How to win friends and influence people

Numpties, numpties, numpties they are all numpties

Since the General Data Protection Regulations (GDPR) were introduced on May 25th 2018, eight and half months ago, the vast majority of bodies subject to GDPR are getting it wrong. In particular they are failing to provide a simple link to their privacy policy/notice, when they acknowledge an email, for example. So it’s not just Facebook who are being digital gangsters with your data.

The vast majority of data protection officers, who can be paid as much as £80 – 90,000 pound a year are putting their organisations at risk for failure to comply with GDPR.

So why do we say they are numpties? An example best demonstrates how our Council – Folkestone & Hythe District Council – get it wrong. But we add it is not just our Council. There are many other Data Protection Officers who are failing to properly implement the GDPR for their organisations as well.

You send an Freedom Of Information request or an Environmental Information Request to our Council, they must acknowledge your FoI/EiR.

This is how Folkestone & Hythe District Council acknowledge an FoI/EiR  presently.

Dear XXXXXXXXXXX

Thank you for your request dated 2X January 2019   This is being processed under the Freedom of Information Act 2000.

We will endeavour to supply the information you have requested promptly and within the requisite 20 working days. If we think that it will take longer, we will contact you.

Please ensure you leave the subject line in any correspondence sent to us in relation to this request to enable us to locate your file.  The reference number for your file is shown above in the Subject Line.

Kind regards,

XXXX XXXXXX

Information Officer

Tel: 01303 XXXXXX

Mob: XXXXX XXX XXX

Folkestone & Hythe  District Council, Civic Centre, Castle Hill Avenue,

Folkestone, Kent, CT20 2QY

E-mail: information.officer@folkestone-hythe.gov.uk

Website: [http://www.folkestone-hythe.gov..uk/]www.folkestone-hythe.gov..uk

This response is WRONG. It is not just the Shepwayvox Team that says this acknowledgement is wrong.

Ibrahim Hasan who is a recognised expert on data protection, freedom of information and surveillance law has set out how privacy notices need to be dealt with, and did so on May 4th 2018, three weeks before GDPR began on the 25th May.

He says in his article:

Under Article 13 of GDPR, where data is obtained directly from the Data Subject (you), the following information must be provided at the time the data is obtained (by the Council).

So when you get that acknowledgement for your FoI/EiR from Folkestone & Hythe District Council, they must provide the following:

  • the identity and contact details of the Data Controller and where applicable any representative

  • the contact details of the Data Protection Officer where applicable

  • the purposes of the processing for which the personal data are intended as well as the legal basis for processing (as per Article 6(1))

  • where the processing is based on legitimate interests (Article 6(1)(f)), the interests pursued by the Data Controller or third party;

  • the recipients or categories of recipients for the personal data (if any)

  • details of international transfers and their legal basis

However, our Council do not provide the necessary information as per the bullet points, as is clear from the real acknowledgement to an FoI/EiR, set out above. To be compliant with GDPR all they would need to do is provide a link to their privacy policy/notice in their FoI/EiR acknowledgement. However, they do not, hence are in breach of the GDPR legislation.

Eight and half months since the introduction of GDPR, and still our Council and many other organisations are getting this very simple issue wrong. It would not be hard to fix. We hope this will influence our Council to change their acknowledgement. We suspect this blogpost will not win us any friends in our Council.

We should not forget that Borough/City/District and County Councillors are considered to be data protection officers in their own right,  as they are data controllers in their own right and the vast majority of them are getting any response to a constituent  wrong, especially when helping in a constituent in personal capacity all they need do is link to their privacy policy/notice, if they even have one, which we suspect in the vast majority of cases, they will not. However, here is one Chelmsford City Council provide for their Councillors

So it it is NOT just Facebook who are being “digital gangsters” with our data, there are many other organisations out there who are behaving in much the same way, each time they fail to link to a privacy policy/notice in their acknowledgement to you, for example. By not doing so they are breaching the existing privacy regulations -GDPR. This is surely NOT right they do so.

The Shepwayvox Team

Not owned by Hedgefunds or Barons

About shepwayvox (823 Articles)
Our sole motive is to inform the residents of Shepway - and beyond -as to that which is done in their name. email: shepwayvox@riseup.net

Leave a Reply

%d bloggers like this: