Information watchdog identifies three key GDPR compliance challenges for town and parish councils

The Information Commissioner’s Office has set out what it considers to be the three GDPR compliance challenges for town and parish councils.

In a blog on the watchdog’s website, Senior Policy Officer Stacey Egerton said such councils had been keen to demonstrate their compliance following the advent of GDPR in May 2018 but had needed support to achieve this.

Egerton said the focus was now “shifting to a new phase from basic compliance with the law, towards accountability and a real evidenced understanding of the risks to individuals in the way they process data and how those risks can be mitigated”.

The ICO had seen evidence of good practice across the board “but we know there’s a lot more to do”.

The watchdog has carried out engagement work around the GDPR, speaking to more than 50 local councils to help address their concerns, identify pitfalls and gain a better understanding of how they are run.

The top three challenges for town and parish councils in the eyes of the ICO are:

  1. Own devices – Holding personal data on personal laptops or mobile phones and the use of non-council email addresses by councillors instead of the council system. The ICO has produced a fact sheet for local councils on the use of personal email addresses and devices.
  2. Data audits – Retention of information ‘just in case’ it could be useful does not mean it is necessary or proportionate to hold on to it, Egerton said. “Councils could benefit by giving their records a good spring clean, deleting or destroying old data sets that have built up over time. Parish councils often don’t have formal handover processes in place which ensures clerks who are moving on hand over relevant data to the new clerk – and delete or destroy the rest”. The ICO has produced a data audit and retention resource pack which has been designed to help clerks and others think about the personal data their council is processing.
  3. Data sharing – Councils struggle with knowing how to share data appropriately with services such as leisure centres. “They worry about potential conflicts between different pieces of legislation, and aren’t sure whether to publish residents’ names in council minutes, or how to redact them.” The ICO has set out six steps to data sharing in local councils.

Egerton said the ICO had also worked with parish council clerks through the National Association of Local Councils (NALC) and the Society of Local Council Clerks (SLCC) to understand the issues they face and provide consistent advice.

“Through steady engagement we’ve seen councils grow in confidence and by encouraging others in the sector to follow their lead, parish councils will be better placed to be compliant – and be less likely to face action by the ICO,” she said.

“It’s important that data protection remains high on the agenda within the sector and we hope that NALC and SLCC will continue taking this work forward to maintain the confidence that has developed.”

The ICO’s resources for local councils can be found here.