Skip to content

Data Protection and Community Councils

 

1. Are Community Councils required to register with the Information Commissioner’s Office?

Under the Data Protection Act, organisations that process personal information need to register with the Information Commissioner’s Office (ICO), unless an exemption applies. The Information Commissioner has determined that Community Councils do process personal data and, unless an exemption applies, are required to register (eg. a Community Council would be exempt if no electronic records were kept ie. if everything was handwritten). In relation to what data is likely to be processed, the ICO web site provides ‘nature of work’ descriptions for different types of organisation and there is one of these specifically for Scottish Community Councils. This gives a broad description of the way that a Community Council would process personal information. Community Councils can write their own description if they prefer, but the one on the ICO web site gives an indication of the likely classes of information processed, purposes and who it might be shared with. An extract of this is given below:

Reasons/purposes for processing information

We process personal information to enable us to serve and represent the interests of the community within the local area.

Type/classes of information processed

We process information relevant to the above reasons/purposes. This may include:

  • personal details
  • family, lifestyle and social circumstances
  • education and training details
  • goods and services

Who the information is processed about

We process personal information about:

  • residents of the community council area
  • elected representatives
  • suppliers
  • correspondents and complainants
  • business contacts
  • employees

Who the information may be shared with

We sometimes need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons. Where necessary or required we share information with:

  • suppliers and service providers
  • family, associates and representatives of the person whose personal data we are processing
  • educators and examining bodies
  • financial advisers
  • people making an enquiry or complaint
  • local government
  • the media

Transferring information overseas

We do not transfer any personal information outside the European Economic Area (EEA).

2. What responsibilities does the nominated person have under the Data Protection Act 1998?

The Community Council is required to nominate someone as the person responsible for data protection. The Community Council Secretary (or other nominated person responsible for data protection) is required to renew the registration annually and inform the ICO of any changes eg. change of address and contact details of organisation. It is important to note that a Community Council needs to comply with the Data Protection Act, including the eight data protection principles, whether it is registered or not.

Data Protection Principles

The ICO issued a ‘Guidance Note for Community Councils’ (date unknown), which gives a brief outline of data protection requirements (the whole document is provided in Appendix 1 to this Briefing Note and see in particular Section 8: Complying with the Data Protection Act) and further detailed, up to date guidance can be found on the ICO web site:

Data Protection Guide

3. Is the data protection registration personal eg. if the Community Council Secretary resigns and their successor fails to follow procedures does the person that registered remain responsible?

The simple answer to this is no. As mentioned above, the ICO should be informed of any changes to the contact details of the organisation and if the
Secretary steps down (as the nominated person) the ICO should be informed of this via the ICO web site:

Change data protection registration

It is important to note that the nominated person is not the Data Controller, it is the Community Council as an organisation which has this responsibility, see below:
Data controller means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be,
processed.……Data controllers are usually organisations with some exceptions e.g. Councillors… Even if an individual is given responsibility for data protection in an organisation, they will be acting on behalf of the organisation, which is the Data controller.

Data protection key definitions guide

4. Have all of the Community Councils in West Lothian registered?

The ICO website lists which Community Councils in West Lothian have registered. West Lothian Council pays for this annual cost

Murieston Community Council Registration Number: Z2559495

The simplest way to register is to phone up the ICO (on 0303 123 1113) and they will either fill in the registration form over the phone or provide a copy by email. Most Community Councils use the ‘nature of work’ descriptions mentioned above and so the form is very simple to fill in. The ICO are able to provide advice and support as necessary with any additional queries.

THE DATA PROTECTION ACT 1998 GUIDANCE NOTE FOR COMMUNITY COUNCILS

1 Introduction

The Data Protection Act 1998 governs the use of personal data. It imposes important obligations on any persons or organisations, including Community Councils, which acquire, store, use or deal with personal data in any way. Failure to comply with the Act’s requirements can have serious legal consequences, including claims for compensation and possible criminal proceedings.
The purpose of this note is to provide Community Councils with information regarding the Act and basic guidance on how to comply with it. More detailed guidance is available from the Information Commissioner (see Part 6 below).

2 Personal Data and Sensitive Personal Data

“Personal data” means any information by which it is possible to identify a living individual (referred to in the Act as a “data subject”). Information on individuals who have died, or on companies or other corporate bodies, is not personal data. But information regarding Community Council members, local residents, individual local authority members or employees, or any other living individual, is personal data. “Sensitive personal data” means information regarding such things as an individual’s racial or ethnic origin, political or religious beliefs, physical or mental health, sexual life and commission of a criminal offence. Special rules apply to sensitive personal data. The Act regulates the processing of personal data. “Processing” means acquiring data, storing it, amending or augmenting it, disclosing it to third parties, deleting it – ie doing anything with it at all. An individual or organisation which processes personal data is known as the “data controller”.
The Act applies to personal data which is held in any kind of storage system, whether electronic or manual.

3 The Data Protection Principles

The Act sets out some basic rules regarding processing personal data, known as the Data Protection Principles. These include –

  • Data must be processed fairly and lawfully
  • Data must be obtained for one or more specified and lawful purposes, and must not be processed in any manner incompatible with those purposes
  • Data must be adequate, relevant and not excessive
  • Data must be accurate and kept up to date
  • Data must not be kept longer than necessary
  • Data must be processed in accordance with the data subject’s rights
  • Appropriate technical and organisational measures must be taken against the data’s unauthorised or unlawful use and their accidental loss, damage or destruction.

4 Data Subjects’ Rights

The Act gives important rights to data subjects, including the right –

  • To be informed that their personal data is being processed by the data controller
  • To be given access to their personal data
  • To require their personal data not to be used for direct marketing purposes
  • To require the data controller to stop any processing of their personal data which is causing substantial and unwarranted damage or distress

5 Contravention of the Act

If a data controller contravenes the Act, compensation may be payable to any person who suffers damage and distress as a result of that contravention. In some circumstances, contravention of the Act may also be a criminal offence, for which a fine may be payable.

6 The Information Commissioner

The Act is regulated and enforced by the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (not to be confused with the Scottish Information Commissioner, who enforces the Freedom of Information (Scotland) Act 2002). The Commissioner has powers under the Act to issue notices to data controllers, requiring them to provide him with information regarding their compliance with the Act, or to carry out certain steps under the Act. He also has power to carry out investigations, including the power to enter data controllers’ premises.
The Commissioner publishes detailed guidance on various aspects of the Act. That guidance is available on the Commissioner’s website at www.ico.gov.uk

7 Notification to the Information Commissioner

All data controllers are obliged by the Act to notify the Information Commissioner of the classes of personal data which they are processing, the purposes for which they are processed and the
recipients to which the data may be disclosed. This information is included in the Commissioner’s Register of Notifications, which is open to public inspection. It is a criminal offence to process personal data without first notifying the Commissioner.

8 Complying with the Data Protection Act

In order to comply with the Act, Community Councils should take the following steps –

  1. Nominate someone (eg the Secretary) as the person responsible for data protection. In many organisations, this person is referred to as the Data Protection Officer.
  2. Carry out a data protection audit – identify what personal data are held and who the data subjects are; ascertain the purposes for which the data are to be used; identify where and how the data are stored or recorded.
  3. Inform the data subjects in writing (a) that their personal data are held, and (b) the purposes for which the data are used.
  4. Ensure that personal data are properly protected – if data are stored electronically, ensure that they are password-protected and (in sensitive cases) encrypted. If they are stored manually (eg a paper filing system), ensure that the files are kept in a secure place.
  5. Ensure that personal data are never disclosed to any unauthorised third party, whether accidentally or on purpose.
  6. Periodically review the personal data that are held, making sure that they remain accurate and up to date – where necessary dispose of data that are no longer needed.
  7. VERY IMPORTANT: notify the Information Commissioner of the personal data which are being processing, the purposes for which they are processed and the recipients to which the data may be disclosed. It is a criminal offence to process personal data without having first notified the Commissioner.

Leave a Reply