New data protection regulations - Group Leader's Comment - 9 February 2018

This week our lobbying right up to the wire has resulted in an extra £150m for adult social care and £15m for rural services. 

We have not let up on our pressure. Ninety-five per cent of councils are planning to raise tax levels. Local needs are rising, yet funds from central Government have been withdrawn. Councils are doing all we can, but there is still the £5.8bn gap by 2020. If all councils put up Council Tax by the maximum amount, it would only raise just over half a billion, not enough to keep even essential services for local people. We need to keep all of our business rates, shared out correctly. 

As I have written about recently, tighter data protection is on the way. A number of members have been in touch with us about this. That is why the Independent Group is holding a seminar for members on the new regulations on 23 March. We are also working hard to find and signpost useful information about how this new regime applies, specifically, to councillors.

New EU regulations designed to protect personal information come into force on 25 May. They apply regardless of Brexit as they will be adopted into British law under the Great Repeal Act.

Effectively the current Data Protection Act (DPA) will be replaced by the EU’s General Data Protection Regulation (GDPR). It applies to any personal data (for example, residents' details) that you hold, and punishments for those who fail to comply are substantial – maximum fines are four per cent of global turnover or 20,000 Euros, whichever is higher (though the Information Commissioner has sought to assure people that the law is not simply about fines).

At the same time, elected members are encouraged to keep in touch with their residents. We need to listen to residents and keep people informed about what we are doing on their behalf on issues that matter to them. Political parties keep a great deal of data on residents and their interests in order to target their messages.

We already need permission to keep personal data but now we need ‘explicit’ permission and to keep a thorough record of how and when that consent was given. If you pass on the contacts to a third party, such as MailChimp, that also needs to be included in the permission given. Many organisations now have a pop-up on their website inviting people to sign up for the newsletter, thus recording the request at the same time (RSPB for example).

The right to be forgotten means we must have an easy way to unsubscribe and the response must involve the person being taken off the database altogether, not just that particular mailing list.

People also now have the right to know within 72 hours if there are any breaches of data. Hackers have been targeting smaller organisations and even individuals, which are seen as a softer touch. 

Councils need a comprehensive audit and training. Legal advice to date suggests that councils will be able to keep data essential to do their job, with or without permission. For example, records of fundamental data of past and present staff in the pension scheme are needed to fulfil our statutory role. 

The escape valve seems to be in social media, where people sign up or unfollow as they choose and the data is not held by you. The art of getting many followers for the right reasons will need to be honed, but is done very successfully by a number of our councillors. Writing carefully on important local websites is often very effective. It is worth checking which social media pages are likely to have the hot conversations after a planning meeting, for example. 

Since people now communicate in many different ways, we need to be versatile or we risk missing what is going on under our noses. Many councillors keep up a regular round of public events, surgeries and good old-fashioned regular knocking on doors. Some of our members put one evening a week aside to knock on doors and deliver leaflets. Having a strategic plan of messages and time set in the diary to follow up on issues raised seems to be a favourite tip from our members. However, if we are collecting data, we need to make sure we can evidence permission!

Resources

Dealing with the new EU General Data Protection Regulation 

Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now 

LGA: General Data Protection Regulation (GDPR) 

LGC: Guide to GDPR for local authorities 

The Knowledge Hub is where local government staff and councillors come together to converse, ask and answer questions, offer opinion and share documents. There are 828 registered users and the Information Commissioner’s Office and the NHS health and social care information Governance Board also keep a watching eye on content and feed.

The recent GDPR briefing events at the LGA are available for viewing as a series of podcasts.