Data Privacy Statement
The National Library of Ireland's Data Privacy Statement is effective as of 21 April, 2023.
“Data controllers” are the people or organisations that determine the purposes for which, and the manner in which, any Personal Data is processed, and make independent decisions in relation to the Personal Data and/or who/which otherwise control that Personal Data.
For the purposes of the General Data Protection Regulation (GDPR), the National Library of Ireland (NLI) is the data controller with regard to the Personal Data described in this Privacy Statement. The mission of the NLI is to collect, protect and make available the recorded memory of Ireland, caring for more than twelve million items including books, manuscripts, newspapers, photographs, prints, maps, drawings, ephemera, music and digital media.
The NLI has outsourced the function of the Data Protection Officer to XpertDPO Ltd.
Our Data Protection Officer can be contacted as follows:
Email: dataprotection@nli.ie
Post: 4 Kildare Street, Dublin 2, D02 A322
The purpose of this Privacy Statement is to provide you, as our data subject, with a statement regarding the Data Protection and Privacy practices and obligations of the NLI and an explanation of your rights as a data subject.
This Privacy Statement applies to our organisational practices and our website, which is accessible from www.nli.ie.
As the Organisation is established in the Republic of Ireland, this document is written in the vein of Irish Data Protection Law, and the NLI falls under the jurisdiction of the Irish Data Protection Commission. This Privacy Statement sets out what Personal Data we collect and process about you in connection with the services and functions of the Organisation. We are not responsible for the content or the privacy notices for any websites to which we may provide external links.
- General Data Protection Regulation (EU Regulation 679/2016)
- Irish Data Protection Acts 1988 to 2018
- Regulations flowing from Data Protection Act 2018
- ePrivacy Regulations 2011 implementing EU Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD)
- National Archives Act 1986, Regulations 1988
Data protection and privacy laws provide rights to individuals with regard to the use of their Personal Data by organisations, including our organisation. Irish and EU laws on data protection govern all activities we engage in with regard to our collection, storage, handling, disclosure and other uses of Personal Data.
We must comply with data protection and privacy laws because the law requires us to, but we would also like you to have confidence in dealing with us, and compliance with data protection law helps us to maintain a positive reputation in relation to how we handle Personal Data.
We are required to demonstrate accountability for our data protection obligations. This means that we must be able to show how we comply with the applicable data protection and privacy laws, and that we have in fact complied with the laws.
We do this, among other ways, by our written policies and procedures, by building data protection and privacy compliance into our systems and business rules, by internally monitoring our data protection and privacy compliance and keeping it under review, and by acting if our representatives, including employees or contractors, fail to follow the rules.
We also have certain obligations in relation to keeping records about our data processing.
All our representatives, which include employees and contractors, are required to comply with our Data Protection Policies and Procedures which inform this Privacy Statement when they process Personal Data on our behalf.
We aim to comply with the following principles found in Data Protection Law:
- Lawfulness, fairness and transparency – Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose Limitation – Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation – Personal Data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed.
- Accuracy – Personal data must be accurate and, where necessary, kept up to date. Inaccurate Personal Data should be corrected or deleted.
- Retention – Personal data should be kept in an identifiable format for no longer than is necessary.
- Integrity and confidentiality – Personal data should be kept secure.
- Accountability – Under the GDPR, we must not only comply with the above six general principles, but we must be able to demonstrate that we comply by documenting and keeping records of all decisions.
Personal Data
Personal information which you volunteer to the NLI through the use of web forms e.g., Reader Pre-Registration Form or email will be treated with the highest standards of security and confidentiality, strictly in accordance with the Data Protection Acts, 1988 to 2018 and the GDPR.
The Types of Data we Collect
Process | Purpose | Lawful Basis | Type of Data |
---|---|---|---|
Accessions | Provenance information for collection management | Contract | Name, Email Address, Address, Telephone Number, Financial Information |
Accident Reports/Records | To record and compile reports in case of an accident / injury on NLI premises | Legal Obligation | Name, Telephone Number, Image/s, Medical Information |
Acquisitions | To communicate with vendors and donors around acquisitions | Contract | Name, Email Address, Address, Telephone Number, Financial Information, Employment Information |
Administration | To perform general administrative tasks within the NLI | Public Interest | Meetings of Minutes, Diary Management and Agendas, Complaints |
Archivist on Duty Reference Service | To provide archivist on duty reference services | Contract | Name, Email Address, Address, Telephone Number, NLI Reader's Ticket Number |
Back Ups | To store personal data and make back-ups of that data in case of emergencies and for disaster recovery purposes | Legal Obligation | NLI data is securely backed up on a regular basis |
Board and Committee Details and Reports | To inform public of any appointments, meetings and outcomes and to comply with relevant legislation | Contract | Name, Employment Information, Short Biography that may contain personal data |
CCTV | For safety and security purposes for NLI sites and to assist with the prevention and detection of crime or unlawful activities. | Public Interest | CCTV Recordings and Still Images (where applicable) |
Donations / Deeds of Gift | To receive collection donations / deeds of gift for the NLI collection | Contract | Name, Email Address, Address, Telephone Number, Financial Information, Employment Information, Details about how material was acquired that may contain personal data |
Communication Management - Email and Post | To manage and respond to emails that come into NLI Email Inboxes, to receive and send post | Contract | Name, Email Address, Address, Telephone Number, Financial Information, Employment Information, Mixed data / contents that may contain personal data |
Event Invoices | To allow transfer of payment to guest speakers and event facilitators | Contract | Name, Email Address, Address, Telephone Number, Financial Information, Employment Information |
Exhibition Information | To display exhibition information to visitors and members of the public | Public Interest | Name, Image/s |
Exhibition Images / Posters | To advertise and promote NLI exhibitions | Public Interest | Images and text from NLI catalogue of natural (living) persons |
Export Licences | To fulfil requests from various bodies for export licences and to enable transport of material outside the country within the EU | Contract | Name, Email Address, Address, Phone Number, Employment Information |
Group Visits | To manage, book and contact groups for Onsite Group Visits | Contract | Name, Email Address, Telephone Number, Name of Group, Accessibility Requirements |
Heraldry and Genealogy | To process requests for applications for a grant of arms, genealogy and heraldry requests, and to reply to research and other queries | Contract | Name, Email Address, Address, Telephone Number, Financial Information, Copy of Birth Certificate / Passport |
Librarian on Duty | To deliver Librarian on Duty Services and respond to queries about the NLI collection | Consent | Name, Email Address, Address, queries that may contain mixed personal data |
Loan Applications | To fulfil requests from other cultural bodies for the loan of NLI collection material | Contract | Name, Email Address, Address, Phone Number, Employment Information, Signature |
Mailing Lists | To send relevant communications out to individuals who are registered subscribers to NLI Mailing Lists | Consent | Name, Email Address |
NLI Courses | To register and communicate with participants for NLI courses / learning events | Contract | Name, Email Address, Telephone Number, Online Meeting Identifiers, Employment Information |
NLI Online Events | To allow individuals to register and participate in NLI online events | Contract | Name, Email Address, Address (optional) |
Online Collection Orders | To process and fulfil requests from readers to allow them to order items from the collection | Contract | Name, Email Address, Telephone Number, NLI Reader's Ticket Number |
Parish Registers | To respond and assist with queries about Parish registers | Consent | Name, Email Address, Address, queries that may contain mixed personal data |
Payments | To make and receive payments in the course of normal NLI business | Contract | Name, Email Address, Financial information (e.g., bank name, address, IBAN, invoice payments) |
Permissions Applications | To fulfil requests from individuals / members of the public to publish/reproduce material from the collection | Contract | Name, Email Address, Address, Phone Number |
Photography / Video | Taking photographs and video at NLI events for marketing purposes | Consent | Name, Image, Name of Child (where applicable), Relationship to Child (where applicable), Signature |
Press Releases | To inform the press and public of events and developments within the NLI | Contract | Name, Email Address, Telephone Number, Address (including temporary address where relevant), Affiliations (e.g., educational), Employment Information |
Reader Registration (NLI Reader's Ticket) | To identify individuals and allow them to use the NLI collections | Consent | Name, Email Address, Telephone Number, Employment Information |
Recruitment (including, pre-recruitment, recruitment and selection) | To register pre-recruitment candidates for employment, to review candidates for positions within the NLI and assess suitability, for ethics management | Contract | Name, Email Address, Telephone Number, Nationality, Visa Status, CV, Work and Educational History, Interview Notes |
Recruitment - Referees | To confirm Educational and Employment Details of candidates for employment within NLI | Consent | Name, Email Address, Phone Number, Employment Information, Opinions given in confidence on performance |
Regulatory Compliance | To comply with financial regulations and any other relevant laws | Legal Obligation | Annual Reports, Financial Statements and Publications including audits, Board Meetings and Strategic Plans, Archiving and Destruction of Records, FOI and Data Protection Requests |
Reprographic Orders | To fulfil requests from individuals / members of the public for copies of items from the collection | Contract | Name, Email Address, Address, Phone Number |
Schools Online Learning | To enable schools to book online sessions for students | Contract | Name, Email Address, Phone Number, Employment Information |
School Competitions | To allow schools to register for competitions and to allow students to enter | Consent | Name, Email Address, Phone Number, Employment Information and AV content (e.g., video) |
Self-Service Copying | To fulfil requests from readers to copy and save requested material from the collection | Contract | Name, NLI Reader's Ticket Number |
Social Media | To coordinate social media management, market our exhibitions, and communicate with our visitors and followers | Public Interest | Mixed Social Media Data (e.g., Name, Username, Profile Photo) |
Speakers / Lecturers | To arrange and communicate with individuals who give talks and lectures and to advertise events | Contract | Name, Email Address, Telephone Number, Employment Information, Education Information |
Summer Camps | To register and communicate with participants for NLI Summer Camps | Contract | Name, Email Address, Telephone Number, Name of Child attending camp |
Surveys | To receive feedback from event attendees and members of the public on NLI services and events | Consent | Survey responses that may contain personal data (we do not ask for your name or other data) |
Web Usage Data | To effectively operate online services and to analyse aggregate usage to enhance user services | Consent | Technical information, including Internet Protocol (IP) address, browser type and operating system, the date and time of when you access our site, the pages you visit; and the website from which you accessed our site including any search terms used |
Third Party Data Sharing | To allow the NLI to conduct and carry out functions with third party service providers that enable us to deliver our services as a library and archive | Contract | Dependent on third party |
Travelling Exhibitions | To allow museums, schools and libraries to host and book travelling exhibitions | Contract | Name, Email Address, Telephone Number, Employment Information |
Venue Hire | Facilitating the use of NLI sites for events | Contract | Name, Email Address, Telephone Number, Employment Information, Financial Information |
Visitor Records | To record visitors (contractors and individuals visiting staff for meetings) to the NLI accurately | Consent | Name, Telephone Number, Vehicle Registration and make, Employment Information |
Special Category Data
We may collect sensitive data – or ‘Special Category Data’ – about you in order to assist you and to provide our service/s.
- Data relating to health (e.g., if a visitor has accessibility requirements).
- Personal data revealing religious or philosophical beliefs (e.g., dietary requirements at summer camps).
- Personal data revealing racial or ethnic origin (e.g., your nationality via identification given).
- Data concerning a natural person’s sex life or sexual orientation (e.g., gender via identification given e.g., passport, birth certificate when carrying out family history / heraldry requests).
Special Category Data and the NLI Collections
The NLI Collections contain personal data, including special category data, some of which relates to living individuals.
The special category data in the NLI collections includes data around racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union memberships, health data, and data concerning sex life and sexual orientation.
These collections may be closed in order to respect the data of individuals and are held for archiving purposes in the public interest.
Individuals should be aware that the Right to be Forgotten does not apply to the majority of the personal data in the NLI Collections due to the exemption for archiving (General Data Protection Regulation, Article 9 (j)) and Section 60 of the Data Protection Act (2018).
Children’s Data
We may collect children’s data in order to assist you and to provide our service/s to children. This is done with parental or guardian consent where a child is under the age of 16 years old.
- Forename and Surname of children attending NLI events (e.g., Summer Camps)
- Photographic or Video Images (where obtained with parental consent e.g., at exhibitions, talks)
Criminal Offence Data
The NLI does not collect any information about criminal convictions and offences.
Closed Circuit Television (CCTV)
The NLI has Closed Circuit Television (CCTV) in place in and around our buildings. We use CCTV to ensure the safety and security of NLI sites and to assist with the prevention and detection of crime or unlawful activities. We have fair processing notices in place and a CCTV Policy.
Reader Pre-Registration Form
In order to apply for a reader’s ticket, you must complete the online Reader Pre-Registration Form. The information supplied by you is used to create a computer record in your name which is stored in a database. The information which you provide at the registration stage allows us to fully process your application for a reader’s ticket and aids us in directing you to the appropriate service or collections. Additional voluntary information which you provide about yourself will be used only as a means of developing future services and - if you so indicate - alerting you about Library activities and events.
The NLI’s mission is to collect, protect and make accessible the recorded memory of Ireland. The NLI is subject to legislation around the archiving and collection of records.
As a body cited in the schedule to the National Archives Act 1986, the National Library is subject to the National Archives Act 1986 and Regulations of 1988. The Act and Regulations are applicable to the archival management of records, including record disposal and retention. The NLI has a duty to abide by the Archives Act and to ensure records and data are kept in line with the Act.
The Act operates within a legal framework for the management of records that may also include other statutes relating to areas such as Data Protection, Freedom of Information, and legislation relating to specific areas of work such as cultural heritage, social protection and tax collection, among others.
No legislation takes precedence over the National Archives Act, 1986 with regard to the management of public records, including the destruction, retention or withholding of records. Before destruction, retention or withholding of records can take place, the provisions as set out in the National Archives Act, 1986 and Regulations, 1988 must be adhered to.
The lawful basis under which the NLI holds data in our archives is Art 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest.
Data is held by the NLI for archiving purposes (Art. 89(3) of the GDPR and Section 42 of the Data Protection Act 2018). Where personal data is being collected (processed) for archiving purposes in the public interest, there are specific derogations from rights as outlined in GDPR Articles 15, 16, 18 and 21.
The NLI is also governed by the National Cultural Institutions Act 1997 (S.I. 11/97). Section 12 (1) of the Act notes that ‘The principal functions of the Board of the Library shall be to conserve, restore, maintain and enlarge the library material in the collection of the NLI for the benefit of the public and to establish and maintain a record of library material (including material relating to the Irish language) in relation to Ireland.’
The NLI may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.
Where data is not subject to the National Archives Act and Regulations, the NLI will only retain data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
When you consent to providing us with your personal data, we will also ask you for your consent to share your personal data with the third parties set out below. The NLI has contracts in place and carries out due diligence with regard to our suppliers and relevant third parties.
- Other Public service bodies such as the National Shared Service Office (NSSO), the National Archives and other bodies.
- Service providers acting as processors based in Ireland and Europe who provide development, IT, and system administration and travel services.
- Technical providers who are other entities that interact with us in connection with the services we provide.
- Professional advisers acting as processors, controllers or joint controllers including lawyers, bankers, auditors and insurers based in Ireland who provide consultancy, banking, legal, insurance and accounting services.
- Regulators and other authorities as processors, controllers or joint controllers based in Ireland who require reporting of processing activities in certain circumstances.
Some of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission, or;
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Once the NLI has received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way. The NLI utilises encryption, access controls and other features to ensure the security of your data.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.
By consenting, where this is the appropriate and identified lawful basis for processing, to our processing your Personal Data in line with this Privacy Statement you are giving us permission to process your Personal Data specifically for the purposes identified.
You may withdraw consent at any time by providing an unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify withdrawal of consent to the processing of Personal Data relating to you. If you have any queries relating to withdrawing your consent, please contact our Data Protection Officer using the contact details set out below.
Withdrawal of consent shall be without effect to the lawfulness of processing based on consent before its withdrawal.
Under certain circumstances, and dependent on the legal basis under which your personal data is processed, by law you have the right to:
- Request information about whether we hold Personal Data about you, and, if so, what that Personal Data is and why we are holding/using it.
- Request access to your Personal Data (commonly known as a “Data Subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
- Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).
- Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes.
- Object to automated decision-making including profiling, that is, not to be subject to any automated decision-making by us using your Personal Data or profiling of you.
- Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request transfer of your Personal Data in an electronic and structured form to you or to another party (commonly known as a right to “data portability”). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically useable format.
We have appointed a Data Protection Officer to monitor compliance with our data protection obligations and with this Notice and our related policies. If you have any questions about this Notice or about our data protection compliance, please contact the Data Protection Officer.
If you wish to exercise your rights, please contact our Data Protection Officer who will respond to the request within one calendar month.
Our Data Protection Officer can be contacted as follows:
Email: dataprotection@nli.ie
Post: 4 Kildare Street, Dublin 2, D02 A322
You as the Data Subject have the right to complain at any time to a supervisory authority in relation to any issues related to our processing of your Personal Data. We would like to hear from you first if you have a complaint about how we use your data so that we may rectify the issue. As our organisation is located in Ireland and we conduct our data processing here, we are regulated for data protection purposes by the Irish Data Protection Commissioner.
You can contact the Data Protection Commissioner as follows:
Website: www.dataprotection.ie
Phone: +353 57 8684800 or +353 (0)761 104 800
Email: info@dataprotection.ie
Address: Data Protection Office – Canal House, Station Road, Portarlington, Co. Laois, R32 AP23. Or 21 Fitzwilliam Square Dublin 2. D02 RD28 Ireland
This Privacy Statement is kept under regular review and is therefore subject to change. Changes will only apply to activities and information going forward, not on a retroactive basis.
You are encouraged to review this Privacy Statement periodically to make sure that you understand how any personal information you provide will be used.
Any changes to this Privacy Statement will be posted on this website so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it.
See our Cookies Policy.