Meeting documents
|
||||||||||||||||||||||||||
|
|
|
Summary of considerations |
|
Data Controllers must notify the Information Commissioner of the details of their processing of personal data. |
|
Elected Members are Data Controllers in their own right if they process personal data for their own ends, such as in order to timetable surgery appointments or progress complaints by local residents. As such they are likely to have to notify the Information Commissioner. |
|
When processing the Council’s personal data, Members are generally covered by the Council’s own notification and will not need to notify themselves. An example is a Housing Cabinet portfolio Member who has access to tenancy files for the purpose of considering whether the Council should proceed with an eviction. |
|
Members may be able to rely on the notification of their political party when processing personal data on behalf of the party, such as an office holder or official candidate. |
|
Data Controllers must comply with the 8 principles of the Data Protection Act 1998. |
|
Elected Members should comply with the 8 principles of the Act when processing personal data on their own account. In addition, however, Members have an obligation to honour the data protection principles when processing the personal data of another Data Controller, such as the Council or their own political party. To fail to do so could leave that Data Controller in breach of the Act. |
|
|
|
ELECTED MEMBERS - COMPLIANCE WITH THE DATA PROTECTION ACT 1998 |
|
Under the Data Protection Act 1998 those who control the manner and purpose of processing personal data may be deemed to be Data Controllers and have to notify the Information Commissioner of the details of their processing. Data Controllers must also comply with the 8 data protection principles that together form an enforceable framework for the proper handling of personal data. |
|
The Data Protection principles |
|
|
|
|
|
|
|
|
|
Where an elected member has access to and processes personal data as a member of the Council, the member is covered by the Council’s own data protection notification, like employees. An example is a member of the Cabinet who has access to a tenancy file for the purpose of considering whether or not the Council should proceed with an eviction. In this case the member is not required to notify the Information Commissioner about such processing. |
|
When disclosing personal data to members for the purposes of Council business, members should only be given access to as much information as is necessary to carry out their duties. In making a disclosure of personal data to the elected member the Council should specify the purpose for which that information may be used or disclosed. Where the member is able to take a copy of the information away from the Council premises, the Council should specify steps to be taken to ensure the security of the information. For instance, there may be rules regulating the security of personal data processed on laptop computers. |
|
The above scenario should be contrasted with the situation where an elected member acts in his/her own right, in which case it may be necessary to notify the Information Commissioner of the details of their processing. This would include, for example, the processing of personal data in order to timetable surgery appointments or progress complaints made by local residents. Also, when campaigning for adoption as a prospective candidate, for a particular ward, elected members will only be able to rely on the notification of their party if as a matter of fact the parties control the manner and purpose of the processing of personal data for the purpose of their individual campaign. |
|
When acting on behalf of a political party, for instance as an office holder or as an official candidate, members are entitled to rely upon the data protection notification made by the party. |
|
Even where they process personal data for their own ends, there is at present an exemption for ‘elected members’ from notifying where the only personal data that are processed take the form of non-automated or manual records. If this exemption applies, members must still comply with the 8 data protection principles. |
|
Notification can be carried out on-line at www.dpr.gov.uk where a standard template for members is available. If a member believes he/she may need to notify, she/he should contact the Commissioner’s Notification Department on 01625 – 545740. |
|
Use of personal data |
|
One contentious area involving the use of personal data by members is where they seek to use lists of the users of a particular Council service for electioneering purposes without the consent of those individuals. This is a breach of the Data Protection Act 1998. Similarly, it would not be permissible to use personal data to which the elected member had access in an official capacity, say as a member of the Cabinet, in order to progress a complaint on behalf of a local resident unless all the individuals concerned had consented. |
|
The above should be contrasted with the situation where the Council discloses personal data to a member about a data subject, without the specific consent of the data subject, if the member represents the ward in which the data subject lives (in which case there may be a reasonable presumption that the member is acting on behalf of the data subject). In other cases, or where the data in question are of a particularly sensitive kind, it may be prudent to seek the signed consent of the data subject. In providing information to members the Council should make clear that it is provided for the limited purpose of assisting the data subject and may not be used for any other purpose. |
|
Offences |
|
|
|
|
|
More complete advice is available from the Improvement and Development Agency (IdeA). |