By Stacey Egerton, Senior Policy Officer

14 August 2019

The advent of the GDPR in May 2018 brought new data protection obligations for many organisations. Some of this presented a challenge, particularly for smaller organisations like parish and town councils, who we saw were keen to demonstrate their compliance but needed support to achieve this.

Now, well into the second year of the GDPR, it’s clear that organisations have woken up to the importance of getting privacy right and the new rights that the GDPR delivers, with increased protection for the public and increased obligations for organisations.

But the focus is shifting to a new phase: from basic compliance with the law towards accountability and a real, evidenced understanding of the risks to individuals in the way organisations process data, and of how those risks can be mitigated. We’ve seen evidence of good practice across the board but we know there’s a lot more to do.

My colleagues and I have been working extensively with town and parish councils to help them with their compliance. For example, we’ve carried out a lot of engagement work around the GDPR, speaking to more than 50 local councils to help address their concerns, identify pitfalls and gain a better understanding of how they are run.

As a result of this work, we’re pleased to be launching a number of bite-sized resources which address the top three GDPR compliance challenges that we identified through the feedback we gathered from the sector.

  1. Own devices – Holding personal data on personal laptops or mobile phones and the use of non-council email addresses by councillors instead of the council system. Check out our fact sheet for local councils on the use of personal email addresses and devices.
  2. Data audits – Retention of information ‘just in case’ it could be useful doesn’t mean it’s necessary or proportionate to hold on to it. Councils could benefit by giving their records a good spring clean, deleting or destroying old data sets that have built up over time. Parish councils often don’t have formal handover processes in place to ensure that clerks who are moving on hand over relevant data to the new clerk – and delete or destroy the rest. Download our data audit and retention resource pack, which has been designed to help you think about the personal data your council is processing.
  3. Data sharing – Councils struggle with knowing how to share data appropriately with services such as leisure centres. They worry about potential conflicts between different pieces of legislation, and aren’t sure whether to publish residents’ names in council minutes, or how to redact them. Read the ICO’s six steps to data sharing in local councils.

We’ve also worked with parish council clerks through NALC and SLCC to understand the issues they face and provide consistent advice. We’ve attended NALC and SLCC national events to raise awareness of the GDPR and data protection and found out more about issues they faced and what kind of support they needed.

Through steady engagement we’ve seen councils grow in confidence, and by encouraging others in the sector to follow their lead, parish councils will be better placed to be compliant – and be less likely to face action by the ICO. It’s important that data protection remains high on the agenda within the sector and we hope that the National Association of Local Councils (NALC) and the Society of Local Council Clerks (SLCC) will continue taking this work forward to maintain the confidence that has developed.

View our resources for local councils at ico.org.uk/CouncilResources.

Stacey Egerton

Stacey Egerton is a Senior Policy Officer in the ICO’s Public Services Engagement Team. Stacey leads the stakeholder engagement for local government and has worked very closely with the local council sector in relation to the new data protection legislation, focusing particularly on the issues and challenges being faced by the sector and improving overall compliance.