This article has been revised in August 2019 to reflect the clarifications made by the ICO regarding Parish Councils.
When this article was originally published in early 2018, the information provided by the ICO was vague and left many organisations and businesses unsure of how to achieve compliance. It has since been updated, in August 2019, to reflect the current position for Parish Councils and GDPR.
We’ve seen many good publications that are specific to Parish Councils and GDPR compliance. NALC have issued a GDPR toolkit for their members that should enable most Parish Councils to work through their responsibilities including the appointment of a Data Protection Officer which in itself is causing some distress. See this article published recently about NALC Chairman Sue Baxter who has written to the Secretary Of State for clarification.
What is GDPR In A Nutshell?
GDPR (General Data Protection Regulation) is a whole system of regulations, systems, rights and principles that aims to protect the personal data of every EU citizen. It comes into effect on the 25th May. The GDPR legislation documents are huge and set out to give a person more rights over the data that an organisation holds on them, but in a nutshell, the main points are as follows:
- A person can request to see all the details that you hold on them, in both human- and machine-readable format.
- A person can request that you delete all the personal data that is held by an organisation.
- You need to state a valid reason for gathering and processing their data.
- You need to ask for consent when you gather data.
- You need to provide people with a way of withdrawing that consent at any time.
- You need to take precautions to protect personal data that you have gathered.
GDPR Compliance For Websites
As we specialise in providing transparency compliant websites for parish councils, this article sets out to explain how to ensure that your online presence can comply with the new GDPR regulations.
The GDPR regulations state that consent for cookies must be given and not assumed. Furthermore, any cookie that tracks the user must stay deactivated until consent is given. Cookies such as those set by Google Analytics are capable of tracking, so they must not be set until consent is obtained.
Consent must be granular, and if consent is not given the user should still get the same experience as someone who has given it. Also, consent must be able to be withdrawn at any time.
You can read more about this here.
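The three requirements above (no tracking cookie before consent, per-category consent, withdrawal at any time) map onto a small piece of front-end logic. The following is an added example written for this article, not code from the original page or from any package it describes. The cookie names `_ga` and `_gid` are assumed for the analytics tool, the `cookie_consent` record name is made up, and the cookie store is injected so the logic can be run and checked outside a browser.

```javascript
// Added example: a granular cookie-consent gate.
// - Nothing in the "analytics" category runs until the visitor explicitly opts in.
// - Consent is stored per category; a missing or malformed record never counts as consent.
// - Withdrawing consent records the change and removes the tracking cookies.

const CATEGORIES = ['necessary', 'analytics']; // 'necessary' is always on and needs no consent

// Assumed cookie names set by the analytics tool, so that withdrawal knows what to clear.
// Real names depend on the tool you deploy.
const TRACKING_COOKIES = { analytics: ['_ga', '_gid'] };

class ConsentManager {
  // store: { get(name), set(name, value), remove(name) } over cookies
  // loaders: category -> function that injects that category's script
  constructor(store, loaders = {}) {
    this.store = store;
    this.loaders = loaders;
    this.loaded = new Set();
  }

  // Read the stored record. Only an explicit boolean true grants a category;
  // absence, a non-boolean value or unparseable JSON all mean "not given".
  current() {
    let saved = {};
    try {
      const raw = this.store.get('cookie_consent');
      if (raw) saved = JSON.parse(raw);
    } catch (e) { saved = {}; }
    const consent = { necessary: true };
    for (const c of CATEGORIES) if (c !== 'necessary') consent[c] = saved[c] === true;
    return consent;
  }

  isAllowed(category) { return this.current()[category] === true; }

  // Record a granular choice, e.g. grant({ analytics: true }). Categories not
  // mentioned keep their previous value; unknown categories are ignored.
  grant(choices) {
    const consent = this.current();
    for (const [c, v] of Object.entries(choices)) {
      if (CATEGORIES.includes(c) && c !== 'necessary') consent[c] = v === true;
    }
    this.store.set('cookie_consent', JSON.stringify(consent));
    this.apply();
    return consent;
  }

  // Withdrawal is just a grant of false, which also clears that category's cookies.
  withdraw(category) { return this.grant({ [category]: false }); }

  // Load scripts for allowed categories (once) and clear cookies of refused ones.
  // Call this on every page load, before any tracking script tag would run.
  apply() {
    for (const c of CATEGORIES) {
      if (c === 'necessary') continue;
      if (this.isAllowed(c)) {
        if (!this.loaded.has(c) && this.loaders[c]) { this.loaders[c](); this.loaded.add(c); }
      } else {
        for (const name of TRACKING_COOKIES[c] || []) this.store.remove(name);
      }
    }
  }
}

// In-memory cookie jar so the example runs without a DOM. In a page you would
// implement the same three methods over document.cookie.
function memoryStore() {
  const jar = new Map();
  return {
    get: (n) => (jar.has(n) ? jar.get(n) : null),
    set: (n, v) => { jar.set(n, v); },
    remove: (n) => { jar.delete(n); },
    names: () => [...jar.keys()],
  };
}

// Worked scenario: first visit, opt in, then withdraw. Returns a trace of each step.
function demo() {
  const store = memoryStore();
  let analyticsLoads = 0;
  const loaders = {
    // Stands in for injecting the analytics script tag; constructed cookie values.
    analytics: () => { analyticsLoads++; store.set('_ga', 'GA1.1.constructed'); store.set('_gid', 'constructed'); },
  };
  const cm = new ConsentManager(store, loaders);
  const steps = [];
  cm.apply(); // page load with no consent record: nothing loads, nothing is set
  steps.push({ step: 'first visit', analyticsLoaded: analyticsLoads, cookies: store.names() });
  cm.grant({ analytics: true });
  steps.push({ step: 'opt in', analyticsLoaded: analyticsLoads, cookies: store.names() });
  cm.withdraw('analytics');
  steps.push({ step: 'withdraw', analyticsLoaded: analyticsLoads, cookies: store.names() });
  return steps;
}
```

Two points worth noting from the design: a script that has already been injected cannot be unloaded by JavaScript, so after withdrawal the tracking cookies are removed and the script is simply not injected again on the next page load; and the check treats anything other than an explicit `true` as refusal, so an old or tampered record (for example `{"analytics":"yes"}`) cannot be mistaken for consent.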
The ICO website gives some guidance on creating your privacy notice. Some of the brief tips that the ICO gives include:
- use clear, straightforward language;
- adopt a simple style that your audience will find easy to understand;
- not assume that everybody has the same level of understanding as you;
- avoid confusing terminology or legalistic language;
- draw on research about features of effective privacy notices when developing your own;
- align to your house style. Using expertise, for example in-house copywriters can help it fit with the style and approach your customers expect;
- align with your organisation’s values and principles. Doing so means that people will be more inclined to read privacy notices, understand them and trust your handling of their information;
- be truthful. Don’t offer people choices that are counter-intuitive or misleading;
- follow any specific sectoral rules as well as complying with data protection law, for example in advertising or financial services sectors; and
- ensure your privacy notices are consistent across multiple platforms and enable rapid updates to them all when needed.
Example GDPR Privacy Notice
The Anytown Parish Council will be referred to as the ‘Controller’ of the personal data you provide to us. We will only collect basic data, which does not include any special categories of information or location-based information. This can, however, include name, address, email and phone number.
Why we collect your data
We need to know basic data in order to provide a service. We will not collect any personal data from you we do not need in order to provide and oversee this service to you.
What we may do with your data
All the personal data we process is processed by our officers for the purpose of Parish Council business. This information is located on servers within the European Union. No third parties have access to your personal data unless the law allows them to do so.
We have a Data Protection regime in place to oversee the effective and secure processing of your personal data. More information on this framework can be found on our website.
How long we keep your data
We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years after which time it will be destroyed. Your information we use for marketing purposes will be kept with us until you notify us that you no longer wish to receive this information.
What we would also like to do with your data
If you have contacted us via email or contact form then we will use the data you have provided to process your request. If you have subscribed to website updates or newsletters then you will receive those until you unsubscribe.
What are your rights
If you believe the information we may have is inaccurate then you can request to see this information and ask to have it corrected or deleted. If you wish to raise a complaint on how we have handled your personal data, you can contact us at DPOemail@anytownparishcouncil and request that we investigate. If you are not satisfied with our response or believe we are processing your data improperly then you can complain to the Information Commissioner’s Office: https://ico.org.uk/
Having an SSL certificate ensures that the data passed between the user’s computer and your website is encrypted in transit. This is necessary even if you just have a contact form or if visitors are able to subscribe to your updates. The major browsers such as Google Chrome and Safari are already rolling out warnings to visitors who are visiting non-HTTPS websites, so it makes sense to go down the SSL route anyway. Our premium and standard packages come with an SSL certificate included.
Does a Parish Council require a DPO?
A DPO or Data Protection Officer must be nominated by any public authority or body that is processing data. It was therefore the general understanding that Parish Councils would fall under this ruling.
Since GDPR came into effect, however, the ICO has clarified the situation and states:
Section 7 of the DPA 2018 defines what is a ‘public authority’ for the purposes of the GDPR.
It says that the following (and only the following) are ‘public authorities’:
- a public authority as defined by the Freedom of Information Act 2000,
- a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002, and
- an authority or body specified or described by the Secretary of State in regulations;
and they are only public authorities for GDPR purposes when they are performing a task carried out in the public interest or in the exercise of official authority vested in them.
However, section 7(3) of the DPA 2018 says that the following are not public authorities for the purposes of the GDPR:
- a parish council in England;
- a community council in Wales;
- a community council in Scotland;
- a parish meeting constituted under section 13 of the Local Government Act 1972;
- a community meeting constituted under section 27 of that Act;
- charter trustees constituted
  - under section 246 of that Act,
  - under Part 1 of the Local Government and Public Involvement in Health Act 2007, or
  - by the Charter Trustees Regulations 1996.
While you are not a public authority for GDPR purposes, this does not affect your status as a public authority under any other legislation.
In summary, if you aren’t a public authority for the purposes of GDPR then you don’t need to appoint a DPO. You can read the full article on the ICO website by clicking here.
A Simple Compliance Solution For GDPR For Parish Councils
We realise that the regulations are difficult to navigate and that an organisation’s website is often the main point of data collection. With that in mind, our Premium package now includes GDPR compliance.
This package includes:
- SSL certificate installed and configured. This ensures that any data passed between the user and the website is encrypted.
- Additional functionality to allow data subjects (users) to automatically download and delete any personal data (email subscribers, newsletter subscribers etc.)
- GDPR compliant cookie consent function to allow the visitor to grant and withdraw access in compliance with GDPR regulations.
Our basic package comes without an SSL certificate. More importantly, it also doesn’t come with a contact form facility, as this would require an SSL certificate. Technically, if you aren’t offering a means of contact then you don’t need an SSL certificate.
One thing to consider, however, is that from July 2018 Google’s Chrome browser displays a ‘Not secure’ message to visitors when they visit a website that doesn’t have SSL. Other browsers are also implementing this same feature. Seeing this type of warning can be alarming for visitors, especially on a local authority website. It’s for this reason alone that we strongly recommend the Standard or Premium package.
You can view our Parish Council website packages here. If you have any questions then please don’t hesitate to get in touch.