong identity and history.

(v) What would the impact be if the College could not go ahead?
The College could lose vital legal and business evidence, as well as its heritage and identity. The integrity and security of the archives would be put at risk. Researchers might not be allowed to access the archives.

(vi) Would the College’s use of the data be unethical or unlawful in any way?
No.

Necessity test: Is the processing necessary for that purpose?

(i) Does the processing proposed help to further the legitimate interest?
Yes.

(ii) Is there another, less intrusive, way to achieve the same result?
No.

(iii) Is it a reasonable way to go about it?
Yes.

Balancing test: Do the individual’s interests override the legitimate interest?

(i) What is the nature of the College’s relationship with the individual?

  • Current and former students
  • Current and former staff and officers of Brasenose College
  • Individuals who have donated items to our archives
  • Researchers who access our archives
  • Other third parties referred to in records held in the archive

(ii) Is any of the data particularly sensitive or private?
(This is not limited to special category or criminal data, but extends also to data such as financial data.)
Some of the data in the archives may be sensitive or private. We do not collect sensitive or private information about external researchers, except for disability information provided to us solely for accessibility purposes, which will be retained for 12 months after an appointment then destroyed. Financial data will be collected if payments are made for research or copies of archive materials; this is kept for seven years from the end of the financial year in which the transaction occurred and then destroyed.

(iii) Would people expect the College to use their data in this way?
The College believes so.

(iv) Are you happy to explain it to them?
Yes.

(v) Are some people likely to object or find it intrusive?
The College does not believe so but has a framework in place should anyone choose to object.

(vi) What is the possible impact on the individual?
Minimal.

(vii) How big an impact might it have on them?
It should not have a substantial impact, as archives are not consulted by researchers without appropriate access controls in place. We do not process personal data in a way that would cause substantial damage or distress to a data subject. We will only share data with third parties if we are allowed or required to do so by law.

(viii) Is the College processing children’s data?
No.

(ix) Are any of the individuals vulnerable in any other way?
The College does not believe so.

(x) Can/Does the College adopt any safeguards to minimise the impact?
Yes. These include: restricting access, redaction, anonymisation, encryption, and password protection.

(xi) Does the College offer an opt-out to data subjects?
Yes – anyone wishing to discuss doing so should contact:

The Data Protection Office
Brasenose College
Radcliffe Square
Oxford
OX1 4AJ
data.protection@bnc.ox.ac.uk

Version Control – v1.3 (June 2023)

Last Review Date: June 2023
Next Review Date: June 2025