
Complainant's personal info given to Council

0 votes
Clerk has sent out an email from a MOP raising concerns about the Council and parish in general. The email contains the complainant's email address, name and home address. Is this a breach of data protection? The Cllrs are all using their own email addresses. There are no policies at all in operation at this Council.
asked by (320 points)

3 Answers

+1 vote

Hi Helen,

This I am afraid is a grey area. The GDPR legislation isn't as black and white as many had hoped. Until that happens there will, I guess, be some understanding for genuine and low-level errors.

In response to your specific question - The Clerk should have asked themselves the following question: Do the Councillors NEED that information? (In this case, email address - in other cases could be the name and address). The short and simple answer is no. The Clerk, being the employee of the council and the initial recipient of the email is the only person who needed that information. The Clerk should have simply copied and pasted the content of the email redacting any information that could be considered personal and therefore unnecessary.

That said, if you were to report the breach to the Information Commissioner's Office they would ask two initial questions...

1. Have you contacted the person who submitted the email to explain it was passed to Councillors?

2. By sharing the email address in the way that you did has it caused any damage to the person who emailed i.e. increased unwarranted marketing calls, harassment or a danger to life for example?

The answer to number two is probably little to none for the example you have described and therefore the ICO would be unlikely to investigate. It would, however, log the incident to ensure this is not repeated.

Actions you need to take are:

1. Inform the Clerk and the Council that it is a breach.

2. Request that the Clerk email the person that sent the email explaining that they had sent it to all Councillors by mistake and that it will not be repeated.

3. Request that the Clerk creates a GDPR policy (Urgently) and have it signed off and implemented by the council.

4. If the above does not happen then explain to the council that you will report the incident to the ICO.

I reiterate this is a low-level breach which can be remedied very easily and very quickly but it is important to understand that it is still a breach.

Hope this helps.

answered by (3.7k points)
Thanks Chloe for your response which is exactly how I understand the regs. The Clerk is being very defensive and cannot see what she has done wrong stating Council need to know that it is a genuine complaint hence the personal details given out.
I always believed that the Clerk was a point of contact but any correspondence sent was actually for 'The Council'. How could the council deal with a complaint or issue unless they are told about it? The sender has happily given their details and I would imagine are happy for these to be seen by The Council not just the Clerk. I would much prefer to have an email forwarded to me rather than have bits of it copied and pasted. What if a bit was missed out?
Hi Jann,
The point is being somewhat missed here. The full council do not need to know the complainant's email address, this is a point of the GDPR legislation. People only need to know what they need to know basically.
The information that the full council need to know in this case is the body of the email (The complaint). An email can be forwarded from someone and have their email address redacted.
I totally appreciate how silly the breach sounds but many European laws seem odd. However the point still stands that technically it is a breach because the full council did not need to know the email address.
However, as I also mentioned because the risk of harm is minimal the ICO would probably only advise to strengthen the council's own policies and procedures regarding the way it handles data.
0 votes

 In response to Chloe's point 4, I don't believe the sharing of the details meets the ICO's criteria for reporting. 

The 'data controller' here is the Parish Council and the information has been shared with its officers.  For a breach to be reportable, there has to be a realistic probability of harm as a result. I would suggest that it would have been within the reasonable expectation of the complainant that their information might be shared with councillors and whilst some information could have been redacted, I'd suggest that it is information which councillors are entitled to know and therefore there has been no unauthorised access.

However, that said, the Parish Council is required to have appropriate security measures in place, and I would be concerned about the use of personal email accounts by Councillors. In the event that one of those is hacked, the ICO is likely to be interested both in your assessment of the risk this presents and in the extent of any training or guidance received by Councillors on data protection matters.

answered by (830 points)
As a Solicitor I can confirm it IS a reportable offence as is ANY unauthorised use of personal data. Referencing other details within my response I said the likelihood of the ICO taking action is extremely slim.
Hi Chloe,  I'm always keen to learn so I'd be interested to understand what leads you to that conclusion? I've always referred to the GDPR and the ICO guidance below, both of which state that only breaches that meet the risk threshold require reporting. What have I misinterpreted or overlooked?

Article 33 of the GDPR says "In the case of a personal data breach, the controller shall.... notify the personal data breach to the supervisory authority... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".

This is reinforced in the ICO's guidance which says "When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk..... If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it".
Hi Smallb34r

I sincerely hope your point is to learn further rather than be flippant as this really is a platform for learning and sharing.
As I clearly stated in my initial response and in my subsequent responses - information (Email address) has been shared where it is unnecessary to do so = breach!

As we do not know the content of the complaint nor whether the complainant is known to a Councillor personally in some capacity we can only assume in our responses. Having spoken to our internal contact at the ICO today I can confirm what I stated earlier...

A risk assessment should be done by the Clerk in regards to what risk the breach has had. It is highly likely that the risk is extremely minimal but this won't always be the case and therefore policy is needed. Minimal risk is still a risk nevertheless.
I clearly pointed out in my step approach what should have happened internally to the parish council and what the submitter can do should the Clerk still be dragging their feet. There are several examples of email addresses being forwarded and serious consequences occurring as a result, that is why it can't simply be ignored.
GDPR is a grey area and the ICO will be the first to admit that they too have to learn as they go along because of potential conflicts between the previous more detailed Data Protection Act and the more vague GDPR - yet the latter comes with stronger penalties.
That is why legal teams such as my own are paid to pick through the bones of legislation.

Hope that clarifies for you.
Thank you. The Clerk has now informed Council via an unrecorded meeting that the Chairman will have limited access to sensitive information. The complainant was the Chairman's husband. No movement on emails or policy. Is this legal?
Hi Helen

I sense you’re in a difficult position here. To help you move forward as a council I suggest you email the ICO explaining the situation and asking for best practice advice.

Although you’ve been given it here I think you need to provide the council with information direct from the ICO.

Other than that report any breaches and tell the council “I told you so” when they receive fines etc.
0 votes
The Council has a legal duty to comply with the GDPR 2018 regulations.  If it is true that "There are no policies at all in operation at this Council" means there is no data protection duty, the Information Commissioner should be informed.  Personal data can be provided to Councillors, but consent must be given by the complainant for this via a declaration that the appropriate privacy notice has been read and accepted.  https://ico.org.uk/global/privacy-notice/
answered by (11.8k points)
The complainant is the husband of a Cllr. The clerk shared the email to all cllrs. Technically it was not a complaint but comments and concerns about the Council.
