All councils have legal obligations to protect the security of data that identifies a living person (personal data). Failure to comply with these obligations could result in the council being subject to fines or other enforcement action by the Information Commissioner and the reputational damage that ensues from such enforcement actions.
Whilst the tool kit is aimed at local councils (town and parish councils and Welsh community councils), the advice should be heeded by principal authorities, especially in relation to councillor owned devices.
All councils must ensure the confidentiality, integrity and availability of all the personal data it holds, even if the data is being processed through personal email accounts or is stored on a privately-owned device. The council is accountable for any council business conducted involving personal data on any device or through any email account.
At parish level, it is likely that emails containing personal data or with attachments that contain personal data will be circulated to councillors by the clerk to the councillor’s private email addresses and stored and accessed on the councillors’ private devices.
The data protection breach risks of this are numerous, including:
- the document will become inaccurate or out of date over time,
- that it will be retained for longer than necessary,
- that it will be shared inappropriately,
- that it can be viewed by others, if others have access to the device and or private email address, and
- that it will be difficult to respond to a subject access request if the council has to search multiple devices on which the personal data may be stored.
Even in the largest unitary authority, where each councillor will have a council email address, it is likely that the email and attachments will be accessed using a councillor owned personal device and could be saved to that device or forwarded by that device.
The risks of the use of personal devices include:
- that the data will be accessed if the device is lost or stolen,
- the systems that are used to transfer data to other devices are not secure, and
- the blurring of personal and/or political use with council use.
Councils must have appropriate technical and organisational measures in place to prevent the compromising of the personal data it holds.
The council should have the following policies which all councillors should be aware of and trained on regularly:
- Document retention and disposal policy - which details how long types of documents will be held for
- Information security incident policy - which details what staff and councillors should do if the security of data is compromised, ranging from incidents of theft and lost devices to data sent to a wrong email recipient
- Personal device acceptable use policy - detailing how the device should be used for council matters, including the prohibition on saving documents to the device, the provisions that the device automatically locks if inactive for a period of time and that a device must be password protected.
These range from the complex and costly to the simple, from measures that will need to be implemented by the council’s IT section to those that a parish clerk or local authority officer can do, including:
- Registering the personal devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of device loss or theft
- Password protecting all devices, including ensuring that all councillor owned devices are password protected, to stop unauthorised access of the device
- Setting editing and printing restrictions on a document containing personal data
- Password protecting or encrypting documents sent by email
- Only uploading documents containing personal data to a secure file share app eg Dropbox or similar or onto the councillor login section of the council’s website and sending out an email notification of the upload to councillors
The ICO Local Council ToolKit can be viewed on their website. Councils should seek specialist legal advice as to the use of their data being access by councillors if they are unsure of the safety of the data.
Elisabeth Page is a solicitor in the public sector team at Geldards LLP