Possible GDPR

Question

As a Parish Council we have been have issues with our Clerk.

We have been trying to get a contingency plan in place in the event that she is on long term sick etc...

Whilst the Personnel Committee has been trying to get an appointment with her to get this started, she has stated that she has been showing her daughter, not and employee or councillor, what she does, as if she can stand in for her.

Can someone help with if this is a breach of GDPR or any other regulations etc...

Also what contingency plans do you all have in these circumstances.

Thank you

Answer 1

After all my years involved with Parish Councils I sometimes think I’ve seen everything but I’m clearly wrong

I’m always amazed how many organisations don’t do contingency planning as it’s critical to have plans in place and subject them to regular review

You should constantly be asking what if this or that happens
It’s your Council so you decide how to plan but you clearly have to involve the Clerk as you need to organise  how any handover would take place

Trying to keep it in house using a relative would set alarm bells ringing to me just like staff who won’t go on holiday

Comments

Whilst it is perhaps based in a desire to "help out" it is not for the Clerk to take such actions on themselves. It is a decision entirely for the council to make and implement what contingencies are to be put in place to cover such eventualities. Of course a good council would call on the experience of their clerks input  to make the transition from the clerk  as smooth as possible and once the need of contingency has passed back to the clerk. There is also the matter of clerks contract obligations to be considered in such cases.

---

When I was a clerk I was always nervous of attempts at "contingency planning" by some as in itself it represented a GDPR/Data Protection breach.  However, the simplest form of contingency plan involves (a) storing records etc. on the cloud so they can, in theory, be accessed from anywhere or any device with the appropriate passwords, (b) keeping a separate copy of the password in a sealed envelope, often in the care of the chair which can/should only be opened in the presence of someone else and (c) involving your local county association who often are able to provide a locum clerk at short notice.  It's not usually necessary if the clerk is simply a little off colour but sudden accident or even death can and does happen, sadly.

---

I agree with Graeme_r. If the personal data of Councillors, parishioners or others has been shared with her daughter that unauthorised access (in other words not authorised by the Parish Council)  is a breach of the UK GDPR.
As data controller the Parish Council must decide whether any sharing which has taken place is likely to cause financial or non-financial harm to those impacted. For example, might it include sensitive data or the level of information shared be sufficient to expose an individual to identity theft?

If a risk of harm is likely the Parish Council will need to report the breach to the ICO. If there is a high risk of harm you will also need to inform the individuals whose data has been shared.

Answer 2

A proper contingency plan would specify suitable people to stand in as a deputy clerk, or measures that would need to be followed to identify such people and engage them. The plan would need to be approved by the whole council, particularly if the clerk is also the responsible financial officer. In theory the Clerk's daughter may be able to fulfil the role but only if the Council can determine what criteria she would need to meet,

GDPR breach depends what "showing" her daughter involves.  On the abscence of demonstrable compliance being established, if showing involves her daughter processing any paritioner data or correspondence with someones personal data on it, that could be a breach.

Making copies of it, extracting it and storing copies on a non council PC, storage or network drive would be a breach.