How to win friends and influence people
Numpties, numpties, numpties they are all numpties
Since the General Data Protection Regulations (GDPR) were introduced on May 25th 2018, eight and half months ago, the vast majority of bodies subject to GDPR are getting it wrong. In particular they are failing to provide a simple link to their privacy policy/notice, when they acknowledge an email, for example. So it’s not just Facebook who are being digital gangsters with your data.
The vast majority of data protection officers, who can be paid as much as £80 – 90,000 pound a year are putting their organisations at risk for failure to comply with GDPR.
So why do we say they are numpties? An example best demonstrates how our Council – Folkestone & Hythe District Council – get it wrong. But we add it is not just our Council. There are many other Data Protection Officers who are failing to properly implement the GDPR for their organisations as well.
You send an Freedom Of Information request or an Environmental Information Request to our Council, they must acknowledge your FoI/EiR.
This is how Folkestone & Hythe District Council acknowledge an FoI/EiR presently.
Dear XXXXXXXXXXX
Thank you for your request dated 2X January 2019 This is being processed under the Freedom of Information Act 2000.
We will endeavour to supply the information you have requested promptly and within the requisite 20 working days. If we think that it will take longer, we will contact you.
Please ensure you leave the subject line in any correspondence sent to us in relation to this request to enable us to locate your file. The reference number for your file is shown above in the Subject Line.
Kind regards,
XXXX XXXXXX
Information Officer
Tel: 01303 XXXXXX
Mob: XXXXX XXX XXX
Folkestone & Hythe District Council, Civic Centre, Castle Hill Avenue,
Folkestone, Kent, CT20 2QY
E-mail: information.officer@folkestone-hythe.gov.uk
Website: [http://www.folkestone-hythe.gov..uk/]www.folkestone-hythe.gov..uk
This response is WRONG. It is not just the Shepwayvox Team that says this acknowledgement is wrong.
Ibrahim Hasan who is a recognised expert on data protection, freedom of information and surveillance law has set out how privacy notices need to be dealt with, and did so on May 4th 2018, three weeks before GDPR began on the 25th May.
He says in his article:
Under Article 13 of GDPR, where data is obtained directly from the Data Subject (you), the following information must be provided at the time the data is obtained (by the Council).
So when you get that acknowledgement for your FoI/EiR from Folkestone & Hythe District Council, they must provide the following:
-
the identity and contact details of the Data Controller and where applicable any representative
-
the contact details of the Data Protection Officer where applicable
-
the purposes of the processing for which the personal data are intended as well as the legal basis for processing (as per Article 6(1))
-
where the processing is based on legitimate interests (Article 6(1)(f)), the interests pursued by the Data Controller or third party;
-
the recipients or categories of recipients for the personal data (if any)
-
details of international transfers and their legal basis
However, our Council do not provide the necessary information as per the bullet points, as is clear from the real acknowledgement to an FoI/EiR, set out above. To be compliant with GDPR all they would need to do is provide a link to their privacy policy/notice in their FoI/EiR acknowledgement. However, they do not, hence are in breach of the GDPR legislation.
Leave a Reply