Do the changes in Data Protection, May 2018 effect how Parish Councillors run their social accounts?

Question

Our council has been advised that the Clerk has to "tighten up the use of e-mails ". Please would you explain the details of this. Many thanks.

Answer 1

(Un)surprisingly there is no answer at the moment about the GDPR coming into force in May 2018.  Parish Councils are still waiting clarification from the National Association as to what they have to do.  A big issue is how to deal with emails and parish council business that is sitting on an antiquated computer with no protection, in a Councillors home.  There is no guidance on this point, just a lot of panicking clerks who understand that they should only hold onto information and personal details if they are relevant and necessary but with no idea as to how to police it.  I understand that the GDPR is still being discussed in parliament so until that has finished , everyone is waiting....

Comments

I sent the following to the CEO of the ICO on 25Feb18. I will post her answer as soon as it comes.

Dear Ms Denham,

In your FAQs at https://ico.org.uk/for-organisations/local-government/local-gov-gdpr-faqs/ you say that a small local council must appoint a DPO because it is a public authority.

EUGDPR.org says at https://www.eugdpr.org/key-changes.html at the bottom of the page “….DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.” [my emphasis][It does not show here but it was the word "only"]

The EUGDPR.org advice quite clearly does not apply to small parish councils who do not collect data, do not store data and do not process data within the meaning of the GDPR. As the Data Protection Act and the forthcoming GDPR, which anyway may be repealed after 31Mar2019, are being erroneously invoked to randomly redact documents and withhold information please could you give much clearer instructions specifically aimed at the several thousand tiny parish councils now facing confusion and costs over these enormous, draconian and incomprehensible regulations? Advisors do not even seem to be able to adequately explain the key questions – what is data, and what is processing?

If I can write to the Daily Telegraph and it can publish my name and the part of my address why can a parish council not do the same thing with correspondence from the public? If it is a duty of an LPA to publish the name and address of a respondent to a planning application how can it be deemed by my parish council that they cannot do the same when publishing responses to a consultation? Why does my parish council assert that an individual must not be identifiable on the minutes? How can a parish council, which is urged by you to be open, transparent and accountable, publish contact details of clerks and councillors if it feels that to publish “data” is an offence under the DPA or the GDPR? These are rhetorical questions so please do not attempt to answer them, rather please explain the very obvious failings of the GDPR and how you expect amateur parish councillors, and half trained semi professional parish clerks to reconcile these various Acts and Regulations with the far more important FOI Act?

A regrettable cloak of secrecy is descending on local government because clerks and councillors are erring on the side of caution in fear of prosecution. They need clear advice and leadership and, in my opinion, your literature on the GDPR does not help. I would also hazard to suggest that unless this is properly explained in very simple terms to the public and local authorities you will be washed away by a tsunami of petty complaints arising from widespread misinterpretation of the GDPR.

---

Thanks for this. Our agenda tonight has an invitation to a 3 hour seminar in Melton Mowbray by the East Midlands Councils. it is about (GDPR) General Date Protection Regulations. It is quite a long way away and Counillors wil be wondering if it is worth. As far as I am aware our systems areu p to date.

---

Here is the reply from Ms Denham


Thank you for your email received 25 February 2018.

You sent us your comments regarding how local parish councils may have difficulty fulfilling their obligations under the GDPR. You were asking us to explain “the very obvious failings of the GDPR” and how we expect amateur parish councillors, and half trained semi-professional parish clerks to reconcile these various Acts and Regulations with the far more important FOI Act.

You mentioned information about DPOs from www.eugdpr.org owned by www.trunomi.com and were comparing it with guidance from our website about DPOs. The GDPR states clearly in Article 37(1)(a) public authorities and bodies have to appoint a DPO.

However, these terms aren’t defined in the GDPR itself but in the Data Protection Bill. The Bill provides that public authorities and public bodies are those defined by the Freedom of Information Act 2000, the Freedom of Information Act (Scotland) 2002 and any authority or body specified by the Secretary of State in regulations. However, such an authority or body will only be such a public body or authority when performing a task carried out in the public interest or in the exercise of official authority vested in it.

We are aware of the difficulties faced by local parish councils regarding their obligations to appoint DPOs and this is the reason we had published our FAQs for local government.

In the coming weeks we are planning to publish GDPR guidance for micro organisations that may also be of help to small local parish councils. We have recently published an introduction to the Data Protection Bill. We also have extensive guidance of freedom of information and environmental information.

Regarding repealing GDPR, the Data Protection Bill or other data protection legislation, these are questions for the UK Government and Parliament to respond to as they are responsible for law making.

If you would like to discuss this case further, please contact me on my direct number 03304 14 6327. If you need advice on a new issue you can contact us via our Helpline on 0303 123 1113 or through our live chat service. In addition, more information about the Information Commissioner’s Office and the legislation we oversee is available on our website at ico.org.uk.

Yours sincerely

Jan Dobrucki
Case Officer
Information Commissioner’s Office
0303 123 1113 ext. 6327

I am not sure if it helps. None the wiser but maybe a little better informed.

Answer 2

This is from the ICO website.

https://ico.org.uk/for-organisations/local-government/

Answer 3

I am both a Parish Councillor and a Data Protection Officer and I really don't understand why the  clarification is taking so long from the National Association.  The requirements of the GDPR were published in 2016.  Yes, the Data Protection Bill is going through parliament which will apply the GDPR into UK law after Brexit and will also clarify some points, but the general requirements of the new legislation are well known.

Advice to tighten up the use of emails is not very helpful for you without further detail.  It could be a reference to the requirements around privacy by default and privacy by design, or it could refer to the requirements around retention of information, or perhaps to your ability to respond to individuals who want to exercise their rights of erasure, subject access etc.  

Answer 4

At a simplistic level, the Council must not reveal the e-mail address or other contact details of a member of the public without their consent.  So, for instance, if the Council issues a group e-mail, members of the public should be blind-copied rather than just cc'ed.  It should still be possible to list the names of recipients of the e-mail within the body of the e-mail to satisfy the transparency requirements.

Our parish council is being advised that they don't need to be ready for the 25 May deadline.  Consequently our Council has done no work whatsoever towards GDPR implementation.

Comments

NALC has sent a note to councils which includes the following...

the Information Commissioner’s Office (ICO) has issued a statement of reassurance setting out their views on the particular challenges facing the local council sector regarding the General Data Protection Regulation (GDPR), which we have very much welcomed. You can read the full statement in Policy Briefing PB01-18 but I wanted to draw to your attention the following section: "The Commissioner has said previously that the GDPR is a journey rather than a destination. She will be looking to councils to demonstrate that they are committed to making progress towards embedding the right processes and procedures. She wants to reassure councils that if they have a positive attitude to finding practical solutions to some of the challenges of implementation, they will find a pragmatic, fair and proportionate regulator."

HTH