As a parish or town council you will be aware of the need to follow the strict rules around processing peoples 'personal data'.
The UK GDPR requires all 'data controllers', including local councils, to process personal data with care, and in line with the data protection principles set out in law.
Personal data includes any information that can identify someone, or make them identifiable, and it must relate to them.
For parish and town councils, personal data can relate to your council's staff, your councillors, your service users, members of the public - and more.
The upshot is the compliance regime parish and town councils have become used to, including the need to:
Identify the reasons you process peoples data
Risk assess harm to their rights and freedoms by your processing activities
Document the lawful basis you will rely on to allow you to undertake what you need to do to run your council
Service individuals' rights requests under the legislation, such as Subject Access Requests
Maintain a suite of informative policies and documentation to explain what you do with their information and why you do it
Publish a council-specific Privacy Notice that summarises much of the above
But it could be tougher still, save for one section of the UK Data Protection Act 2018...
Section 7 of the 2018 Data Protection Act provides specific relief to parish councils by exempting them from one of the requirements that are imposed on larger authorities.
This section says that parish and town councils are not automatically required to employ a Data Protection Officer*.
Look at that, I just saved you a salary!
However, there may be times when you are required to hire a Data Protection Officer for other reasons, such as large scale processing of Special Category Data or Large Scale Monitoring of the public, so it might not be a total exemption for you, but for most parish councils it is at least one requirement of the UK GDPR that doesn't apply.
But before you reach for the Prosecco and throw a “GDPR is nothing to do with our council” party, remember that 99% of the rules still apply to parish councils.
Lawful processing, purpose limitation, data minimisation, strategies for ensuring accuracy, correct retention periods, security and documentation as well as compliance with all the rights given to people over their data are all still applicable.
So it's worth putting the Prosecco back in the fridge and checking your compliance first before you go popping the cork... 😊
At Breakthrough Communications, we don't act as Data Protection Officers for councils. Instead, we provide Data Protection Reviews, as well as Data Protection and FOI Advice and Support services.
This means we're here whenever you need us, without the HR or administrative burden of a salaried member of staff. More importantly, we're independent, impartial and experts in local government.
* Data Protection Officer - designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. They may be a staff member with expert knowledge, or fulfil the tasks on the basis of a service contract. Duties include informing and advising the organisation and the employees who carry out processing of their obligations, monitoring compliance, awareness-raising, training of staff involved in processing operations, providing advice where requested as regards the data protection impact assessments, cooperating with the ICO and acting a a contact point for the ICO on issues relating to processing.