Information Commissioner's Office
Blog: Three top issues for town and parish councils
The advent of the GDPR in May 2018 brought new data protection obligations for many organisations. Some of this presented a challenge, particularly for smaller organisations like parish and town councils, who we saw were keen to demonstrate their compliance but needed support to achieve this.
Now, well into the second year of the GDPR, it’s clear that organisations have woken up to the importance of getting privacy right and the new rights that the GDPR delivers, with increased protection for the public and increased obligations for organisations.
But the focus is shifting to a new phase from basic compliance with the law, towards accountability and a real evidenced understanding of the risks to individuals in the way they process data and how those risks can be mitigated. We’ve seen evidence of good practice across the board but we know there’s a lot more to do.
My colleagues and I have been working extensively with town and parish councils to help them with their compliance. For example, we’ve carried out a lot of engagement work around the GDPR, speaking to more than 50 local councils to help address their concerns, identify pitfalls and gain a better understanding of how they are run.
As a result of this work, we’re pleased to be launching a number of bite-sized resources which address the top three GDPR compliance challenges that we identified through the feedback we gathered from the sector.
- Own devices – Holding personal data on personal laptops or mobile phones and the use of non-council email addresses by councillors instead of the council system. Check out our fact sheet for local councils on the use of personal email addresses and devices.
- Data audits – Retention of information ‘just in case’ it could be useful doesn’t mean it’s necessary or proportionate to hold on to it. Councils could benefit by giving their records a good spring clean, deleting or destroying old data sets that have built up over time. Parish councils often don’t have formal handover processes in place which ensures clerks who are moving on hand over relevant data to the new clerk – and delete or destroy the rest. Download our data audit and retention resource pack which has been designed to help you think about the personal data your council is processing.
- Data sharing – Councils struggle with knowing how to share data appropriately with services such as leisure centres. They worry about potential conflicts between different pieces of legislation, and aren’t sure whether to publish residents’ names in council minutes, or how to redact them. Read the ICO’s six steps to data sharing in local councils.
We’ve also worked with parish council clerks through NALC and SLCC to understand the issues they face and provide consistent advice. We’ve attended NALC and SLCC national events to raise awareness of the GDPR and data protection and found out more about issues they faced and what kind of support they needed.
Through steady engagement we’ve seen councils grow in confidence and by encouraging others in the sector to follow their lead, parish councils will be better placed to be compliant – and be less likely to face action by the ICO. It’s important that data protection remains high on the agenda within the sector and we hope that National Association of Local Councils (NALC) and the Society of Local Council Clerks (SLCC) will continue taking this work forward to maintain the confidence that has developed.
View our resources for local councils at ico.org.uk/CouncilResources.
Latest News from
Information Commissioner's Office
Statement regarding the government’s initial response to Online Harms White Paper consultation13/02/2020 09:10:00
Elizabeth Denham, Information Commissioner, yesterday gave a statement regarding the government’s initial response to Online Harms White Paper consultation.
Joint statement warning FCA-authorised firms and insolvency practitioners to be responsible when dealing with personal data10/02/2020 09:10:00
Joint statement from the Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and the Financial Services Compensation Scheme (FSCS) (07 February 2020).
ICO celebrates excellence in data protection with third annual award for practitioners05/02/2020 12:25:00
The Information Commissioner is looking for data protection practitioners who have made an outstanding impact within their organisation.
Statement on data protection and Brexit implementation – what you need to do30/01/2020 12:25:00
The UK will leave the European Union on 31 January and enter a Brexit transition period.
ICO launches latest phase of privacy innovation grants programme29/01/2020 12:25:00
Applications are now open for the third round of funding from the Information Commissioner’s Office’s (ICO) grants programme.
Data Protection Day 202028/01/2020 11:43:00
The ICO marked this year’s annual Data Protection Day (27 January 2020) by highlighting data sharing resources and guidance.
ICO statement in response to an announcement made by the Metropolitan Police Service on the use of live facial recognition24/01/2020 15:15:00
In October 2019 we concluded our investigation into how police use live facial recognition technology (LFR) in public places.
ICO's blog on its information rights work23/01/2020 16:10:00
Colleagues from the ICO’s access to information and compliance department share their experiences and involvement in raising awareness of our regulation of access to information legislation.