Winchester Vacancies

SPOTLIGHT

A zero sum game?

The number of SEND tribunal cases is rising and the proportion of appeals ‘lost’ by local authorities is at a record high. Lottie Winson talks to education lawyers to understand the reasons why, and sets out the results of Local Government Lawyer’s exclusive survey.

In theory: local authority data retention

Data protection iStock 000011177922XSmall 146X219What are a local authority’s data retention obligations? John Atkinson talks to LexisNexis about at the practical steps councils should consider taking to ensure they do not fall foul of their legal obligations with regards to data retention schedules.

Scenario

A local city council is clearing out its offices in preparation of moving to a new site. An administrative assistant tasked with reviewing data retention schedules comes across a case file, for which the council is the relevant data controller, relating to an action taken against the council for its mishandling of a child care order. Although, the case has now been resolved the file is dated August 2006, which exceeds the council’s retention policy of seven years from the original event. The file contains information of a sensitive and personal nature, including the name and address of the child put into care and the details of the complaint made against the local council.

What regulatory actions might the local authority face if found to be in breach of its data protection obligations with respect to retention schedules?

The council may be in breach of one of the data protection principles, which could result in the Information Commissioner taking enforcement action.

The Data Protection Act 1998 (DPA 1998) prescribes a set of eight principles that organisations must observe when managing personal information. Principle 5 provides that personal data processed for any purpose shall not be kept for any longer than is necessary for that purpose. The fact that the council has not observed its own retention policy suggests that it has actually held the documents for longer than is necessary.

This file contains information of a sensitive and personal nature, including information about a child who was put into care. The Information Commissioner is likely to take a serious view of the council’s failure to observe its own retention policy in such circumstances.

The council may decide to report the breach to the Information Commissioner, who can help to ensure that it takes the right steps in response to the breach.

The Information Commissioner has a wide range of enforcement powers, including issuing enforcement and improvement notices, imposing monetary penalties or prosecuting for offences under the DPA 1998. In these circumstances, it is important for the council to take immediate action to remedy the breach and to cooperate with the Information Commissioner’s Office to ensure that its retention policy is properly applied in the future.

How should this kind of data be disposed of and is there any particular course of action you would recommend the local authority undertakes to fulfil this obligation?

If the information is held on a paper file then it should be destroyed physically, probably by shredding. If the information is held electronically then this will require the use of specialist skills. The Information Commissioner has issued detailed advice on deleting data from computers, laptops and other devices.

What steps or actions might the administrative assistant or the relevant data protection officer for the council take to ensure compliance with the company’s data retention schedule when handling such data?

The key to ensuring that data is reviewed and deleted in accordance with the council’s retention policy is to ensure that there is a systematic approach to the process. This could include an automatic reminder that a file requires review in accordance with the policy.

What training should be given to the council’s staff members to ensure they are equipped to deal with such situations?

Data protection is critical for local authorities and must be seen as a responsibility for all staff, not just the Data Protection Officer and their team.

All the council’s staff should receive appropriate training to ensure that they understand the importance of observing the data protection principles. This training should be repeated regularly to make sure that the principles are not forgotten or overlooked.

Do you have any practical advice for how the local authority can stay on top of its data retention schedule in the future, and ensure it manages all data for which it is responsible, correctly?

Lexis®PSL Local Government contains a number of Practice Notes, detailing practical activities for achieving compliance with the DPA 1998—these might be a good place to start. There is also a wealth of information and advice available on the Information Commissioner’s website. Ultimately, the local authority needs to recognise that data protection is a priority and ensure that its staff are fully trained and recognise the importance of managing personal information effectively and securely.

John Atkinson is an experienced local government lawyer and public law consultant. He was interviewed by Evelyn Reid.

This analysis was produced for LexisPSL Local Government with interviewee John Atkinson and originally published in LexisPSL Local Government. The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor. If you would like to read more quality articles like this, then register for a free 1 week trial of LexisPSL.