Criminals in our Council Chamber? You decide.

Shepway District Cllrs are Data Controllers. As a data controller one must, by law, be signed up to the ICO Register of Data Controllers. To not sign up is a criminal offence, with a fine of five thousand pounds in the local magistrates' court or up to half a million pounds in the county/high court.

As Data Controllers, some Cllrs in Shepway, such as Cllr Dearden, first elected in 2003 for Hythe Central, failed to sign up for eight years. In 2011 Cllr Dearden signed up for the first time. He continues to be registered. Cllrs Dearden, Berry, Jeffrey, Love, McKenna and a few others are registered too. Many sitting Cllrs have not signed up. The Council Chamber's numbers have been reduced to thirty and new blood introduced after the recent elections. The Chamber is still controlled by the Conservatives.

Many Cllrs [not just in Shepway, may I add; KCC for example] have neglected to sign up to the ICO Data Register. Cllrs are Data Controllers by virtue of undertaking constituency work, and this is set out in Article 7(e) of the EU Data Protection Directive, which states:

7(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed

Directive 95/46/EC

This was EU legislation agreed to by the then Conservative Govt and implemented under Labour as they inherited the task to create and bring onto the Statute Book The Data Protection Act 1998.

SDC Cllrs must abide by the law of the land, the same as you or I. I have complained to the Cllrs directly, SDC, KCC, the ICO and Kent Police as it is a criminal offence not to be registered.

My complaint raises serious points, as your data, my data, everyone's data is important; plus it is a commodity which can be bought or sold. My questions are in Bold. As yet I have had few replies. All Cllrs are given training by their councils, once elected, and refresher courses with regards to the DPA, and are informed and advised to sign up if they undertake constituency work, but most seem to have ignored the advice.

The Complaint

Article 6 (1) (e) of the Data Protection Directive and, likewise, Article 5 (e) of Convention 108 require Member States to ensure that personal data are “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.” The data must therefore be erased when those purposes have been served.

Cllrs who have not registered with the ICO cannot be checked to see if they are complying, neither by the Council nor by the ICO.

This principle establishes an obligation for the controller to keep the data subjects [you] informed about how their data are being used.

I am a constituent who has used the services of Cllrs and has written to all my Cllrs, who hold my personal data; they have never informed me of how any of my data is to be used.

Processing operations must be explained to the data subjects in an easily accessible way which ensures that they understand what will happen to their data. A data subject also has the right to be told by a controller on request if his or her data are being processed, and, if so, which ones.

I have requested from all Cllrs an explanation of how my data will be processed. Not one of them has ever explained to me in ANY FORM what will happen to my data. I have requested how my data will be processed and came there a reply none, from the Cllrs. This breaches the directive and thus the UK legislation as well.

Controllers should document, to data subjects and to the general public, that they will process data in a lawful and transparent manner. Processing operations must not be performed in secret and should not have unforeseeable negative effects. Controllers should ensure that customers, clients or citizens are informed about the use of their data. Further, controllers, so far as possible, must act in a way which promptly complies with the wishes of the data subject, especially where his or her consent forms the legal basis for the data processing.

None of the Cllrs – as Data Controllers – have documented to me or the general public of Shepway that they are processing data in a lawful or transparent manner. As Cllrs have not been transparent, it must of necessity be that some Cllrs who have failed to sign up to the ICO Register are processing data in secret and, by doing so, it is impossible to gauge if this information is being used with unforeseeable negative effect. Cllrs have not ensured that constituents are informed about the use of their data, as they have failed to sign up to the ICO Register and it is not checkable.

  • Accountability requires the active implementation of measures by controllers to promote and safeguard data protection in their processing activities.

If Cllrs have failed to register with the ICO, how is it possible to hold them accountable regarding the promoting and safeguarding of data while they are processing it?

  • Controllers are responsible for the compliance of their processing operations with data protection law.

    How is it possible for Cllrs who have not registered to demonstrate their compliance with processing operations with regards to data protection law? It is simple: they cannot, as they have not registered and are thus in breach of the Directive and UK Legislation.

  • Controllers should be able at any time to demonstrate compliance with data protection provisions to data subjects, to the general public and to supervisory authorities.

    How can a Cllr who has failed to register demonstrate at any time their compliance with data protection provisions to data subjects, the general public and/or supervisory bodies? Simple, they cannot, and thus are in breach of the Directive and UK Legislation. The legal obligations of public sector data controllers fall under Article 7 (e) of the directive.

    Rules on security of processing

  • The obligation of controllers and processors to have adequate measures in place to ensure data security is, therefore, laid down in CoE data protection law as well as in EU data protection law. According to the relevant provisions in EU law:

  • “Member States shall provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing”. Data Protection Directive, Art. 17 (1).

  • If a Cllr has failed to register, how is it possible for a citizen, the general public or supervisory body [SDC] to follow an audit trail and discover if Cllrs have done any of the above? If Cllrs are not registered then they are not informing the necessary parties that they have lost, accidentally destroyed, unlawfully disclosed or accessed data? How do Cllrs dispose of their computers? Surely, as it has held personal data on it, it should be destroyed sufficiently to ensure the data is not recoverable? Buried deep in the back of the Data Protection Act are surprisingly specific requirements for the relationship between a Data Controller and Data Processor – there must be a contract made or evidenced in writing, security guarantees given by the processor (the Council) to the Controller (the Councillor), and a reasonable check that the contract is being complied with. Where are these signed contracts with our Cllrs and who from SDC is enforcing them?

  • Data security is not just achieved by having the right equipment – hardware and software – in place. It also requires appropriate internal organisational rules of the Data Controller. Such internal rules must cover the following issues:

  • Who else can access Cllrs' computers? Are they shared? Cllrs are human too and have wives, partners, children, etc.

  • regular provision of information to all employees, (Cllrs have no employees), about data security rules and their obligations under data protection law, especially regarding their obligations of confidentiality;

    If Cllrs as Data Controllers have not registered with the ICO, how do we know they are fulfilling their obligations under data protection law, especially with regard to the obligations of confidentiality? Again there is no audit trail and no one is checking the contract. Is a Cllr’s word sufficient legal evidence? No it is not. There must by law be an audit trail: the contract and Cllrs' compliance with it. Cllrs must be able to demonstrate they are complying beyond all reasonable doubt, as it is a criminal offence not to comply with the Directive and UK Legislation.

  • clear distribution of responsibilities and a clear outline of competences in matters of data processing, especially regarding decisions to process personal data and to transfer data to third parties;

  • use of personal data only according to the instructions of the competent person or according to generally laid down rules;

  • protection of access to locations and to hard- and software of the controller or processor, including checks on authorisation for access;

    Some Cllrs have wives, partners, children; how are citizens, the general public, supervisory bodies to know that the data sent to them by constituents [you or I] isn’t being seen/read/discussed with these parties? Are we just to take the word of the Cllr? Is this legally sufficient? No it is not. Cllrs have computers at home; how is the citizen, general public or supervisory body to know who has access to that computer and whether that computer has sufficient security passwords – unknown to others – ensuring the security and safety of the constituents' information? There is no audit trail and no one is enforcing the contract and checking that Cllrs comply.

  • ensuring that authorisations to access personal data have been assigned by the competent person and require proper documentation;

    How do we know that Cllrs are fulfilling their legal obligations when it comes to proper documentation, and what happens to this documentation? We do not, as Cllrs have not signed up to the register, have not signed a contract, have no audit trail and are in breach of the directive and UK legislation.

  • automated protocols on access to personal data by electronic means and regular checks of such protocols by the internal supervisory desk;

    Who is meant to undertake these regular checks when Cllrs have not registered with the ICO? How can these checks of protocols on access to personal data by electronic means be carried out if Cllrs have failed to register? A Cllr’s word is not legally sufficient; there must be an audit trail and a contract, and how can there be an audit trail or signed contract if Cllrs have failed to register?

  • careful documentation for other forms of disclosure than automated access to data in order to be able to demonstrate that no illegal data transmissions have taken place.

    How can this be audited if Cllrs have failed to register? It leaves no audit trail and it is not checkable; this breaks the directive and UK Legislation.

  • Offering adequate data security training and education to staff members is also an important element of effective security precautions. Verification procedures must also be installed in order to ensure that appropriate measures not only exist on paper but are implemented and work in practice (such as internal or external audits).

  • All Cllrs are given training by their councils and regular refresher courses with regards to the DPA. If Cllrs fail to register then none of the above can leave an internal or external audit trail, and the Cllr once again breaches the Directive and UK Legislation. Therefore they commit a criminal offence/s. How many times is that? Quite a few I suspect.

  • Measures for improving the security level of a controller or processor include instruments such as personal data protection officials, security education of employees, regular audits, penetration tests and quality seals.

  • If Cllrs have failed to register, how can we know when they last had a penetration test done on their computers by the supervisory body, Shepway District Council? It would appear that if no such tests had been done then SDC would not be abiding by the contract binding both parties. Again there is no audit trail; it cannot be supported by evidence. This puts the Cllrs in breach of the Directive and UK Legislation again.

  • Data breach notifications

  • A new instrument for dealing with infringements of data security has been introduced in the data protection law of several European countries: the obligation of providers of electronic communications services to notify data breaches to the likely victims and to supervisory authorities. For telecommunications providers, this is mandatory under EU law. The purpose of data breach notifications to data subjects is to avoid damage: notification of data breaches and their possible consequences minimises the risk of negative effects on the data subjects. In cases of serious negligence, the providers could also be fined.

  • If Cllrs are not registered, how do we know if there has been a data breach, as their Supervisory Body – Shepway District Council – cannot undertake regular audits? Surely SDC know there must be a contract and they must enforce it? Nor can you or I. It is not legally sufficient that a Cllr’s word would suffice.

  • Setting up internal procedures, in advance, for the effective management and reporting of security breaches will be necessary, as the time frame for the obligation to report to the data subjects and/or supervisory authority, according to national law, is usually rather short.

    If there are no audit trails, how can one check that internal procedures by Cllrs' supervisory body – Shepway District Council – have been set up for Cllrs regarding security breaches? Also, how would a data subject know or be informed by a Cllr that a breach has occurred on their computers?

  • In 2010/2011 Shepway District Council deleted/destroyed/purged hundreds if not thousands of pieces of data and left this in the hands of individual officers of all levels to decide what information was destroyed. This matter has never been disclosed to the citizens, or the general public. It is in the public interest to disclose what was destroyed, why it was destroyed, and under whose authority the purge was necessary.

  • Where a data breach occurs as a result of unauthorised access, loss or destruction of data, the competent supervisory authority [SDC in Cllrs case] must be informed immediately. The subscribers must be informed where possible damage to them is the consequence of a data breach.

If Cllrs are not registered, how do we know if they have been virused or hacked, as there is no audit trail; and who, if anyone, are they informing? Or do they just stay mum?

If you have any concerns about your Cllr not being registered [check the register by googling ICO Register of Data Controllers], write to them; you can find their email addresses on the Shepway District Council website. Also inform the SDC CEO, alistar.stewart@shepway.gov.uk, write to the ICO and complain to Kent Police.

The Shepwayvox Team
