Questions about town and parish councils

0 votes
Between convened meetings on 8 March our Clerk completed and sent off an ICO data breach form without any prior consultation, input or resolution by the council who were not privy to its contents, their accuracy or the fact that the Clerk, acting as DPO, had a conflict of interest in filling in the form as they had themselves caused the data breach. Now the Clerk's actions are to be rubber stamped in what I assume will be a retrospective decision made at a council meeting tonight. Is this appropriate? Also, when I asked the Clerk to provide all correspondence showing advice on the matter provided to our council by our ALC/SLCC, none has been forthcoming. I also asked who authorised/instructed the Clerk to send off the form before it had been properly approved by the council voting in person at a convened council meeting. No response to that either. Although I wrote about the breach to the Chairman, I have never received an answer from them, even though my signature was published to councillors and on the council website for a month before anything was done by the Clerk, who has not informed our borough council MO or our auditor of the breach.
by (680 points)

3 Answers

+3 votes
I am not sure if I have missed something here but the Clerk is legally obliged to report a breach to the ICO and I would imagine there is a requirement to do this as quickly as possible.  I am not sure the reason as to why the council would be expected to approve the submission to the ICO - it is not something that is up for debate or choice...

As for the correspondence with the SLCC and ALC, there might not be any...?  If the Clerk knew that they did something wrong then why would they need confirmation from another organisation?

It seems to me that despite the fact that the Clerk was the one at fault and caused the breach, they had the courage to report themselves quickly to the ICO and that is the correct course of action rather than deny it happening and not owning up to their mistake.
by (24.3k points)
+2 votes
From what you have said I do not think the clerk had a conflict of interest - actually, quite the opposite.  Acting as DPO, I believe the clerk had a duty to report the breach as soon as reasonably possible and should be commended for doing so.  That, of course, assumes we have the full information.
by (9.8k points)
+2 votes
You have to report breaches within 72 hours if you are going to. So no time for a meeting.

The Clerk made an error, has owned up to it and made the relevant moves. I did a small breach the other day. I called the ICO who confirmed it was a breach and had to do a risk assessment, state what had happened, agree if it was harmful, or likely to cause harm, agree mitigations so it wouldn’t happen again. Due to the nature and the fact it was not harmful I didn’t have to do a full report within 72 hours, but will be advising council.
by (840 points)
The data breach was not reported to the ICO within 72 hours of it being pointed out to the council and the Clerk. In fact, it took the Clerk some three weeks after the meeting to report it, and then only after I had raised the breach with the Chairman and asked what the council had done about it. The Chairman did not and still has not replied to my email.
When I asked who is the DPO of our council, the Clerk replied that "under the parish council privacy policy...the Clerk has specific responsibility for data protection within the council".
I quite reasonably took it that the Clerk was the council's DPO, a situation which I now discover is not recommended by NALC due to potential conflict of interest issues, lack of independence, knowledge/experience/training in data protection etc. NALC recom
In their ICO form the Clerk admits to having had no training in Data Protection. Why then had the Clerk claimed to have specific responsibility for data protection within the council and published that fact in a privacy policy document?
Am I wrong to construe from the Clerk's claim that the only person in the council who has specific responsibility for data protection within the council must be the DPO?
I ask because at the next council meeting the Clerk claimed that they are not the DPO, that they filled in the ICO form as a personal breach rather than as DPO acting on behalf of the Council - ie the organisation that is responsible for the breach.
As the Clerk/Legal Officer/DPO claims to be responsible for the breach in the first place why did they not report it to the ICO within the time deadline required rather than waiting three weeks to do so?
The Clerk claims to be DPO in one breath and in another denies they are anything but. And in the next breath, they claim that the parish council has never appointed a DPO. That extraordinary statement was backed up by the Chairman.
It makes no sense and is certainly neither transparent nor open to members or residents to comprehend.
So where does that leave the subject of the breach who has received no proper written apology or explanation for the breach from the Clerk or the Council, despite it being a high risk breach that could have/still might result in identity fraud?
The Clerk won't answer my requests for clarification saying that they consider the matter closed and any more correspondence from me on the matter will be treated as 'vexatious'.
I had a feeling there was more to this than the “back-slippers” had realised.
In part, if you’d been more detailed in the original question, there might have been a more considered set of responses but at least we’re getting to the nub of it now.
Sounds like a classic and perennial case of a clerk not knowing their role, having shortfalls pointed out to them then recoiling under misapplication of imagined authority and claiming bullying, intimidation or compromise of their professionalism.
Same old, same old….
I would have been more explicit but some of the revelations did not occur until yesterday. During the meeting the Clerk suggested that it was all my fault because I had not reported the breach until some time after it happened and then did so in public in a council meeting, which the Clerk considered was suspicious. Was the Clerk suggesting that I acted out of malice? That was certainly my perception and probably that of others attending the meeting including a member of the public. My point remains - when is a DPO not a DPO? I am seen as the villain by all and sundry when in fact I am the victim.
I TOTALLY get what you are saying! Been there, it’s no fun.
I’ll PM you later.
I bet if I did a pen picture of some key characters in your PC I reckon I’d be (a) pretty close and (b) mirroring exactly what mine was like.
Stick to your guns!
Sad but true!
