GDPR has been in the news a lot lately, and rightly so. It makes some significant changes to data protection law in the UK (and elsewhere), as well as making some practices compulsory that were previously merely recommended best practice.
I’m not going to try and provide a detailed analysis of GDPR here. But, from conversations with council colleagues, I felt that it might be helpful to go over a few of the aspects of it that are most likely to affect local councillors.
The ICO’s guidance
The ICO’s position is that councillors should register as data controllers. So far, this advice hasn’t been tested in court. However, my understanding of the relevant legislation is broadly the same, and I’m certainly not going to argue with the ICO’s legal team.
However, there are issues here. Registration is not free. And, while principal and county councillors get an allowance which, in most cases, more than covers essential costs such as this, parish councillors don’t. It can be hard enough to get people to stand for parish councils as it is, and making them pay for the privilege of being elected (or co-opted) is hardly going to help. I would hope that the ICO would recognise this, and introduce a free tier of registration for unpaid elected members of public bodies.
Another problem with a lot of the ICO’s published guidance is that it repeatedly refers to “businesses”. That can be misleading, as it implies that non-business users of data – such as councillors – aren’t affected by GDPR. But that’s the wrong way round. GDPR applies to everyone unless their use falls under one of the defined exemptions. And council work isn’t one of them. So GDPR definitely does apply to councillors, and councillors need to understand how it affects them.
Consent is not everything
You will, I’m sure, have been bombarded by emails from various organisations asking you to re-consent to getting communications from them. And you may have seen stories on social media of even more extreme examples, such as GP surgeries asking for consent to send you appointment reminders by SMS.
However, a lot of this is unnecessary, and results from a misunderstanding of the law. The one thing you absolutely do need explicit consent for is sending marketing material electronically (eg, by email or SMS). As a councillor, that will affect you at election time as election material is deemed by the ICO to be marketing. So you can only send campaign emails to people who have explicitly opted in to receive them. But that is only a tightening up of existing best practice, so, unless you have previously been sailing close to the wind, that’s not going to be an issue.
Lawful use of data
You do not, though, need to get explicit consent to process the data of people who contact you in your role as a councillor asking you to help them with a problem or to report an issue with council services. If someone has asked you for help, it is obviously in their interests for you to help them, and in your interests to do so effectively.
So in this case, your justification under GDPR for processing their data (including communicating with them) is what the legislation calls “legitimate interest”. And your council, if and when you pass the complaint or issue on to them, will be able to act under the “public task” justification. (So, actually, might you; the ICO’s guidance isn’t entirely clear on this point and, again, it has yet to be tested in court.) Neither of those requires consent.
One thing you can’t do, though, is take the details of someone who has contacted you in your role as a councillor because they are asking for your help, and then use them for other purposes. In particular, you can’t use them for electioneering, as that’s marketing (see above).
What really does matter is data security. GDPR significantly toughens up the rules about how you look after data in your possession, including a requirement to notify the ICO if you suffer a data breach, and considerably greater penalties for any shortcomings in your security practices.
This is probably the single biggest effect that GDPR will have on councillors, and an effective understanding of data security is essential.
Councillors, by nature of the role, will inevitably be in possession of other people’s personal data. And in many cases, this will extend to what the legislation refers to as “sensitive” data – for example, health records, religion, even an individual’s politics! So you need to take care to ensure it is stored securely.
What is an appropriate form of security will vary according to circumstances, and there’s no one-size-fits-all solution. But these are some things that form a good starting point:
- Paper records (including written correspondence) should be stored in a lockable filing cabinet.
- Portable devices (iPads, laptops, etc) should be protected by, at minimum, a secure password and/or PIN.
- Where possible, personal data stored on a device should be encrypted so that it is unreadable even if the device is dismantled and the storage removed. If that isn’t possible, try to avoid storing sensitive data on the device’s local storage at all. It’s safer to use it as a means of accessing a remote, and secure, data store.
- Every account that you have on any local device (such as a laptop) or external system (such as an email provider, or a council intranet) should have a strong, unique password known only to you. Check your passwords against Have I Been Pwned.
- Do not share your passwords with anybody else. Where there is a genuine requirement for someone else to have access to personal data that you control, then give them their own access to it rather than letting them share yours.
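The Have I Been Pwned check mentioned above is designed so that your full password never leaves your machine: only the first five characters of its SHA-1 hash are sent, and the matching is done locally. The following is an added example (not code from the original post) showing how that works, with an offline constructed sample response so it runs without network access; the live endpoint URL and the “SUFFIX:COUNT” response format are the service’s published ones.

```python
"""Have I Been Pwned style password check using the k-anonymity range API.
Added example: the live URL and response format are HIBP's published ones;
SAMPLE_RESPONSE below is constructed for offline use, not real breach data."""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def sha1_prefix_suffix(password: str):
    """Return (first 5 hex chars, remaining 35) of the upper-case SHA-1 hash."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse 'SUFFIX:COUNT' lines; return the count for our suffix, 0 if absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def fetch_range_live(prefix: str) -> str:
    """Fetch the real range response; only the 5-char prefix is transmitted."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "councillor-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range_live) -> int:
    """How many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, fetch(prefix))


def constructed_response(known: dict) -> str:
    """Build a fake range response for the given {password: count} pairs (constructed)."""
    lines = ["0" * 34 + "A:3"]  # filler entry in the real 35-char suffix format
    lines += [f"{sha1_prefix_suffix(pw)[1]}:{n}" for pw, n in known.items()]
    return "\r\n".join(lines)


SAMPLE_RESPONSE = constructed_response({"password123": 12345})  # constructed sample


def offline_check(password: str) -> int:
    """Run the check against the constructed sample instead of the live API."""
    return pwned_count(password, fetch=lambda prefix: SAMPLE_RESPONSE)
```

Swap `offline_check` for `pwned_count` to query the live service; a non-zero result means the password has appeared in a known breach and should be changed.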
Storage and retention
Don’t store data longer than you need to. Obviously, how long that is will depend very much on circumstances. This is another aspect where confusing and, in some cases, downright misleading information has been doing the rounds of the Internet. You certainly don’t need to delete every email immediately after you’ve read it and shred every letter before sunset.
Again, this is where the reasonable expectations of residents will come into it. People who need to contact you a second time regarding an issue will clearly expect that you still have their previous correspondence. And people who contact you regularly (and all councillors will have those!) will, often, expect you to be able to instantly recall every detail of everything they’ve contacted you about in the past!
So don’t go overboard on cleaning out data that has a reasonable prospect of being needed again. But, equally, don’t be a data hoarder. For email, have a standard retention period on your main inbox, but then move stuff you need to keep to a separate mailbox that doesn’t get automatically deleted (and review its contents regularly). For paper correspondence, have a regular sort out of stuff you need to keep and stuff you don’t. And shred the latter.
On the other hand, you should make sure that your data is securely backed up. This is standard IT good practice anyway, but the more important your data is, the more it matters.
The key word here, though, is “secure”. Backups have to be kept separately from the device that they are backing up, but they need to be kept in a secure location that only you have access to. If you are storing them offsite (always a good idea), then use a service which encrypts your data so that even the providers of your backup service can’t read it.
Don’t let backups become long term archives. That’s not what they’re for. Backups are a snapshot of your current live files, so that, if something happens to your laptop, or your iPad, or whatever, you can recover them. If you no longer need to store data locally, then it doesn’t need to be in the backups either.
Email is a particular issue for councillors as it has become pretty much the default means whereby we communicate with each other, with officers and with residents. Good data security practices apply to email as much as anything else, but there are some additional factors to consider.
Don’t use a shared email account for council-related email. If you are fortunate enough to be able to have staff helping you on casework, then giving them delegated access to your email is acceptable (although bear in mind that you are still responsible if they screw up). But don’t use an email account that’s shared with someone else. None of these “Mr and Mrs Jones” or “The Bloggs Family” type accounts. Council email should always be on an individual account that you, and you alone, control.
Ideally, council email should be separate to your personal email. If your council provides councillors with email addresses (eg, in the form of [email protected]) then make sure you use that exclusively for council work. If not, then I’d recommend getting a separate email address specifically for council work. It’s easy enough (and free) to create an address at any of the major webmail providers, such as Gmail and Live Mail, and their security is good enough for this kind of use. But be wary of smaller providers that may not fully encrypt mail stored on their servers.
Take GDPR seriously – but don’t listen to the hype
There are a lot of scare stories about GDPR doing the rounds. Most of those revolve around the false belief that GDPR requires consent for every form of data processing. That is so untrue as to be laughable. But it is, nonetheless, a common misapprehension. Another common misbelief is that GDPR only applies to email marketing. That’s not true; it applies to every form of personal data processing (unless covered by an exemption).
However, we are still in the early days of GDPR, and many of its aspects haven’t yet been tested in court. Until then, we don’t know which side of the line some edge cases will fall. And council work is, unfortunately, the sort of thing which is likely to generate those edge cases, as it isn’t as easily classifiable as most commercial uses of personal data.
ICO guidance, and case law, will inevitably evolve in the light of circumstances which need to be tested.
What that means is that keeping up to date with the current interpretation and best practice of GDPR is as important for councillors as keeping up to date with, for example, planning policy and licensing law.
Don’t just take my word for it. There are plenty of online resources that will help you navigate GDPR. Here are a few of them.
- Despite its tendency towards ambiguity at times, the ICO’s guidance should be your first port of call – especially the section on legitimate interest, since that’s likely to be the most appropriate justification for most data processing by councillors.
- The Data Matters blog from law firm Mishcon de Reya has a lot of relevant GDPR content.
- The Data Protection Network’s guide to GDPR is aimed primarily at businesses, but has a lot of relevance for non-commercial users of data as well.
- Another blog worth following for GDPR content is Information Rights and Wrongs.
- The 2040 Training Guide to Fundraising and Data Protection, while aimed primarily at charities, has a lot of useful advice for everybody.
- The National Cyber Security Centre has a lot of good advice on almost every aspect of digital and online security, including a section on GDPR.