Recently Folkestone & Hythe District Council's compliance with the General Data Protection Regulation (GDPR) was audited by the East Kent Audit Partnership (EKAP) and found to have a Limited Assurance. In effect this means there is evidence of significant errors and non-compliance due to “gaps in information” and a “lack of detail”, meaning many key controls are not operating as intended, resulting in a risk to the achievement of the system objectives – the protection of data.
Now for the uninitiated, GDPR is NOT about privacy. GDPR is not meant to protect anyone’s privacy. The word ‘privacy’ is mentioned once in a footnote that refers to another piece of legislation (which isn’t supposed to protect our privacy either).
The two basic goals of GDPR are transparency and informing the public about how their data is being used. This use of your data must be lawful, and lawfulness can only be achieved by justifying the collection of data. This is the skeleton, this is what holds it up. It also places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability.
The EKAP audit found “gaps in information” and a “lack of detail”, which to us is unsurprising. The Council’s Data Protection Officer (DPO) is aware of the improvements that are required to strengthen the Council’s data management processes and evidence of effective data governance and is working towards this.
The Council are working towards meeting the legal obligations of GDPR, which is concerning, as it means that at the time of the audit they were not meeting their legal obligations.
Article 30 of the GDPR sets out what the Council, as a Data Controller, must maintain records of, such as processing purposes, data sharing and retention. Records must be kept in writing or electronically.
So eighteen months after GDPR was introduced (May 25th 2018) our Council still finds itself working towards the obligations of GDPR and the protection of residents’ data. Unbelievable!
The person in the Council responsible for GDPR is Amandeep Khroud (pictured) – Assistant Director – Governance, Law & Regulatory Services.
Cllr Lesley Whybrow (pictured) (Green), at the Audit & Governance Committee held on Wednesday 4th Dec, thankfully managed to elicit that they had not lost any data. As we know, this has happened on a number of occasions, such as when they released the data of eighty-two persons. Fifty-five of those persons had their names and hourly or day rates, and more, revealed unnecessarily.
In March of this year we highlighted that the Council had set aside £325,000 for a potential fine. Also we highlighted the fact the Council had shared residents’ data with Cozumel Estates, the Council’s partner for the Otterpool Development.
In April the monitoring officer, who is also the Assistant Director – Governance, Law & Regulatory Services – Amandeep Khroud, was too “busy” to deal with a data breach, and we now find her department are working towards meeting their GDPR obligations.
How long has our Council not been fully compliant with the GDPR? After all GDPR was introduced eighteen months ago.
What are the “significant errors” regarding GDPR?
What are the areas of non-compliance?
They have had the same time as everyone else to be compliant, so there is no excuse for the “gaps in information” and “lack of detail”. There is no excuse for our Council still working towards their obligations when those obligations should have been met on the 25th May 2018.
On the 1st Nov 2019 we wrote about the privacy policies of the local political parties. We note that ten days later the local Folkestone & Hythe Labour Party registered with the Information Commissioner’s Office as a data controller in its own right. So the likes of Cllr Ray Field, et al. collected data about local residents without obtaining consent. Under GDPR consent must be freely given, specific and informed, or it is not consent. Why didn’t they comply with their legal obligations sooner?