Local councillors who handle personal data must check if they need to register as a data controller or risk a fine of up to £5,000.
Most councillors are likely to hold personal data for a variety of purposes. They need to ensure that procedures are in place for data protection security measures and that they are adequately resourced.
The Information Commissioner’s Office (ICO) is writing to councillors across the country to urge them to check if they are fulfilling their legal requirements under the Data Protection Act.
Over 6,000 councillors are currently registered with the ICO, but a further 13,000 are potentially not fulfilling their obligations.
Simon Entwisle, Director of Operations at the ICO, said:
“Most councillors have regular access to the personal information of the residents they represent. Like all organisations who handle people’s information, it is of paramount importance that they take their responsibilities under the Data Protection Act seriously.
“We will be writing to councillors with advice on whether they need to notify with the ICO. Those who fail to notify with us when required may face enforcement action.”
While not all councillors will need to notify with the ICO, failure to do so when required is a criminal offence and, if convicted, defendants can face a fine of up to £5,000 in the Magistrates Court or an unlimited fine in the Crown Court.
In determining whether they need to notify, councillors need to consider the role in which they are processing personal information. If doing so as a member of the council or as a representative of a major political party, councillors will not normally be required to notify with the ICO. However, when carrying out their role as a representative of the residents in a ward or an independent councillor who is not affiliated to any political party a councillor may need to notify.
Example of recent ICO monetary penalties for non Data Compliance as of 22nd November 2010:
- A monetary penalty of £60,000 was issued to employment services company A4e Limited for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester. View PDF of the A4e monetary penalty notice
- A monetary penalty of £100,000 was issued to Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. View PDF of the Hertfordshire County Council monetary penalty notice
The Information Commissioner’s Office has issued data protection guidance for elected and prospective members of local authorities. It includes information about notification.
This good practice note here www.ico.gov.uk/for_organisations/sector_guides/political.aspx aims to provide elected and prospective members of local authorities with guidance about how the Data Protection Act 1998 (the Act) applies to them.
The Act regulates the holding and processing of personal information that relates to living individuals and which is held on computer or, in some cases, on paper.
Organisations or individuals that process personal information covered by the Act may need to notify the Commissioner about their processing. A description of the processing activities is placed on a public register of notifications. These organisations or individuals must also comply with eight data protection principles which together form a framework for the proper handling of personal information.
Individuals whose personal information is processed have rights under the Act, for example, to a copy of the information that is held about them. Examples of how a councillor may use personal information and whether this would require them to register with the ICO are included below:
- as a member of the council – Councillors may have access to, and process, personal information in the same way as employees. In this case it is the council rather than the elected member that determines what personal information is used for and how it is processed. For example, if a member of a housing committee has access to tenancy files to consider whether the local authority should proceed with an eviction, or when a member of a licensing committee has access to an application for a taxi licence, they are carrying out the local authority’s functions. In this case the elected member does not need to notify in their own right.
- as a representative of the residents in their ward – Councillors are likely to have to notify in their own right – for example, if they use personal information to timetable surgery appointments or take forward complaints made by local residents.
- as a representative of a political party, for instance as an office holder -Councillors are entitled to rely upon the notification made by the party. When individuals campaign on behalf of political parties to become the elected members for a particular ward, they can rely on the parties’ notification, if the party determines how and why the personal information is processed for the purpose of their individual campaigns. Individuals who are not part of any political party but campaign to be an independent elected member for a particular ward need to have their own notification. There is an exemption from notification if the only personal information which is processed takes the form of paper records.
The annual fee for notification is £35. Notification can be made by either visiting the ICO website or by contacting the ICO helpline on 01625 545 740.
This article has been read 666 times!