Questions about town and parish councils
0 votes
I submitted a claim for travel on behalf of the council as agreed and signed it. The clerk then published the document with my signature fully visible (ie not redacted) on the council website and to other councillors. When this error was pointed out at a council meeting, no apology or information about how the problem would be dealt with was forthcoming from the clerk or the chairman. Does the clerk's action constitute a breach of the council's GDPR?
by (680 points)

2 Answers

0 votes
Yes. Once the organisation responsible for the breach has realised it, or had it reported to them, they are required to self-report to the ICO.

There needs to be an immediate remediation by the organisation responsible, a statement of the breach and the remedial action provided to the subject so that damage limitation may be initiated.

This also needs to be recorded in Section 1 para 3 of the AGAR as a non-compliance.
The assertion at para 3 is "We took all reasonable steps to assure ourselves that there are no matters of actual or potential for non-compliance with laws, regulations that could have significant financial effect on the ability of this authority to conduct its business or manage its finances".
A fine from the ICO certainly WOULD affect business and management of finances.

Does your council have a data protection officer (DPO)?  This is bread and butter stuff so if they are getting it wrong there are likely to be significant systemic deficiencies.

Happy to provide links / references if required but simple search at ICO will provide most answers.  Yes, I have submitted several successful FOIs and reports of data breaches in relation to a PC and have had positive (albeit very slow) responses from ICO.
by (19.3k points)
0 votes
This is a data breach and should be recorded in your Council's breach log. It has to be reported to the ICO within 72 hours if the Council determines there is a risk of harm to you as a result (this can include distress as well as risk of identity theft). All councillors who received a copy of your signature should have been immediately asked to confirm in writing they had destroyed it.

If the matter is reported to the ICO the most likely outcome is that the Council will be asked to tighten up its procedures to prevent a recurrence. It is unlikely that the Council will be fined.
by (2.9k points)
edited by
I’d suggest the likelihood of ICO fine (or other sanction) is dependent upon the case history for any given organisation combined with the seriousness of whatever is the latest transgression.
Therein lies the importance of reporting / self reporting breaches so as to enable ICO to formulate an organisational profile and track record of previous breaches and remedies.
No single individual instance can provide a realistic assessment of the probability or severity of ICO action - that can only be assessed by consideration (by the ICO) of systemic shortfalls.
RAC I don't disagree that is how it should work. However, the legislation only requires you to report a breach when it meets the harm threshold. Indeed, the ICO has actively discouraged organisations from reporting breaches that don't meet the threshold, so the ICO will never have a full picture of an organisation's compliance. The current Commissioner has also said that he is reluctant to fine public bodies since the fine will ultimately be paid from public funds/the taxpayer. His preference is to 'name and shame'.
Similarly don’t disagree );0)

A PC should still self report via AGAR and I think it’s a reasonable assumption that publication of a signature ‘could’ cause direct harm.
Should the council inform its internal auditor of the breach if it may affect the council's AGAR and finances?
I'd be grateful to receive the ICO chapter and verse on this matter if RoundAgainCoxn could let me have it. Also, are there any rulings published by NALC on how councils should act when there has been a breach of GDPR? Thanks
What I can give you is this….

Here is the link to the ICO webpage which details what constitutes, how and when to report a breach:
https://icosearch.ico.org.uk/s/search.html?query=data+breach&collection=ico-meta&profile=_default

Also, this is the question in Section 1 Assertion 3 of the AGAR:

“…We took all reasonable steps to assure ourselves that there are no matters of actual or potential non-compliance with laws, regulations and Proper Practices that could have a significant effect on the ability of this authority to conduct its business or manage its finances…”

The ‘decision’ about whether a data breach should be reported must be made by the people with responsibility for whichever organisation it is that is asking itself the question - guidance is available from the ICO chat bot.

In the case of a PC, there may be a nominated Data Protection Officer.

If a breach is decided by the organisation and it is reported to the ICO it then becomes a matter for that council to consider the question in Assertion 3.  Can it, under all of the prevailing circumstances affirm that all reasonable steps, actual or potential non-compliance, significant impact on ability to conduct business / manage finances etc etc….

These are the boundaries within which a PC ‘should’ operate, the PC then has to mark its own homework with self certification - there is little chance the Internal Audit will be of any use.

The decision lies entirely with the subject council, their depth of understanding, how diligently they may apply the existing regs and whether they are willing to navel gaze…
NALC reference - not brilliant - but the extract from NALC's PRIVACY NOTICE FOR STAFF, COUNCILLORS AND ROLE HOLDERS / THOSE DOING WORK FOR NALC states under what circumstances data may be “shared.”
The obvious extrapolation being, if data were to be shared OUTSIDE of these parameters (whether by intent or accident) - it must be a breach (of policy and of statute)

https://www.nalc.gov.uk/members-area/privacy-notice


As follows:

SHARING YOUR PERSONAL DATA
Your personal data will only be shared with third parties including other data controllers where it is necessary for the performance of the data controllers’ tasks or where you first give us your prior consent.  It is likely that we will need to share your data with:
Our agents, suppliers and contractors. For example, we may ask a commercial provider to manage our HR/ payroll functions, or to maintain our database software;
Other data controllers, such as local authorities, public authorities, central government and agencies such as HMRC
Staff pension providers
Former and prospective employers
DBS services suppliers
Payroll services providers
Recruitment Agencies
Credit reference agencies
Professional Advisors
Trade unions or employee representatives
IT service provider
