I sent the following to the CEO of the ICO on 25Feb18. I will post her answer as soon as it comes.
Dear Ms Denham,
In your FAQs at https://ico.org.uk/for-organisations/local-government/local-gov-gdpr-faqs/ you say that a small local council must appoint a DPO because it is a public authority.
EUGDPR.org says at https://www.eugdpr.org/key-changes.html at the bottom of the page “….DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.” [my emphasis] [It does not show here but it was the word "only"]
The EUGDPR.org advice quite clearly does not apply to small parish councils who do not collect data, do not store data and do not process data within the meaning of the GDPR. As the Data Protection Act and the forthcoming GDPR, which anyway may be repealed after 31Mar2019, are being erroneously invoked to randomly redact documents and withhold information, please could you give much clearer instructions specifically aimed at the several thousand tiny parish councils now facing confusion and costs over these enormous, draconian and incomprehensible regulations? Advisors do not even seem to be able to adequately explain the key questions – what is data, and what is processing?
If I can write to the Daily Telegraph and it can publish my name and the part of my address, why can a parish council not do the same thing with correspondence from the public? If it is a duty of an LPA to publish the name and address of a respondent to a planning application, how can it be deemed by my parish council that they cannot do the same when publishing responses to a consultation? Why does my parish council assert that an individual must not be identifiable on the minutes? How can a parish council, which is urged by you to be open, transparent and accountable, publish contact details of clerks and councillors if it feels that to publish “data” is an offence under the DPA or the GDPR? These are rhetorical questions so please do not attempt to answer them; rather, please explain the very obvious failings of the GDPR and how you expect amateur parish councillors, and half-trained, semi-professional parish clerks to reconcile these various Acts and Regulations with the far more important FOI Act?
A regrettable cloak of secrecy is descending on local government because clerks and councillors are erring on the side of caution in fear of prosecution. They need clear advice and leadership and, in my opinion, your literature on the GDPR does not help. I would also hazard to suggest that unless this is properly explained in very simple terms to the public and local authorities you will be washed away by a tsunami of petty complaints arising from widespread misinterpretation of the GDPR.