E. Mark Windle 17 August 2022
As biographers, we are in a privileged position. Rarely do individuals expose their life story, or at least a significant chunk of it, in such detail to another party outside of their immediate family and social circle, perhaps other than in counselling (or to their confessor). Clients welcome us into their lives over several interview sessions to share recollections of positive or traumatic life events, hopes and fears, achievements and failings, lessons learned through their experience and their advice for the younger generation or for those yet to come. A huge amount of personal information is imparted in this collaboration, and the writer’s moral and legal obligation is to assure the storyteller it will be kept discretely.
Data protection may not be a topic always at the forefront of non-fiction creative minds, but it should be. The legal consequences of leaked personal information can be catastrophic, and the damage to the writer’s professional reputation irreparable. Financial implications can also be long lasting. The Information Commissioner’s Office—the UK’s data processing watchdog and regulator—has the power to deliver penalties of up to £17.5M for failure to maintain personal information safely, or to report and manage data leaks when they have occurred.
Most countries have some form of legal framework surrounding the core philosophy that individuals have an undisputed right to privacy and control over how their personal information is used. In the UK we have the Data Protection Act 2018, which underpins further legislation for data processing provided by the ICO in the form of the UK General Data Protection Regulation (UK GDPR is essentially a subtle adaptation of pre-Brexit EU regulations).
Combined, the Data Protection Act and UK GDPR highlight a number of fundamental responsibilities for anyone holding third party personal information:
- Information must be used lawfully
- Its purpose must be limited (only collect the type data required for the reason made clear to the client; data must not be recycled for any undisclosed use)
- Data collection must be minimised—only collect the quantity of data required for the purpose intended
- Data kept must be accurate and up to date
- Storage of data must be limited (kept only for as long as necessary)
- Integrity and confidentiality must be maintained (ensure data is stored securely)
So what exactly is personal data? The ICO definition is “any information that relates to an identified or identifiable individual”. Immediately, we think of a name, maybe a national insurance or social security number, an email address or bank account details. For any business or sole trader, the ICO demands a demonstration of accountability through the implementation of risk assessment, privacy statements, and contingency plans in the event of data breaches. Self-employed writers who directly process personal information, such as that required to obtain client payment or for communication purposes, will fall under this category and should be registered annually with the ICO to formally declare compliance to UK GDPR. Fully contracted employees of biography service providers (as opposed to freelancers) may be less likely to require registration, but a wise move is for all writers to consult ICO criteria for mandatory registration and risk assessment if they feel unsure about the legal implications of how they handle data.
At the end of the day, whether or not you are a data processor in the eyes of the ICO, everyone is bound by general principles of data protection under the Act, and there are other forms of personal information that require protection, including some unique to our profession. Assuming the biographer has done their job well, a relationship of trust evolves over a series of one-to-one sessions and peripheral research. As the client opens up, the inquiry elicits storytelling riddled with all sorts of nuggets: times, places, dates, names, events and relationships. This information may relate directly to the storyteller, or to friends and family, or other third parties including businesses and institutions. All of this is privileged information. In certain hands, it’s pretty hard to think of more potentially person-identifiable material than a detailed recording, transcription or written draft of a client’s life story.
We also know that it is human nature to relay life events with a twist. Personal perspective given in the course of interview is not always the same as truth. This is another reason why personal information should be held dear—so that conversations further down the line can clarify inaccuracies or what may be potentially defamatory if prematurely put out in the public domain. Not all information collected in interview is destined for the final manuscript: the writer sifts content as the manuscript draft develops. But the fact remains that all content shared must be protected. It goes beyond the written word too—consider photographs, documents and certificates shared by the storyteller to support anecdotes or to illustrate achievements. The subject should be assured from the outset that any information collected during client-writer interactions will be dealt with sensitively, confidentially, will only be kept for as long as necessary, and used only for the purpose intended.
So, what practical steps are involved for the biographer? A logical start would be a review of the actual means of storage. Good practice involves centralisation. Keeping data in as few places as possible doesn’t only mean easier access, but also less likelihood of information less to be forgotten or lost. It goes without saying that storage should be as secure as possible. Some form of locked facility such as a cabinet—in a secure building—is the obvious option for most physical material like writer-client contracts, letters, photographs, certificates, and hand-written manuscripts. Avoid hoarding previous book drafts in physical page form.
As far as digital content is concerned, interview sessions recorded on mobile phones or other devices should be deleted when no longer required, or if needed for later work, transfer them over to a protected digital file. Word processing documents, communications, scanned photos or audio files can be password-protected individually or contained within a password-protected central folder for each project. USB devices are notoriously easy to misplace and in reality are now obsolete—other alternative back-up technologies are available. If out and about, perhaps travelling to a client’s home or other venue to conduct interviews, laptops, recording equipment and paperwork should always be carried with the writer, or at least kept out of sight in a locked car boot if not in use. None of this is rocket science of course. Equally it’s easy to overlook security or momentarily let vigilance slip.
A final word for now: the requirement for keeping data only as long as necessary (then to be destroyed or deleted) differs depending on the nature of the content kept, even for the same client or writing project. In the UK, for self employed individuals and organisations, information held for client payment collection purposes requires retention for at least six years, as Her Majesty’s Revenue and Customs office has legal authority to recall records for up to this period for tax audit activities. Other information, such as transcripts or formative and final drafts and annotations should be kept only until the job is done. Some kind of milestone usually marks this point, such as an editor-approval of a final manuscript, or final book production and publication.
Data protection is a legal requirement. But it’s also about maintaining reputation, and a declaration of respect for others. If you can demonstrate the methods you take to keep your subject’s information safe, data protection can even be a marketing tool, instil trust, and enhance the client-writer relationship. Read more about the importance of data protection, the work of the ICO, and requirements to meet UK GDPR at https://ico.org.uk/
Copyright 2022. E. Mark Windle is a freelance writer and biographer, working independently, as a senior writer with Story Terrace (London, UK), and as a writer for Sheridan Hill / Real Life Stories LLC (North Carolina, USA). Contact him via https://windlefreelance.com/contact/