Chief Planner warns local planning authorities on GDPR and data protection

May 17, 2018

The Chief Planner has written to local planning authorities (LPAs) to remind them of the importance of complying with their data protection responsibilities when they exercise their planning functions.

In a letter Steve Quartermain said LPAs were advised to review the way in which they processed personal data in light of the EU General Data Protection Regulation (GDPR).

The GDPR, which will be directly applicable in the UK with effect from 25 May 2018, will repeal the Data Protection Directive, which was implemented by the Data Protection Act 1998. The Data Protection Bill, once it comes into force, will supplement the GDPR. The Regulation introduces new obligations on data controllers and data processors.

The Chief Planner said: “Planning is primarily focussed on regulating the use of land, however, information will be received by local planning authorities which contains personal data. In some cases, that data will be both personal and contain one or more of the categories of sensitive information which are subject to additional safeguards. Local planning authorities are likely to be data controllers for the purposes of the GDPR and are responsible for decisions on how personal data is processed.

“The recent First-Tier Tribunal decision and fine concerning breach of data protection requirements in relation to publication of sensitive personal data in a planning application highlighted the importance of having in place appropriate technical and organisational measures against unauthorised or unlawful processing of personal data.”

In January this year the First-tier Tribunal upheld the Information Commissioner’s decision to impose a monetary penalty on Basildon Borough Council for publishing sensitive personal information about a family in planning application documents that were made publicly available online. However, it did halve the fine from £150,000 to £75,000, saying the ICO had not given sufficient weight to certain points in mitigation and not taken into account others.

In his letter Quartermain pointed LPAs to the webpage of the Information Commissioner’s Office dedicated to EU data protection reform. This includes information directed at local authorities.

He added that the PARSOL guidance which was prepared in 2006 and refers to the Data Protection Act 1998 was now out of date, and had been removed from the GOV.UK website.

“To further assist local planning authorities ensure their processes are robust, the Planning Advisory Service, in consultation with the Information Commissioner’s Office, are leading a cross sector group preparing guidance on the processing of personal data in relation to planning applications,” he said.