Report for councillors: Data protection & related functions
Issued to: Town Council meeting 4th May 2020
Purpose of Report
To share information regarding the Council’s compliance with data management.
The Town Council has over some years amassed a number of policies and procedures. Many of these documents contain information that is out of date and a number of processes require review.
The current environment dictates that the Council must rely more heavily on electronic means of communication and this should be reflected in both policy and process, which should correspond to enable the Council to conduct its business in a transparent and lawful manner.
Data Management and Policy
An assessment of the policy documents has been carried out and dates for review identified. This review will take place over the coming months and will bring all corporate policies into a single corporate document that will prove easier to monitor and maintain.
Whilst the Council is required to hold remote meetings, we are required to circulate an increasing amount of data & confidential or sensitive documentation by electronic means.
The Council must comply with the General Data Protection Regulation 2018 and the Data Protection Act 2018. The two pieces of legislation work in tandem and require appropriate procedures to support them.
The legislation relates to data held about living and identifiable individuals. The information processed about these people might include contact details, services we provide to them or recordings of them.
The GDPR sets out seven key principles for the processing of data, which are:
- Data must be processed lawfully, with fairness and transparency
- Data must be collected for a specific limited purpose and not further processed in a manner not commensurate with that purpose.
- Data processed must be limited to what is necessary in relation to the purposes for which it is processed
- Data must be accurate and kept up to date
- Data must be kept in a way that identifies a data subject for no longer than is necessary for the identified purpose of processing
- Data must be processed in a way that ensures appropriate security of the data, including against unlawful and unnecessary processing and against accidental loss or destruction or damage, using appropriate technical or organisational measures.
- The data controller (the Council) is accountable and must be able to demonstrate compliance with the Principles.
The ico states that “these Principles should lie at the heart of [our] approach to processing personal data”.
Impact of data legislation
The laws apply to any councillor, member of staff or volunteer who has access to or uses data in their role for the Council. Breaches of the Principles can lead to the Data Controller (the Council) facing prosecution or public shaming that would result in a significant loss of trust by the public and other bodies in our sector.
Responsibility of the staff
It is the responsibility of the Town Clerk to assist the Council with its legal compliance and the implementation of good practice. It is also the Clerk’s role to bring to the Council’s attention any weakness in its compliance.
It is the role of line managers to ensure that personal data held within their work area is managed in a way to meet the aims of the Council’s policies and complies with the GDPR & the DPA.
All staff must be appropriately briefed or trained to be able to deal with data appropriately and lawfully.
Any data disclosed to any outside body performing a service for the Council or acting on its behalf, must include a written contract with the Council to evidence the ability of the outside body to comply with data issues, especially security.
The Council has selected a sector specific IT provider, Microshade, which has extensive security and encryption measure in place for the data it holds on our behalf. The National Association of Local Councils has assessed Microshade and subsequently appointed the provider as its partner for cyber security.
IT – staff use
All Council documents are stored within a closed system, accessible only to those with authorisation and using unique passwords. Any offline work required on a document is permitted only on Town Council owned and protected devices.
The council provides staff with email addresses operated under the same IT system, with the same protections. Staff are not permitted to download any files onto their own devices.
IT – Councillor use
The Council provides formal email addresses within a separate part of the IT framework provided by Microshade, but with equivalent protection as that used for staff emails. Email groups are set up and used by the office to reflect committee membership. It is the responsibility of the councillors to ensure they retain confidentiality of their password and control unauthorised access to the information held on their devices.
A laptop is provided to the Council Chairman/Town Mayor for the purposes of undertaking the role and accessing Council email. The laptop is password and security protected by our IT provider, but the laptop does not have access to the Council file system. Non-confidential documents can be downloaded to the device using Microsoft applications. The laptop remains the property of the Town Council and must not be used for personal business or leisure.
Unlike principal councils, the parish sector tends not to supply councillors with electronic equipment or use any form of intranet. Instead councillors usually are relied upon to provide the devices themselves. It is for the purposes of data control that the Council allocates each councillor with an email address for the transmission of all the Council’s information.
Bring Your Own Device (BYOD) – Councillors
The strict requirements on a Data Controller in respect of personal data also apply to councillors who hold data, to undertake ward work, for example. As long as individual councillors comply with appropriate management of data, without allowing breaches in security, individual councillors will be protected from the potential risks and costs associated with Subject Access Requests.
However, the ico has stated that it is important that councils whose members process data on their own devices should have in place a BYOD Policy. This is of particular importance now we are required to resort to more extensive use of electronic communications. The very nature of using own devices creates a weakness in data management, but applying appropriate policies and procedures will help mitigate any potential action and/or claim.
Please see the proposed policy accompanying this report.
If councillors using their own devices do not comply with the Council’s processes or legislation in dealing with data, there is a very real potential legal and financial risk to both them and the Council. The view of our internal auditor confirms this is not a reasonable risk for a council to face.
The ICO website has a page for local councils which makes reference to issues such as security and Bring Your Own Device policies. On this page the ICO clearly states:
“The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.”
It is my opinion, shared by the Council’s auditor, that this requirement it is very difficult, if not impossible, to comply with without the use of dedicated Council email addresses and the provision of and compliance with clear policies. The use of generic personal email addresses used on own devices would not comply with the requirements of GDPR as set out by the ICO, simply because the Council has absolutely no control over this data.
Ultimately the Council’s responsibility for data management is as big as the number of devices being used by the Council or its representatives. This means that the more devices representatives use to store and access Council data, the larger the size of the Council’s security footprint.
Existing Council practices
Assessment of the existing controls in place for the purposes of data management have revealed some weaknesses in both policy, procedure and staff/councillor interpretation of the requirements.
The parish sector is under no requirement to appoint a Data Protection Officer, but it is under a duty to carry out the function and comply with the legislation.
The Council has regular audits of its financial information and its health & safety practices. It is recommended that it also commissions a data protection audit. The audit will provide observations and recommendations required to meet compliance in a manner designed to enable staff & councillors to take immediate action to rectify any issues.
£90 DPO annual advice fee
£350 Audit fee
4057 101 budget code
Corporate Pillar 1: Engagement, Visibility and Transparency
1.1 Ensuring that we operate according to legislative and regulatory principles, whilst following ethical standards and best practice
- To adopt the BYOD Policy.
- To commission the Council’s auditor to undertake a full audit of data management.
This office is looking into the Council’s options for decreasing its data management risk, whilst making it far easier for cllrs to access the documents and services they need. A further report will follow once costings have been obtained.
Report author: Sam Winter, Town Clerk
Report Date: 27th May 2020