Elisabeth Page 08 October 2019

The safety of data on councillors’ personal devices

The safety of data on councillors’ personal devices image

All councils have legal obligations to protect the security of data that identifies a living person (personal data). Failure to comply with these obligations could result in the council being subject to fines or other enforcement action by the Information Commissioner and the reputational damage that ensues from such enforcement actions.

Whilst the tool kit is aimed at local councils (town and parish councils and Welsh community councils), the advice should be heeded by principal authorities, especially in relation to councillor owned devices.

All councils must ensure the confidentiality, integrity and availability of all the personal data it holds, even if the data is being processed through personal email accounts or is stored on a privately-owned device. The council is accountable for any council business conducted involving personal data on any device or through any email account.

At parish level, it is likely that emails containing personal data or with attachments that contain personal data will be circulated to councillors by the clerk to the councillor’s private email addresses and stored and accessed on the councillors’ private devices.

The data protection breach risks of this are numerous, including:

  • the document will become inaccurate or out of date over time,
  • that it will be retained for longer than necessary,
  • that it will be shared inappropriately,
  • that it can be viewed by others, if others have access to the device and or private email address, and
  • that it will be difficult to respond to a subject access request if the council has to search multiple devices on which the personal data may be stored.

Even in the largest unitary authority, where each councillor will have a council email address, it is likely that the email and attachments will be accessed using a councillor owned personal device and could be saved to that device or forwarded by that device.

The risks of the use of personal devices include:

  • that the data will be accessed if the device is lost or stolen,
  • the systems that are used to transfer data to other devices are not secure, and
  • the blurring of personal and/or political use with council use.

Councils must have appropriate technical and organisational measures in place to prevent the compromising of the personal data it holds.

Organisational measures

The council should have the following policies which all councillors should be aware of and trained on regularly:

  • Privacy Policy - which states what type of personal data the council holds, how it stores it, how it processes it and with who it shares the data with. Some principal authorities are encouraging councillors themselves to adopt a Privacy Policy especially where councillors undertake advocacy work on behalf of members of the public in their wards
  • Document retention and disposal policy - which details how long types of documents will be held for
  • Information security incident policy - which details what staff and councillors should do if the security of data is compromised, ranging from incidents of theft and lost devices to data sent to a wrong email recipient
  • Personal device acceptable use policy - detailing how the device should be used for council matters, including the prohibition on saving documents to the device, the provisions that the device automatically locks if inactive for a period of time and that a device must be password protected.

Technical measures

These range from the complex and costly to the simple, from measures that will need to be implemented by the council’s IT section to those that a parish clerk or local authority officer can do, including:

  • Registering the personal devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of device loss or theft
  • Password protecting all devices, including ensuring that all councillor owned devices are password protected, to stop unauthorised access of the device
  • Setting editing and printing restrictions on a document containing personal data
  • Password protecting or encrypting documents sent by email
  • Only uploading documents containing personal data to a secure file share app eg Dropbox or similar or onto the councillor login section of the council’s website and sending out an email notification of the upload to councillors

The ICO Local Council ToolKit can be viewed on their website. Councils should seek specialist legal advice as to the use of their data being access by councillors if they are unsure of the safety of the data.

Elisabeth Page is a solicitor in the public sector team at Geldards LLP

For your free daily news bulletin
Highways jobs

Director of Children's Safeguarding and Care 

Gloucestershire County Council
Up to £116,391, plus relocation support
We are looking to fill this vital role at a very important time for us.  Our children’s services team is on an important journey of... Gloucestershire
Recuriter: Gloucestershire County Council

Corporate Director

Ceredigion County Council
£97,294 - £104,086
We are looking to recruit an ambitious and truly transformational leader to support the delivery of modernised and sustainable services to... Penmorfa, Porthmadog
Recuriter: Ceredigion County Council

Street Works Co-ordinator

Lincolnshire County Council
£21,153 - £23,791
Do you want to make a difference to how Street Works are managed within Lincolnshire? Lincolnshire
Recuriter: Lincolnshire County Council

Community Co-ordinator (Health inequalities)

Brent Council
£32,418 - £34,209 p.a. inc.
The successful candidate will have evidenced experience of working in a community environment. Brent, London (Greater)
Recuriter: Brent Council

Homelessness Prevention and Relief Officer

Brent Council
£32,418 - £34,209 p.a. inc. (pro-rata)
You must have an understanding of homelessness legislation, and an ability to learn legislation quickly with training, coupled with... Brent, London (Greater)
Recuriter: Brent Council

Public Property

Latest issue - Public Property News

This issue of Public Property examines how how flexible workspaces can lead the way in regeneration for local authorities, Why local authority intervention is key to successful urban regeneration schemes and if the Government’s challenge of embracing beauty is an opportunity for communities.

The March issue also takes a closer look at Blackburn with Darwen Council's first digital health hub to help people gain control over health and care services.

Register for your free digital issue