Councillors in an increasingly digital age

Social media can be a challenging area. It remains in many respects an unregulated (even lawless) arena, with an abundance of those who are all too ‘trigger happy’. Content posted on social media has the potential to reach a wider audience than ever before, rather than being confined to the locality in which the content originated. This means that content can have a much more significant impact, with a degree of permanence.

Correct use of social media

It is becoming increasingly common for standards complaints to be made on the basis of comments councillors have made on social media. As section 27(1) of the Localism Act 2011 places a positive duty on councils to promote and maintain high standards of conduct of members and officers, councils must seek to do so wherever their members use social media.

Section 27(2) of the Act states that the code of conduct applies when members are acting in their official capacity. This can present significant grey areas in the context of social media, where the line between acting officially or in a private capacity can be a difficult one to draw.

In January 2019, the Committee on Standards in Public Life published their report ‘Local Government Ethical Standards – A Review by the Committee on Standards in Public Life’. In respect of councillors’ use of social media, it recommended that there be a rebuttable presumption that when posting on social media they are acting in an official capacity.

The use of social media to attack and harass councillors is also raised within the report from the Committee on Standards in Public Life. As a result, it is important to ensure that members are fully informed about the appropriate use of social media, the potential consequences of their posts and the measures they can take to protect themselves from abuse or harassment.

Handling online abuse

Online abuse is an unfortunate feature of modern society and is difficult to prevent in the age of social media. The growth of social media has provided an additional and largely anonymous route for individuals and groups to engage in such activity. Concerns about online abuse of councillors are growing and whilst challenge and scrutiny are key parts of democratic accountability and should be welcomed, it should nevertheless remain constructive and courteous. Some residents may feel frustrated about an issue or wish to raise a legitimate complaint; but it should always be done in a polite and respectful way.

The abuse of public servants is unacceptable and the online abuse of councillors should not be tolerated. Councillors are committed individuals who invest a huge amount of time, energy and emotion into serving their communities and the public. They don’t often receive thanks or recognition for their efforts, but should not expect abuse and harassment.

Yet elected politicians are increasingly subject to abuse, threats and public intimidation, undermining the principles of free speech, democratic engagement and debate. These issues were explored and several recommendations were made in the December 2017 Report of the Committee on Standards in Public Life into Intimidation in Public Life. These were followed in February 2018, by Prime Minister Theresa May’s announcement that the government intended to make it an offence in electoral law to intimidate candidates and campaigners. The Johnson government backtracked on this in 2022 and rejected the call for any additional legislative regulation.

However, the Elections Act 2022 did introduce the limited penalty of a disqualification order for certain offences aggravated by hostility towards a victim's status as a candidate, elected office holder, or campaigner. If an adult is convicted of a specified offence deemed to be aggravated by this hostility, a court must impose a disqualification order (unless it would be unjust). This order prohibits the individual from standing for or holding elected office for five years, in addition to any other sentence for the original offence.

Guidance

The Local Government Association has published a guide for local councillors on how to protect themselves against intimidation, how to manage physical and online abuse, together with the legal and practical remedies available. The Councillors’ Guidance to Handling Harassment, Abuse and Intimidation includes detailed advice on:

Personal safety at ward surgeries, lone working, attendance at meetings and home visits
Managing, reporting and blocking abuse on social media
How local authorities can support councillors
What the law says around balancing freedom of speech and its limitations, and on physical intimidation.

The way in which members respond to a particular online post or to a repetitive troll requires personal judgment. Circumstances will vary and each post may require a different response depending on the nature and subject matter of the message, the history of the individual and the subject matter. Indeed, members need to be particularly careful about what they post online themselves. However, if a social media comment is defamatory, threatening or becomes harassment, they can take action and report it.

The legal position

The law is very clear. Threats to kill, rape, of serious violence, stalking and damage to property are all criminal offences. Intimidating behaviour and harassment, whether face to face, online, by letter or telephone is also a criminal offence. Even if it does not result in a criminal investigation or conviction it is important that the collective scale of the issue is reported.

Sending electronic communications to constituents

Issues presented by the digital age are not confined to social media. With the introduction of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), everyone is now operating in an environment of heightened awareness of information privacy rights.

Practical impact

There may be occasions when members might want to set up an email circulation list for a weekly newsletter or other communications to their constituents. Do they need to email the residents first to ask them if they are agreeable to you using their email address for this purpose?

In short, the answer is yes. Elected representatives and their parties should not use contact details for direct marketing unless they are sure that the constituents concerned would expect that contact from them and would not object. Specific consent is needed from constituents in the case of marketing emails, text messages or automated calls.

In terms of obtaining consent to send an electronic newsletter, members may already have a ‘bank’ of email addresses for their constituents where they have previously corresponded with them. In that case, they do need their consent in order to send them a newsletter or other communication in order to comply with the DPA. An email seeking such consent would suffice as it serves as a record of consent.

Members’ responsibilities

Keep evidence of consent – who, when, how and what they told people.
Keep consent under review and refresh it if anything changes.
Act on consent withdrawals as soon as possible – document the process establishing time periods for when this is undertaken.

How to construct a notice of consent and conditions

Make the consent request prominent, concise and easy to understand. Include as follows:

your name
the name of any third parties who will rely on the consent
why you want the data
what you will do with it
that individuals can withdraw consent at any time
ask individuals to actively opt in
don’t use pre-ticked boxes, opt-out boxes or other default settings
if possible give separate (‘granular’) options to consent to different purposes and different types of processing

What wording do members need to use on their websites and other communications when people sign up for their email list?

If you are gathering email contact details you must clearly explain the purposes for which you will use this information, in order to ensure that you are fair and transparent.
If you plan to send emails promoting political views to individuals, this will constitute direct marketing. Therefore, the individual must agree to you contacting them for this purpose via this particular channel.
When seeking consent to such communications, you must prominently and clearly explain what you are asking them to agree to so that their choice to provide you with their details is fully informed.
In all email communications you must identify yourself and provide a mechanism that individuals can use to object and request that you do not send them any further communications, such as an unsubscribe option.

You also need to be aware that your circulation list should not be shared but if you do then you will need to make it clear and inform your constituents as per the points above.

Registration with the Information Commissioner’s Office (ICO)

Since 1 April 2019, councillors are no longer required to register with the ICO and are exempt from paying a registration fee, unless they process personal data for purposes other than the exercise of their functions as an elected representative. Members may therefore still need to register with the ICO in their private capacity if they are conducting other business that falls under being a legal entity, e.g. if they run their own business and it falls within the criteria for registration.

Further relevant ICO guidance is here:

https://ico.org.uk/media/for-organisations/documents/1589/promotion_of_a_political_party.pdf

https://ico.org.uk/media/for-organisations/documents/1432067/advice-for-elected-and-prospective-councillors.pdf

Use of personal email addresses and devices

The majority of parish clerks attending the Society of Local Council Clerks Leadership in Action Conference 2019 ranked the use of personal email addresses and devices for council business as their top data protection concern.

The GDPR and the DPA don’t say which email systems or devices should be used. But if you use your personal email address and/or device to undertake council business, you should be aware of the risks and the council’s data protection obligations and responsibilities.

Duties

Councils must ensure the confidentiality, integrity and availability of all personal data they hold, even if the data is being processed through personal email accounts or is stored on a privately-owned device.
Councils must also process personal data securely – which is more difficult to achieve if it’s being processed through personal email accounts or is stored on privately-owned devices.
Councils must have ‘appropriate technical and organisational measures’ in place to prevent the personal data it holds being accidentally or deliberately compromised. This includes physical and organisational security measures and also cybersecurity. If data is shared around multiple devices this introduces more points of failure and vulnerability.
Councils must demonstrate that they are GDPR-compliant, and the use of personal email accounts and privately-owned devices make this more complicated.

As data controller, the council has obligations relating to the confidentiality, integrity and availability of all personal data it holds. This means that the council is accountable for any council business conducted involving personal data on any device or through any email account.

As data controller, the council must also ensure that all processing of personal data under its control remains compliant, regardless of the ownership of the device used to carry out the processing.

The use of personal devices and email accounts raises the risk that personal data could be processed for different purposes from which it was originally collected. All members of the council should therefore ensure they know their responsibilities in terms of only using personal data for the purposes which the council obtained it.

Risks

The data protection breach risks of a member using their personal email address or device are numerous, including:

documents may become inaccurate or out of date over time
they may be retained for longer than necessary
they may be shared inappropriately
they may be viewed by others, if others have access to the device and or private email address
they may make it difficult to respond to a subject access request and Freedom of Information requests if the council has to request that searches are made on multiple devices on which council data is stored
the device may not be secure e.g. password-protected, and there may be an increased risk of malware
if the device is lost or stolen, it may not be capable of being remotely located and the data wiped
the data may be accessed if the device is lost or stolen,
systems that are used to transfer data to other devices may not be secure
the blurring of personal and/or political use with council use

Consequences

Failure to comply with these obligations could result in the council being subject to fines or other enforcement action by the ICO, and both the council and the individual member concerned suffering the reputational damage that ensues from such enforcement actions.

Solutions

The principle of accountability requires the council to be able to demonstrate that it is complying with the GDPR and have appropriate policies and processes in place.

If personal devices or email accounts are being used, it should have effective organisational policies in place to ensure that the associated risks are managed. All members should be aware of the policies their implications, including via training, monitoring and audits.

Measures that may be implemented by the council’s IT section to reduce the risks associated with members using their personal email addresses or devices, include:

Registering the personal devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of device loss or theft
Password-protecting all devices, including ensuring that all councillor-owned devices are password protected, to stop unauthorised access of the device
Setting editing and printing restrictions on a document containing personal data
Password-protecting or encrypting documents sent by email
Only uploading documents containing personal data to a secure file share app, e.g. Microsoft teams, OneDrive or SharePoint, or onto the councillor login section of the council’s website and sending out an email notification of the upload to councillors

But by far the best way to reduce the risks is for members to only use the email addresses and devices issued to them by the council in order to access and process official council business.

Geoff Wild is a Legal and Governance Consultant. He is celebrating his 40th anniversary as a local government lawyer.

This is the latest in a series of articles Geoff has written – previous contributions include: