We have witnessed a sharp decline in public trust across all sectors. Every year, the Edelman Trust Barometer surveys tens of thousands of people across the globe about their level of trust in business, media, government and NGOs. This year was the first time the study found a decline in trust across all four institutions. In fact, the majority of respondents from the UK (60%) believe that these institutions have failed them.
As processors of large amounts of personal data – much of it sensitive information – local authorities must maintain the highest standards if they are to retain and indeed regain public trust. With the upcoming General Data Protection Regulation (GDPR), and the recent announcement that a new Data Protection Bill will transfer GDPR into UK law, local authorities need to be on the front foot to ensure they are fully compliant. Especially because for the majority of the population, their engagement and interaction with government is at a local level.
The new legislation has been designed to put control of personal data firmly back into the hands of the citizen. These changes provide all organisations, and particularly local government bodies, with an unmissable opportunity to improve and strengthen public trust.
To help local councils prepare for GDPR, MyLife Digital and Civica Digital analysed the Privacy Policies of 137 local authorities to see how they comply with the incoming regulations. The analysis shows that good practice is out there. But there are some areas of concern and many councils still have work to do before May 2018, when the regulations become law.
The research identified gaps in compliance using a benchmark combining rulings of the Information Commissioner’s Office (ICO) from 2016 and the forthcoming requirements of GDPR. In fact, there were nine specific criteria against which we measured the 137 local authorities.
The findings include:
• 34% do not clearly mention the collection of personal data.
• 38% do not mention how data will be used.
Improvements need to be made. The ICO confirmed that 10% of all data protection concerns received in 2015 related to local authorities. They also released a report following the Local Government Information Governance Survey in March 2017 stating a quarter of councils don’t have a data protection officer, a mandatory requirement for public authorities under GDPR, 15% do not have data protection training for employees who process personal data and a third don’t do privacy impact assessments.
Nearly all (98%) of privacy policies did not clearly mention any profiling from the use of personal data. With data driving so many decisions about the provision of services and/or resources, the public have a right to be concerned about how their personal data could be used.
Local authorities should be explicit about how personal data is used and what decisions are derived from the analysis of such data. Especially if personal data is combined with other publicly available information.
Another concern identified was that many councils have no data sharing policy – which the ICO confi rmed at 37%. This is despite the increasing need to share data for effective delivery of services, often carried out by outsourced third parties or other Government departments. For example, a local authority shares information with the Department of Work and Pensions to process a pensioner’s application for housing benefit. The ICO has produced helpful guidance for local government in the form of a local authority information sharing and data protection checklist.
Three-quarters (74%) of the privacy policies we reviewed failed to give details of how long data is kept on record. The current regulation and guidance from the ICO says data should be retained for ‘no longer than is necessary for the purpose you obtained it for’. It is essential that local authorities consider how long data will be retained, and can show consideration has been given and documented.
Other elements researched include contact details for the data controller and how data is collected. Both areas that will be enforced under GDPR.
Of course – as with any new regulations – becoming compliant is inevitably going to involve some increase to work, time and cost. Yet, if done in the right way, the opportunity it creates to strengthen trust and to deliver shared value will outweigh these issues.
Now is the time not just to protect your local authority, but to go a step further to deepen public trust.
Keith Dewar is group marketing and product director at MyLife Digital