On 25 May 2018 new laws on data protection came into force: the General Data Protection Regulation (GDPR), a new Europe-wide law, and the 2018 UK Data Protection Act.
These two pieces of legislation set out how organisations will need to handle personal data to enhance the rights of, and give more control to, the people whose data is held. Financial penalties will be imposed on any organisation which breaches the Regulation.
It is important that Councillors understand the requirements of the law:
- When leading and scrutinising the work of the council.
- When accessing data collected and stored by the council, schools or political parties, which members may access when acting as a school governor or during political campaigning.
- When collecting personal data about members of the public.
In this third context, Members are (as they were under the 1998 DPA) data controllers for any personal data they collect about members of the public. This means that they are responsible for seeking appropriate permission to gather personal data, telling people what will be done with their data, storing and disposing of data legally and informing the Information Commissioner's Office (ICO) of any breach of data security.
Personal Data means:
“any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”
For example, a name, telephone number or IP address. It applies to data stored both electronically and manually.
Members should ask their local Data Protection Officers about how they should process information within the law.
There is also more information available from the Information Commissioner's Office, and guidance for members from the Local Government Association (LGA).
Links: Information Commissioner's Office / Local Government Association
For more information contact: Sarah Titcombe