Information Commissioner's Office
Blog: Three top issues for town and parish councils
The advent of the GDPR in May 2018 brought new data protection obligations for many organisations. Some of this presented a challenge, particularly for smaller organisations like parish and town councils, who we saw were keen to demonstrate their compliance but needed support to achieve this.
Now, well into the second year of the GDPR, it’s clear that organisations have woken up to the importance of getting privacy right and the new rights that the GDPR delivers, with increased protection for the public and increased obligations for organisations.
But the focus is shifting to a new phase from basic compliance with the law, towards accountability and a real evidenced understanding of the risks to individuals in the way they process data and how those risks can be mitigated. We’ve seen evidence of good practice across the board but we know there’s a lot more to do.
My colleagues and I have been working extensively with town and parish councils to help them with their compliance. For example, we’ve carried out a lot of engagement work around the GDPR, speaking to more than 50 local councils to help address their concerns, identify pitfalls and gain a better understanding of how they are run.
As a result of this work, we’re pleased to be launching a number of bite-sized resources which address the top three GDPR compliance challenges that we identified through the feedback we gathered from the sector.
- Own devices – Holding personal data on personal laptops or mobile phones and the use of non-council email addresses by councillors instead of the council system. Check out our fact sheet for local councils on the use of personal email addresses and devices.
- Data audits – Retention of information ‘just in case’ it could be useful doesn’t mean it’s necessary or proportionate to hold on to it. Councils could benefit by giving their records a good spring clean, deleting or destroying old data sets that have built up over time. Parish councils often don’t have formal handover processes in place which ensures clerks who are moving on hand over relevant data to the new clerk – and delete or destroy the rest. Download our data audit and retention resource pack which has been designed to help you think about the personal data your council is processing.
- Data sharing – Councils struggle with knowing how to share data appropriately with services such as leisure centres. They worry about potential conflicts between different pieces of legislation, and aren’t sure whether to publish residents’ names in council minutes, or how to redact them. Read the ICO’s six steps to data sharing in local councils.
We’ve also worked with parish council clerks through NALC and SLCC to understand the issues they face and provide consistent advice. We’ve attended NALC and SLCC national events to raise awareness of the GDPR and data protection and found out more about issues they faced and what kind of support they needed.
Through steady engagement we’ve seen councils grow in confidence and by encouraging others in the sector to follow their lead, parish councils will be better placed to be compliant – and be less likely to face action by the ICO. It’s important that data protection remains high on the agenda within the sector and we hope that National Association of Local Councils (NALC) and the Society of Local Council Clerks (SLCC) will continue taking this work forward to maintain the confidence that has developed.
View our resources for local councils at ico.org.uk/CouncilResources.
Latest News from
Information Commissioner's Office
SMOs must “prepare for all scenarios” to maintain data flows when UK leaves the EU11/09/2019 14:20:00
The ICO has urged businesses to “prepare for all scenarios” as it publishes dedicated guidance to help small and medium sized organisations prepare for the possibility that the UK leaves the European Union with no deal.
Information Commissioner’s Office issues warning about historical personal details accessed through work06/09/2019 12:25:00
An ICO investigation into the actions of two former Metropolitan Police Service (MPS) officers has concluded.
Statement on the High Court judgement on the use of live facial recognition technology by South Wales Police04/09/2019 13:25:00
An ICO spokesperson responded to the statement on the High Court judgement on the use of live facial recognition technology by South Wales Police
Data minimisation and privacy-preserving techniques in AI systems22/08/2019 12:20:00
Reuben Binns, our Research Fellow in Artificial Intelligence (AI), and Valeria Gallo, Technology Policy Adviser, discuss some of the techniques organisations can use to comply with data minimisation requirements when adopting AI systems.
Statement: Live facial recognition technology in King's Cross19/08/2019 15:25:00
Statement from Elizabeth Denham, Information Commissioner, on the use of live facial recognition technology in King's Cross, London.
Statement: Live facial recognition technology in Kings Cross16/08/2019 10:10:00
Statement from Elizabeth Denham, Information Commissioner, on the use of live facial recognition technology in Kings Cross, London.
ICO launches consultation on the draft framework code of practice for the use of personal data in political campaigning09/08/2019 14:20:00
The Information Commissioner's Office (ICO) is consulting on a new framework code of practice for the use of personal data in political campaigning.
Blog: Protecting children online: update on progress of ICO code07/08/2019 15:10:00
Blog posted by: Elizabeth Denham, Information Commissioner, 07 August 2019.
Fully automated decision making AI systems: the right to human intervention and other safeguards06/08/2019 10:25:00
Reuben Binns, our Research Fellow in Artificial Intelligence (AI), and Valeria Gallo, Technology Policy Adviser, discuss some of the key safeguards organisations should implement when using solely automated AI systems to make decisions with significant impacts on data subjects.