As you may or may not know, Councillors wear up to three hats in the normal course of their activities. As participants in Council Committees and decision-making, they are part of the Council. For Data Protection purposes, they are covered by the Council’s DP notification and any incident or breach involving them would be the Council’s problem. Hat number 2 comes with membership of a political party. They may sometimes receive personal data from their party for campaigning purposes. In this scenario, the party is responsible for Data Protection. The strangest hat is the one they wear as constituency representatives. Here, neither the council nor the party is responsible. The Councillor is a Data Controller in their own right.
Regarding hat number 3, NOT ALL SDC or KCC Councillors are registered on the ICO Data Register, as they must be.
Martin Whybrow [Green Party] and others from KCC are registered on the ICO Data Register. Cllrs Dearden, Love, Jeffrey McKenna, Berry and a few others from SDC are registered; the rest were not at the time of writing.
They must be by law as they are Data Controllers and hold personal data about their constituents and others. This has been confirmed by the ICO. Councillors are Data Controllers for any equipment, any email account, any electronic system that they use to communicate with their constituents.
The Council is their Data Processor in this context. Buried deep in the back of the Data Protection Act are surprisingly specific requirements for the relationship between a Data Controller and Data Processor – there must be a contract made or evidenced in writing, security guarantees given by the processor (the Council) to the Controller (the Councillor), and a reasonable check that the contract is being complied with.
In other words, if the SDC Councillors who are up in arms about what may or may not be happening to their emails have not obtained a written contract from SDC, ensuring that SDC will act only on their instructions when handling their constituency correspondence, the Councillors are in breach of the Data Protection Act. The Council – as a data processor – is not.
It goes further. Councillors should clearly inform their constituents about the way in which their data is used. Councillors use Hotmail or Yahoo mail etc. for constituency business – I know, as I have received many emails from Cllrs from Yahoo, Hotmail, Outlook, etc. – or at the very least have all of their Council emails auto-forwarded to an outside account.
This not only carries security risks that might breach the 7th DP principle, but also raises the spectre of the 8th Principle, which governs how to transfer information outside the European Economic Area (many web-based email providers use servers outside Europe). With Yahoo, Hotmail, Gmail, etc., the route of any message can pass through other countries.
All Cllrs are given the training on this issue once elected to office, but most just ignore it, thinking there’ll never be any comebacks. Many senior Council officers and IT and DP specialists will weep at the thought, and I can think of one or two who will give me a smack for bringing it up. But Councils cannot dictate to their Councillors. It is clearly logical for Councillors to use systems and kit provided to them by the Council, but ultimately, they are responsible for a big slice of the data that they use as part of their work and it’s their decision.
The Council is a processor, a service provider. Sticking with the robust corporate system is a reasonable idea, but they can work outside of it and if they do, Councillors are wholly responsible for what happens. In the meantime, any Councillor planning to kick up a fuss about emails or anything else should remember that if something goes wrong, the Council has a get-out-of-jail-free card for non-Council business.
Cllrs using accounts which go to servers overseas are in breach of the DPA. Also, when a resident, for example, asks for a Cllr’s emails under a Subject Access Request, Cllrs omit/exclude their personal emails, as they falsely believe that emails sent or received from their private accounts when responding to constituents are exempt; they are not. This could mean, for example, that Cllrs are sending/viewing improper images, making personal comments about constituents, etc. They could, for example, be meeting people unbeknown to SDC/KCC with Stagecoach and SDC know nothing about it.
For not being on the ICO Data Register as a Data Controller, the fine in a magistrates’ court is £5000 and in the County Court £500,000, payable by the Cllr, not the Council. The cost of registering is down to the Cllr and is £35. I hope you will draw this matter to YOUR Cllr’s attention (see List of SDC Cllrs), as it is THEY WHO MUST PAY, not the taxpayers of SHEPWAY or SDC. All Cllrs in district, county and unitary authorities up and down the land need to register on the ICO Data Register. It costs 35.00 pounds [UK Sterling]. Allowances are given to SDC Cllrs for ICT [231.00]; here in Shepway they receive a basic allowance of 3870.00 pounds, so surely thirty-five pounds isn’t too much to stump up. So come on, Cllrs, pay up and comply.