Agenda item

General Data Protection Regulation

(Local Councils) To receive a presentation from the Data Protection Officer of Epping Forest District Council, on the Council’s preparations for the introduction of the General Data Protection Regulation in May 2018.

Minutes:

Members received a presentation from S Tautz, the Data Protection Officer and Democratic Services Manager, on the Council’s preparations for the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018. Brexit would have no impact on the GDPR. Most of the Data Protection Act 1998 properties were being carried forward into the GDPR, which was progressing through Parliament. The main difference between the Act and the GDPR was that organisations would have to be able to show compliance to the GDPR. This would incorporate the appointment of a Data Protection Officer (mandatory for a public authority), technical and organisational measures, maintaining records of processing activities and DP impact assessment and DP by design/default. We are all data subjects. New rights would strengthen existing ones, particularly over the loss of personal data.

The Data Protection Officer (DPO) advised local councils that they would need to be able to demonstrate compliance. They would need to look at their organisation’s security measures. For instance, here all the laptops / computers were encrypted, and staff would check for ‘tailgaters’ through security controlled doors. They would need to look at who they held information about and to actively communicate with those people. As data controllers, they would need to build in new processes, if a risk was identified.

There must be a lawful basis for the processing of personal data, and the GDPR placed a higher threshold on the processing of data by consent. How consent was sought, obtained and recorded needed to be reviewed. Consent must be freely given with the individual’s agreement, and consent must be specific, informed and unambiguous. The processing of data covered everything, including processing nothing. There was therefore a very high standard that would have to be met. The DP policies would require more information at the point of data collection. It must be very clear how the different data was kept, and there would be a requirement / commitment to delete. All information provided must be concise and easy to understand, with clear language used in all communications. Organisations were required to correct inaccuracies. Individuals could request information to be erased, the ‘right to be forgotten’, in certain circumstances. If direct marketing was used, which this Council was not particularly active in, an individual must be able to seek intervention by a human being.

On subject access the rules would change. The compliance period for replying to a subject access request would be one calendar month instead of the current 40 days. The £10 charge currently levied under the DPA did have some deterrence, but this would change as usually no charges would apply under the GDPR. In certain circumstances subject access requests could be refused. However, if any requests were manifestly unfounded or excessive, charges could be levied. Authorities would need to demonstrate why there would be a fee, or why this request was being refused.

Procedures for data breaches were in place at this Council. Breach notification procedures were coming in, not for all breaches but those where individuals would be likely to suffer some form of damage. Thus the Information Commissioner’s Office (ICO) would require organisations to self-report the more serious breaches within 72 hours from when the breach was first reported, irrespective of weekends or public holidays.

On data protection impact assessments, it was good practice to adopt privacy by design. Privacy impact assessments would become a legal requirement under the GDPR for some projects. When personal data was going to be used in new / alternative ways, it was good practice to ensure DP was considered as part of the design and built into the processes.

Enforcement under the GDPR would introduce increased administrative fines for non-compliance. There had been some scaremongering in the press on fines the ICO could impose but this was in reference to the top end of fines, and could not be imposed on this Council as it did not hold that volume of personal data. Not all infringements would lead to serious fines as the ICO could use other sanctions as a means to enforce the GDPR, such as warnings, reprimands, a temporary / permanent ban on data processing, rectification or erasure of data.

The Council was currently getting its DP arrangements in order. It was a fairly intensive period, with officers busy identifying all processing activities, which ran into the hundreds. The Council was identifying its legal basis for processing, but as a local authority much would be carried out on a statutory basis. This also involved identifying who it was sharing the data with, including third parties, and reviewing all privacy notices so that they met the enhanced transparency requirement. The ICO had developed an information sheet for organisations, ‘12 steps to take now’, to help them make a start in planning how to comply by 25 May 2018. The regulator was also issuing new guidance on a daily basis, which could be viewed at the link below:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

A question and answer session followed from members.

Councillor A Lion said it was an interesting presentation but how did the DPO see his role in offering support to local councils, to which the Democratic Services Manager replied that he did not have this role within his remit as he did not have the capacity to offer that support.

Councillor S Jackman asked which local council representative could be a DPO if the clerks could not take on this role, perhaps the Responsible Financial Officer. The Democratic Services Manager replied that the only advice he could give related to the District Council. He suggested that guidance was available from the ICO. On general advice he said that the DPOs could not scrutinise themselves. Therefore the DPO was prohibited from controlling or influencing how personal data was processed or be part of the senior management of an authority. Councillor S Jackman asked how long should local councils wait for clarification on this, to which the Democratic Services Manager said that the ICO would need to address this.

Epping Town Councillor L Burrows asked about local councillors as data controllers and sought advice on this. The Democratic Services Manager said that individual councils should evaluate whether laptops used in public needed to be encrypted. The Council’s 58 councillors were data controllers, as was the Council. Members would receive personal data to fulfil their role. As an example, members on licensing panels received personal data on people’s convictions. Members would have electorate information. However, the security arrangements set up for this Council were for its members and officers only. Local councils would have to have their own procedures.

North Weald Parish Council Clerk S De Luca recommended local council members read the Essex Association of Local Councils (EALC) email sent earlier today, as it gave some guidance on this. Local councils were data controllers and any of their staff that processed data were data processors. The Democratic Services Manager advised that this was a matter for individual local councils. The requirement to be registered as a data controller with the ICO and pay the fee was changing under the GDPR.

The Democratic Services Manager said he would be happy to email his presentation to any members / local council members, upon request.

The Chairman thanked S Tautz for addressing the meeting.