Do parish and town councils need to appoint Data Protection Officers?


Parish and town councils of all shapes and sizes have a legal obligation to comply with information governance legislation, including UK GDPR and Data Protection legislation, as well as Freedom of Information and the Environmental Information Regulations.


Whilst the council as a body is responsible for complying with these legislative frameworks, it is usually the Clerk, or another council officer, who has day-to-day responsibility for compliance.


However, in most circumstances, parish and town councils do not specifically need to appoint Data Protection Officers (DPOs). The exception, in law, is where:


"...the core activities of the controller consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or the core activities of the controller consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10"


In other words, it's not just about processing special category data, it's about large-scale data processing, which almost no parish or town council does (at least, in relation to what the law describes).


Ultimately, as the data controller, it must be the council's decision as to whether they need a DPO or not, but it's important to understand that the requirements of a DPO come with a very strict definition and carry specific responsibilities.


A DPO should not just be a lay person (this would include someone who may have received some level of training but isn't a specialist). A DPO should be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39 of the UK GDPR.


So whilst a Clerk or officer may have a responsibility within their job description for data protection compliance (and usually FOI/EIR compliance, too), that's not the same as a Data Protection Officer.


At Breakthrough Communications, we do not act as DPOs, but rather provide comprehensive support for local councils to get their information governance obligations right.


Through our Council Hive service, we help councils deal with FOI and GDPR requests, as well as helping them receive the right training at the right time, and keeping them up to date with best practice.

