Data Privacy Statement

The National Library of Ireland's Data Privacy Statement is effective as of 21 April, 2023.

“Data controllers” are the people or organisations that determine the purposes for which, and the manner in which, any Personal Data is processed, and make independent decisions in relation to the Personal Data and/or who/which otherwise control that Personal Data.

For the purposes of the General Data Protection Regulation (GDPR), the National Library of Ireland (NLI) is the data controller with regard to the Personal Data described in this Privacy Statement. The mission of the NLI is to collect, protect and make available the recorded memory of Ireland, caring for more than twelve million items including books, manuscripts, newspapers, photographs, prints, maps, drawings, ephemera, music and digital media.

The NLI has outsourced the function of the Data Protection Officer to XpertDPO Ltd.

Our Data Protection Officer can be contacted as follows:
Email: dataprotection@nli.ie
Post: 4 Kildare Street, Dublin 2, D02 A322

The purpose of this Privacy Statement is to provide you, as our data subject, with a statement regarding the Data Protection and Privacy practices and obligations of the NLI and an explanation of your rights as a data subject. 

This Privacy Statement applies to our organisational practices and our website, which is accessible from www.nli.ie

As the Organisation is established in the Republic of Ireland, this document is written in the vein of Irish Data Protection Law, and the NLI falls under the jurisdiction of the Irish Data Protection Commission. This Privacy Statement sets out what Personal Data we collect and process about you in connection with the services and functions of the Organisation. We are not responsible for the content or the privacy notices for any websites to which we may provide external links.

  • General Data Protection Regulation (EU Regulation 679/2016)
  • Irish Data Protection Acts 1988 to 2018
  • Regulations flowing from Data Protection Act 2018
  • ePrivacy Regulations 2011 implementing EU Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD)
  • National Archives Act 1986, Regulations 1988

Data protection and privacy laws provide rights to individuals with regard to the use of their Personal Data by organisations, including our organisation. Irish and EU laws on data protection govern all activities we engage in with regard to our collection, storage, handling, disclosure and other uses of Personal Data.

We must comply with data protection and privacy laws because the law requires us to, but we would also like you to have confidence in dealing with us, and compliance with data protection law helps us to maintain a positive reputation in relation to how we handle Personal Data.

We are required to demonstrate accountability for our data protection obligations. This means that we must be able to show how we comply with the applicable data protection and privacy laws, and that we have in fact complied with the laws. 

We do this, among other ways, by our written policies and procedures, by building data protection and privacy compliance into our systems and business rules, by internally monitoring our data protection and privacy compliance and keeping it under review, and by acting if our representatives, including employees or contractors, fail to follow the rules. 

We also have certain obligations in relation to keeping records about our data processing.

All our representatives, which include employees and contractors, are required to comply with our Data Protection Policies and Procedures which inform this Privacy Statement when they process Personal Data on our behalf.

    We aim to comply with the following principles found in Data Protection Law:

    • Lawfulness, fairness and transparency – Personal data must be processed lawfully, fairly and in a transparent manner.
    • Purpose Limitation – Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
    • Data minimisation – Personal Data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed.
    • Accuracy – Personal data must be accurate and, where necessary, kept up to date. Inaccurate Personal Data should be corrected or deleted.
    • Retention – Personal data should be kept in an identifiable format for no longer than is necessary.
    • Integrity and confidentiality – Personal data should be kept secure.
    • Accountability – Under the GDPR, we must not only comply with the above six general principles, but we must be able to demonstrate that we comply by documenting and keeping records of all decisions.

    Personal Data

    Personal information which you volunteer to the NLI through the use of web forms e.g., Reader Pre-Registration Form or email will be treated with the highest standards of security and confidentiality, strictly in accordance with the Data Protection Acts, 1988 to 2018 and the GDPR.

     

    The Types of Data we Collect

    | Process | Purpose | Lawful Basis | Type of Data |
    |---|---|---|---|
    | Accessions | Provenance information for collection management | Contract; Public Interest | Name, Email Address, Address, Telephone Number, Financial Information |
    | Accident Reports/Records | To record and compile reports in case of an accident / injury on NLI premises | Legal Obligation | Name, Telephone Number, Image/s, Medical Information |
    | Acquisitions | To communicate with vendors and donors around acquisitions | Contract; Public Interest | Name, Email Address, Address, Telephone Number, Financial Information, Employment Information |
    | Administration | To perform general administrative tasks within the NLI | Public Interest; Legal Obligation | Minutes of Meetings, Diary Management and Agendas, Complaints |
    | Archivist on Duty Reference Service | To provide archivist on duty reference services | Contract | Name, Email Address, Address, Telephone Number, NLI Reader's Ticket Number |
    | Back Ups | To store personal data and make back-ups of that data in case of emergencies and for disaster recovery purposes | Legal Obligation | NLI data is securely backed up on a regular basis |
    | Board and Committee Details and Reports | To inform public of any appointments, meetings and outcomes and to comply with relevant legislation | Contract; Legal Obligation | Name, Employment Information, Short Biography that may contain personal data |
    | CCTV | For safety and security purposes for NLI sites and to assist with the prevention and detection of crime or unlawful activities. | Public Interest | CCTV Recordings and Still Images (where applicable) |
    | Donations / Deeds of Gift | To receive collection donations / deeds of gift for the NLI collection | Contract | Name, Email Address, Address, Telephone Number, Financial Information, Employment Information, Details about how material was acquired that may contain personal data |
    | Communication Management - Email and Post | To manage and respond to emails that come into NLI Email Inboxes, to receive and send post | Contract | Name, Email Address, Address, Telephone Number, Financial Information, Employment Information, Mixed data / contents that may contain personal data |
    | Event Invoices | To allow transfer of payment to guest speakers and event facilitators | Contract | Name, Email Address, Address, Telephone Number, Financial Information, Employment Information |
    | Exhibition Information | To display exhibition information to visitors and members of the public | Public Interest | Name, Image/s |
    | Exhibition Images / Posters | To advertise and promote NLI exhibitions | Public Interest | Images and text from NLI catalogue of natural (living) persons |
    | Export Licences | To fulfil requests from various bodies for export licences and to enable transport of material outside the country within the EU | Contract | Name, Email Address, Address, Phone Number, Employment Information |
    | Group Visits | To manage, book and contact groups for Onsite Group Visits | Contract; Consent | Name, Email Address, Telephone Number, Name of Group, Accessibility Requirements |
    | Heraldry and Genealogy | To process requests for applications for a grant of arms, genealogy and heraldry requests, and to reply to research and other queries | Contract; Consent (Special Category Data) | Name, Email Address, Address, Telephone Number, Financial Information, Copy of Birth Certificate / Passport |
    | Librarian on Duty | To deliver Librarian on Duty Services and respond to queries about the NLI collection | Consent; Contract | Name, Email Address, Address, queries that may contain mixed personal data |
    | Loan Applications | To fulfil requests from other cultural bodies for the loan of NLI collection material | Contract | Name, Email Address, Address, Phone Number, Employment Information, Signature |
    | Mailing Lists | To send relevant communications out to individuals who are registered subscribers to NLI Mailing Lists | Consent | Name, Email Address |
    | NLI Courses | To register and communicate with participants for NLI courses / learning events | Contract | Name, Email Address, Telephone Number, Online Meeting Identifiers, Employment Information |
    | NLI Online Events | To allow individuals to register and participate in NLI online events | Contract | Name, Email Address, Address (optional) |
    | Online Collection Orders | To process and fulfil requests from readers to allow them to order items from the collection | Contract | Name, Email Address, Telephone Number, NLI Reader's Ticket Number |
    | Parish Registers | To respond and assist with queries about Parish registers | Consent; Contract | Name, Email Address, Address, queries that may contain mixed personal data |
    | Payments | To make and receive payments in the course of normal NLI business | Contract; Legal Obligation | Name, Email Address, Financial information (e.g., bank name, address, IBAN, invoice payments) |
    | Permissions Applications | To fulfil requests from individuals / members of the public to publish/reproduce material from the collection | Contract | Name, Email Address, Address, Phone Number |
    | Photography / Video | Taking photographs and video at NLI events for marketing purposes | Consent | Name, Image, Name of Child (where applicable), Relationship to Child (where applicable), Signature |
    | Press Releases | To inform the press and public of events and developments within the NLI | Contract | Name, Email Address, Telephone Number, Address (including temporary address where relevant), Affiliations (e.g., educational), Employment Information |
    | Reader Registration (NLI Reader's Ticket) | To identify individuals and allow them to use the NLI collections | Consent; Contract | Name, Email Address, Telephone Number, Employment Information |
    | Recruitment (including pre-recruitment, recruitment and selection) | To register pre-recruitment candidates for employment, to review candidates for positions within the NLI and assess suitability, for ethics management | Contract; Employment/Social Security (Special Category Data) | Name, Email Address, Telephone Number, Nationality, Visa Status, CV, Work and Educational History, Interview Notes |
    | Recruitment - Referees | To confirm Educational and Employment Details of candidates for employment within NLI | Consent | Name, Email Address, Phone Number, Employment Information, Opinions given in confidence on performance |
    | Regulatory Compliance | To comply with financial regulations and any other relevant laws | Legal Obligation; Contract | Annual Reports, Financial Statements and Publications including audits, Board Meetings and Strategic Plans, Archiving and Destruction of Records, FOI and Data Protection Requests |
    | Reprographic Orders | To fulfil requests from individuals / members of the public for copies of items from the collection | Contract | Name, Email Address, Address, Phone Number |
    | Schools Online Learning | To enable schools to book online sessions for students | Contract | Name, Email Address, Phone Number, Employment Information |
    | School Competitions | To allow schools to register for competitions and to allow students to enter | Consent | Name, Email Address, Phone Number, Employment Information and AV content (e.g., video) |
    | Self-Service Copying | To fulfil requests from readers to copy and save requested material from the collection | Contract | Name, NLI Reader's Ticket Number |
    | Social Media | To coordinate social media management, market our exhibitions, and communicate with our visitors and followers | Public Interest | Mixed Social Media Data (e.g., Name, Username, Profile Photo) |
    | Speakers / Lecturers | To arrange and communicate with individuals who give talks and lectures and to advertise events | Contract | Name, Email Address, Telephone Number, Employment Information, Education Information |
    | Summer Camps | To register and communicate with participants for NLI Summer Camps | Contract | Name, Email Address, Telephone Number, Name of Child attending camp |
    | Surveys | To receive feedback from event attendees and members of the public on NLI services and events | Consent | Survey responses that may contain personal data (we do not ask for your name or other data) |
    | Web Usage Data | To effectively operate online services and to analyse aggregate usage to enhance user services | Consent | Technical information, including Internet Protocol (IP) address, browser type and operating system, the date and time of when you access our site, the pages you visit; and the website from which you accessed our site including any search terms used |
    | Third Party Data Sharing | To allow the NLI to conduct and carry out functions with third party service providers that enable us to deliver our services as a library and archive | Contract | Dependent on third party |
    | Travelling Exhibitions | To allow museums, schools and libraries to host and book travelling exhibitions | Contract; Public Interest | Name, Email Address, Telephone Number, Employment Information |
    | Venue Hire | Facilitating the use of NLI sites for events | Contract | Name, Email Address, Telephone Number, Employment Information, Financial Information |
    | Visitor Records | To record visitors (contractors and individuals visiting staff for meetings) to the NLI accurately | Consent; Contract | Name, Telephone Number, Vehicle Registration and make, Employment Information |

     

    Special Category Data

    We may collect sensitive data – or ‘Special Category Data’ – about you in order to assist you and to provide our service/s. 

    • Data relating to health (e.g., if a visitor has accessibility requirements).
    • Personal data revealing religious or philosophical beliefs (e.g., dietary requirements at summer camps).
    • Personal data revealing racial or ethnic origin (e.g., your nationality via identification given).
    • Data concerning a natural person’s sex life or sexual orientation (e.g., gender via identification given e.g., passport, birth certificate when carrying out family history / heraldry requests).

     

    Special Category Data and the NLI Collections

    The NLI Collections contain personal data, including special category data, some of which relates to living individuals.

    The special category data in the NLI collections includes data around racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union memberships, health data, and data concerning sex life and sexual orientation.

    These collections may be closed in order to respect the data of individuals and are held for archiving purposes in the public interest.

    Individuals should be aware that the Right to be Forgotten does not apply to the majority of the personal data in the NLI Collections due to the exemption for archiving (General Data Protection Regulation, Article 9 (j)) and Section 60 of the Data Protection Act (2018).

     

    Children’s Data

    We may collect children’s data in order to assist you and to provide our service/s to children. This is done with parental or guardian consent where a child is under the age of 16 years old.

    • Forename and Surname of children attending NLI events (e.g., Summer Camps)
    • Photographic or Video Images (where obtained with parental consent e.g., at exhibitions, talks)

     

    Criminal Offence Data

    The NLI does not collect any information about criminal convictions and offences.

     

    Closed Circuit Television (CCTV)

    The NLI has Closed Circuit Television (CCTV) in place in and around our buildings. We use CCTV to ensure the safety and security of NLI sites and to assist with the prevention and detection of crime or unlawful activities. We have fair processing notices in place and a CCTV Policy.

     

    Reader Pre-Registration Form

    In order to apply for a reader’s ticket, you must complete the online Reader Pre-Registration Form. The information supplied by you is used to create a computer record in your name which is stored in a database. The information which you provide at the registration stage allows us to fully process your application for a reader’s ticket and aids us in directing you to the appropriate service or collections. Additional voluntary information which you provide about yourself will be used only as a means of developing future services and - if you so indicate - alerting you about Library activities and events.

    The NLI’s mission is to collect, protect and make accessible the recorded memory of Ireland. The NLI is subject to legislation around the archiving and collection of records.

    As a body cited in the schedule to the National Archives Act 1986, the National Library is subject to the National Archives Act 1986 and Regulations of 1988. The Act and Regulations are applicable to the archival management of records, including record disposal and retention. The NLI has a duty to abide by the Archives Act and to ensure records and data are kept in line with the Act.

    The Act operates within a legal framework for the management of records that may also include other statutes relating to areas such as Data Protection, Freedom of Information, and legislation relating to specific areas of work such as cultural heritage, social protection and tax collection, among others.

    No legislation takes precedence over the National Archives Act, 1986 with regard to the management of public records, including the destruction, retention or withholding of records. Before destruction, retention or withholding of records can take place, the provisions as set out in the National Archives Act, 1986 and Regulations, 1988 must be adhered to.

    The lawful basis under which the NLI holds data in our archives is Art 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest. 

    Data is held by the NLI for archiving purposes (Art. 89(3) of the GDPR and Section 42 of the Data Protection Act 2018). Where personal data is being collected (processed) for archiving purposes in the public interest, there are specific derogations from rights as outlined in GDPR Articles 15, 16, 18 and 21.

    The NLI is also governed by the National Cultural Institutions Act 1997 (S.I. 11/97). Section 12 (1) of the Act notes that ‘The principal functions of the Board of the Library shall be to conserve, restore, maintain and enlarge the library material in the collection of the NLI for the benefit of the public and to establish and maintain a record of library material (including material relating to the Irish language) in relation to Ireland.’

    The NLI may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.

    Where data is not subject to the National Archives Act and Regulations, the NLI will only retain data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

    To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

    We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

    When you consent to providing us with your personal data, we will also ask you for your consent to share your personal data with the third parties set out below. The NLI has contracts in place and carries out due diligence with regard to our suppliers and relevant third parties.

    • Other Public service bodies such as the National Shared Service Office (NSSO), the National Archives and other bodies.
    • Service providers acting as processors based in Ireland and Europe who provide development, IT, and system administration and travel services.
    • Technical providers who are other entities that interact with us in connection with the services we provide.
    • Professional advisers acting as processors, controllers or joint controllers including lawyers, bankers, auditors and insurers based in Ireland who provide consultancy, banking, legal, insurance and accounting services.
    • Regulators and other authorities as processors, controllers or joint controllers based in Ireland who require reporting of processing activities in certain circumstances.

    Some of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.  

    Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

    • We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission, or;
    • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.

    Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

    Once the NLI has received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way. The NLI utilises encryption, access controls and other features to ensure the security of your data.

    We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so. 

    By consenting, where this is the appropriate and identified lawful basis for processing, to our processing your Personal Data in line with this Privacy Statement you are giving us permission to process your Personal Data specifically for the purposes identified.

    You may withdraw consent at any time by providing an unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify withdrawal of consent to the processing of Personal Data relating to you. If you have any queries relating to withdrawing your consent, please contact our Data Protection Officer using the contact details set out below.

    Withdrawal of consent shall be without effect to the lawfulness of processing based on consent before its withdrawal.

    Under certain circumstances, and dependent on the legal basis under which your personal data is processed, by law you have the right to:

    • Request information about whether we hold Personal Data about you, and, if so, what that Personal Data is and why we are holding/using it.
    • Request access to your Personal Data (commonly known as a “Data Subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
    • Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
    • Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).
    • Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes.
    • Object to automated decision-making, including profiling; that is, not to be subject to any automated decision-making by us using your Personal Data or profiling of you.
    • Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
    • Request transfer of your Personal Data in an electronic and structured form to you or to another party (commonly known as a right to “data portability”). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically useable format.

    We have appointed a Data Protection Officer to monitor compliance with our data protection obligations and with this Notice and our related policies. If you have any questions about this Notice or about our data protection compliance, please contact the Data Protection Officer.

    If you wish to exercise your rights, please contact our Data Protection Officer who will respond to the request within one calendar month.

    Our Data Protection Officer can be contacted as follows:
    Email: dataprotection@nli.ie
    Post: 4 Kildare Street, Dublin 2, D02 A322

    You as the Data Subject have the right to complain at any time to a supervisory authority in relation to any issues related to our processing of your Personal Data. We would like to hear from you first if you have a complaint about how we use your data so that we may rectify the issue. As our organisation is located in Ireland and we conduct our data processing here, we are regulated for data protection purposes by the Irish Data Protection Commissioner.

    You can contact the Data Protection Commissioner as follows:
    Website: www.dataprotection.ie
    Phone: +353 57 8684800 or +353 (0)761 104 800
    Email: info@dataprotection.ie
    Address: Data Protection Office – Canal House, Station Road, Portarlington, Co. Laois, R32 AP23. Or 21 Fitzwilliam Square Dublin 2. D02 RD28 Ireland

    This Privacy Statement is kept under regular review and is therefore subject to change. Changes will only apply to activities and information going forward, not on a retroactive basis.

    You are encouraged to review this Privacy Statement periodically to make sure that you understand how any personal information you provide will be used.

    Any changes to this Privacy Statement will be posted on this website so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. 

    See our Cookies Policy.