Elisabeth Page 08 October 2019

The safety of data on councillors’ personal devices

All councils have legal obligations to protect the security of data that identifies a living person (personal data). Failure to comply with these obligations could result in the council being subject to fines or other enforcement action by the Information Commissioner and the reputational damage that ensues from such enforcement actions.

Whilst the tool kit is aimed at local councils (town and parish councils and Welsh community councils), the advice should be heeded by principal authorities, especially in relation to councillor owned devices.

All councils must ensure the confidentiality, integrity and availability of all the personal data it holds, even if the data is being processed through personal email accounts or is stored on a privately-owned device. The council is accountable for any council business conducted involving personal data on any device or through any email account.

At parish level, it is likely that emails containing personal data or with attachments that contain personal data will be circulated to councillors by the clerk to the councillor’s private email addresses and stored and accessed on the councillors’ private devices.

The data protection breach risks of this are numerous, including:

  • the document will become inaccurate or out of date over time,
  • that it will be retained for longer than necessary,
  • that it will be shared inappropriately,
  • that it can be viewed by others, if others have access to the device and or private email address, and
  • that it will be difficult to respond to a subject access request if the council has to search multiple devices on which the personal data may be stored.

Even in the largest unitary authority, where each councillor will have a council email address, it is likely that the email and attachments will be accessed using a councillor owned personal device and could be saved to that device or forwarded by that device.

The risks of the use of personal devices include:

  • that the data will be accessed if the device is lost or stolen,
  • the systems that are used to transfer data to other devices are not secure, and
  • the blurring of personal and/or political use with council use.

Councils must have appropriate technical and organisational measures in place to prevent the compromising of the personal data it holds.

Organisational measures

The council should have the following policies which all councillors should be aware of and trained on regularly:

  • Privacy Policy - which states what type of personal data the council holds, how it stores it, how it processes it and with who it shares the data with. Some principal authorities are encouraging councillors themselves to adopt a Privacy Policy especially where councillors undertake advocacy work on behalf of members of the public in their wards
  • Document retention and disposal policy - which details how long types of documents will be held for
  • Information security incident policy - which details what staff and councillors should do if the security of data is compromised, ranging from incidents of theft and lost devices to data sent to a wrong email recipient
  • Personal device acceptable use policy - detailing how the device should be used for council matters, including the prohibition on saving documents to the device, the provisions that the device automatically locks if inactive for a period of time and that a device must be password protected.

Technical measures

These range from the complex and costly to the simple, from measures that will need to be implemented by the council’s IT section to those that a parish clerk or local authority officer can do, including:

  • Registering the personal devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of device loss or theft
  • Password protecting all devices, including ensuring that all councillor owned devices are password protected, to stop unauthorised access of the device
  • Setting editing and printing restrictions on a document containing personal data
  • Password protecting or encrypting documents sent by email
  • Only uploading documents containing personal data to a secure file share app eg Dropbox or similar or onto the councillor login section of the council’s website and sending out an email notification of the upload to councillors

The ICO Local Council ToolKit can be viewed on their website. Councils should seek specialist legal advice as to the use of their data being access by councillors if they are unsure of the safety of the data.

Elisabeth Page is a solicitor in the public sector team at Geldards LLP

SIGN UP
For your free daily news bulletin
Highways jobs

Interim Head of Fostering

Tile Hill
Negotiable day rate
We are working with a local authority client in London who is looking for an Interim Head of Fostering, the local authority was last inspected as “... London (Central), London (Greater)
Recuriter: Tile Hill

Interim Head of Children in Care and Care Leavers

Tile Hill
Negotiable day rate
We are working with a local authority client in London who is looking for an Interim Head of Children in Care and Care Leavers, the local authority... London (Central), London (Greater)
Recuriter: Tile Hill

Head of Regeneration and Economy

City of York Council
£59,593 - £68,094
York is a wonderful place to live and work and it is quite rightly famous across the globe. York, North Yorkshire / Hybrid
Recuriter: City of York Council

Clinical Lead, North Essex

Essex County Council
Negotiable
Clinical Lead, North EssexPermanent, Full TimeUp to £57,869 per annumLocation
Recuriter: Essex County Council

Assistant Director Legal,&Governance/Monitoring Officer

Rochdale BC
£70,340 - £81,589
The Assistant Director role has breadth of responsibility beyond legal services incorporating Constitutional and Democratic Services Rochdale, Greater Manchester
Recuriter: Rochdale BC

Partner Content

Circular highways is a necessity not an aspiration – and it’s within our grasp

Shell is helping power the journey towards a circular paving industry with Shell Bitumen LT R, a new product for roads that uses plastics destined for landfill as part of the additives to make the bitumen.

Support from Effective Energy Group for Local Authorities to Deliver £430m Sustainable Warmth Funded Energy Efficiency Projects

Effective Energy Group is now offering its support to the 40 Local Authorities who have received a share of the £430m to deliver their projects on the ground by surveying properties and installing measures.

Pay.UK – the next step in Bacs’ evolution

Dougie Belmore explains how one of the main interfaces between you and Bacs is about to change.