Numpties, numpties, numpties they are all numpties
Since the General Data Protection Regulations (GDPR) were introduced on May 25th 2018, eight and a half months ago, the vast majority of bodies subject to GDPR have been getting it wrong. In particular, they are failing to provide a simple link to their privacy policy/notice when they acknowledge an email, for example. So it’s not just Facebook who are being digital gangsters with your data.
The vast majority of data protection officers, who can be paid as much as £80 – 90,000 a year, are putting their organisations at risk by failing to comply with GDPR.
So why do we say they are numpties? An example best demonstrates how our Council – Folkestone & Hythe District Council – get it wrong. But we add it is not just our Council. There are many other Data Protection Officers who are failing to properly implement the GDPR for their organisations as well.
When you send a Freedom of Information request or an Environmental Information Request to our Council, they must acknowledge your FoI/EiR.
This is how Folkestone & Hythe District Council acknowledge an FoI/EiR presently.
Dear XXXXXXXXXXX
Thank you for your request dated 2X January 2019. This is being processed under the Freedom of Information Act 2000.
We will endeavour to supply the information you have requested promptly and within the requisite 20 working days. If we think that it will take longer, we will contact you.
Please ensure you leave the subject line in any correspondence sent to us in relation to this request to enable us to locate your file. The reference number for your file is shown above in the Subject Line.
Kind regards,
XXXX XXXXXX
Information Officer
Tel: 01303 XXXXXX
Mob: XXXXX XXX XXX
Folkestone & Hythe District Council, Civic Centre, Castle Hill Avenue,
Under Article 13 of GDPR, where data is obtained directly from the Data Subject (you), the following information must be provided at the time the data is obtained (by the Council).
So when you get that acknowledgement for your FoI/EiR from Folkestone & Hythe District Council, they must provide the following:
the identity and contact details of the Data Controller and where applicable any representative
However, our Council do not provide the necessary information as per the bullet points, as is clear from the real acknowledgement to an FoI/EiR, set out above. To be compliant with GDPR all they would need to do is provide a link to their privacy policy/notice in their FoI/EiR acknowledgement. However, they do not, hence are in breach of the GDPR legislation.
Eight and a half months since the introduction of GDPR, our Council and many other organisations are still getting this very simple issue wrong. It would not be hard to fix. We hope this will influence our Council to change their acknowledgement. We suspect this blogpost will not win us any friends in our Council.
We should not forget that Borough/City/District and County Councillors are considered to be data protection officers in their own right, as they are data controllers in their own right. The vast majority of them are getting any response to a constituent wrong, especially when helping a constituent in a personal capacity. All they need do is link to their privacy policy/notice, if they even have one, which we suspect in the vast majority of cases they will not. However, here is one Chelmsford City Council provide for their Councillors
So it is NOT just Facebook who are being “digital gangsters” with our data. There are many other organisations out there who are behaving in much the same way each time they fail to link to a privacy policy/notice in their acknowledgement to you, for example. By not doing so they are breaching the existing privacy regulations (GDPR). It is surely NOT right that they do so.