Elisabeth Page 08 October 2019

The safety of data on councillors’ personal devices

The safety of data on councillors’ personal devices image

All councils have legal obligations to protect the security of data that identifies a living person (personal data). Failure to comply with these obligations could result in the council being subject to fines or other enforcement action by the Information Commissioner and the reputational damage that ensues from such enforcement actions.

Whilst the tool kit is aimed at local councils (town and parish councils and Welsh community councils), the advice should be heeded by principal authorities, especially in relation to councillor owned devices.

All councils must ensure the confidentiality, integrity and availability of all the personal data it holds, even if the data is being processed through personal email accounts or is stored on a privately-owned device. The council is accountable for any council business conducted involving personal data on any device or through any email account.

At parish level, it is likely that emails containing personal data or with attachments that contain personal data will be circulated to councillors by the clerk to the councillor’s private email addresses and stored and accessed on the councillors’ private devices.

The data protection breach risks of this are numerous, including:

  • the document will become inaccurate or out of date over time,
  • that it will be retained for longer than necessary,
  • that it will be shared inappropriately,
  • that it can be viewed by others, if others have access to the device and or private email address, and
  • that it will be difficult to respond to a subject access request if the council has to search multiple devices on which the personal data may be stored.

Even in the largest unitary authority, where each councillor will have a council email address, it is likely that the email and attachments will be accessed using a councillor owned personal device and could be saved to that device or forwarded by that device.

The risks of the use of personal devices include:

  • that the data will be accessed if the device is lost or stolen,
  • the systems that are used to transfer data to other devices are not secure, and
  • the blurring of personal and/or political use with council use.

Councils must have appropriate technical and organisational measures in place to prevent the compromising of the personal data it holds.

Organisational measures

The council should have the following policies which all councillors should be aware of and trained on regularly:

  • Privacy Policy - which states what type of personal data the council holds, how it stores it, how it processes it and with who it shares the data with. Some principal authorities are encouraging councillors themselves to adopt a Privacy Policy especially where councillors undertake advocacy work on behalf of members of the public in their wards
  • Document retention and disposal policy - which details how long types of documents will be held for
  • Information security incident policy - which details what staff and councillors should do if the security of data is compromised, ranging from incidents of theft and lost devices to data sent to a wrong email recipient
  • Personal device acceptable use policy - detailing how the device should be used for council matters, including the prohibition on saving documents to the device, the provisions that the device automatically locks if inactive for a period of time and that a device must be password protected.

Technical measures

These range from the complex and costly to the simple, from measures that will need to be implemented by the council’s IT section to those that a parish clerk or local authority officer can do, including:

  • Registering the personal devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of device loss or theft
  • Password protecting all devices, including ensuring that all councillor owned devices are password protected, to stop unauthorised access of the device
  • Setting editing and printing restrictions on a document containing personal data
  • Password protecting or encrypting documents sent by email
  • Only uploading documents containing personal data to a secure file share app eg Dropbox or similar or onto the councillor login section of the council’s website and sending out an email notification of the upload to councillors

The ICO Local Council ToolKit can be viewed on their website. Councils should seek specialist legal advice as to the use of their data being access by councillors if they are unsure of the safety of the data.

Elisabeth Page is a solicitor in the public sector team at Geldards LLP

Highways jobs

Governance and Assurance Manager

North Yorkshire County Council
£38,813 to £42,683
Are you someone who is methodical in approach with an eye for detail? York, North Yorkshire
Recuriter: North Yorkshire County Council

Business Development Manager (Grow Yorkshire)

North Yorkshire County Council
£34,788 to £38,813 per annum
Do you have an enterprising approach to developing solutions? Are you an exceptional communicator? York, North Yorkshire
Recuriter: North Yorkshire County Council

Enterprise Partnership Officer (Infrastructure)

North Yorkshire County Council
£34,788 to £38,813 per annum
Are you an experienced Project Manager who is methodical in your approach with exceptional attention to detail? Northallerton, North Yorkshire
Recuriter: North Yorkshire County Council

Project Lead - Housing Growth

North Yorkshire County Council
£38,813 to £42,683
Do you have a substantial understanding of the housing market and the housing planning system? York, North Yorkshire
Recuriter: North Yorkshire County Council

Communications Officer

North Yorkshire County Council
£29,636 to £32,029
Are you someone with excellent skills in communications and looking for your next challenge? York, North Yorkshire
Recuriter: North Yorkshire County Council

Local Government News

Latest issue - Local Goverrnemnt News

This issue of Local Government News explores how councils can tackle modern slavery and trafficking in their supply chains, finds out more about Cambridge's first cohousing scheme and the launch of a new project to build a shared service pattern library for local government.

This issue also contains a special focus on children's services and how councils are protecting children following local safeguarding children boards being abolished.

Register for your free magazine