Local authorities and the General Data Protection Regulation (GDPR): 8 Practical Steps for Compliance

Background

There has been much media coverage about the new data protection laws (GDPR), which come into force on 25 May 2018, and the new Data Protection Bill currently going through parliament which is also expected to become law next year.  Media commentary has focussed on the potential for eye-watering fines that may be levied for non-compliance – though in reality these are likely to be reserved for the most serious of breaches.

Given the wide range of data that is collected and processed by local authorities, data protection compliance is important.  Employees and service users will expect that their public services have policies and procedures in place to ensure that their personal information will be processed fairly, securely and lawfully.

With budgets already squeezed, local authorities may see GDPR as yet another regulatory compliance burden.  A recent survey by Blake Morgan revealed that 40% of respondents across both public and private sectors admitted to not having taken any steps towards compliance, and the ICO's own survey of local authorities earlier this year revealed that most still had a long way to go to achieve compliance.

As employees are increasingly able to benefit from agile and remote working practices and more public engagement is carried out online through websites, apps and email communications, GDPR compliance is also an opportunity to review resilience to cyber security threats.

The management time involved in dealing with a security breach (e.g. service user data is stolen or corrupted, or your IT systems are literally 'held to ransom') is likely to far outweigh any possible sanctions the ICO (the Information Commissioner's Office, the UK regulator in this area) might levy on you.

GDPR is introducing more rigorous obligations on local authorities and other public sector bodies to be more transparent with individuals about how and why data is collected and used, and at the same time restricting the availability of the easy option of "legitimate interests" as a ground for processing of personal data.

However, with the right approach, the burden of compliance is relatively light as GDPR is building on existing law.  This short guide sets out 8 practical steps you can take to enable you to move towards GDPR compliance.

1. Audit the personal data you hold

The GDPR only applies to personal data – information about living individuals – as simple as a name, an e-mail address, a phone number, an address and so on or as complex as HR records.  This assessment/audit will form the background for the other practical steps below as well as helping you comply with the GDPR requirement of "accountability".

  • Assess what personal data you hold and process within each service area, and document what it is, where it came from, what you do with it and who you share it with. 

Local authorities are complex organisations.  You receive data from a number of sources and share it with many different agencies.  Breaking the audit down into individual service functions will make the task more manageable. If you do not know what information you have and how it is used, how can you begin to meet your GDPR obligations?

2. Appoint a Data Protection Officer and carry out Privacy Impact Assessments

The GDPR requires local authorities (who handle substantial and sensitive personal information) to appoint a responsible officer to act as an independent overseer of compliance processes.  If you have not already appointed a DPO, this individual will need to have appropriate knowledge of your organisation and its procedures as well as data protection laws. A Privacy Impact Assessment will identify the threats to personal data from within and outside the local authority. Data sharing also needs to be looked at in relation to any use of Arms-Length Management Organisations (ALMOs) as well as relationships with other third parties – who may be a processor on behalf of the local authority, or another controller in their own right depending on the specific circumstances.

  • All significant business and operational changes involving data will need a Privacy Impact Assessment to identify threats and risks, and measures to be taken to mitigate those risks.
  • A Privacy Impact Assessment should be in place for all significant transfers of personal data to third parties.
  • Review existing Data Sharing Arrangements with third parties to ensure that they remain appropriate and will enable all parties to meet their GDPR obligations from May 2018.

Both appointing a DPO and carrying out Privacy Impact Assessments will assist your organisation to comply with the GDPR requirement of "accountability".

3. Tell people how you process their data

Key to the GDPR is the concept of "transparency" – that "data subjects" (the people whose personal data you hold) know what personal data you collect on them and how it will be used, and how it will be shared.  GDPR will require you to update your privacy policies/notices:

  • Review and update your privacy policies/notices and provide additional information to data subjects including how long you retain the data, that a data subject has a right of complaint to ICO, and what the lawful basis for processing the personal data is.
  • Review how and when you communicate with individuals where data is obtained from third parties.
  • Review the language and tone of notices to ensure that all service users can easily read and understand them.

For local authorities the lawful basis for processing personal data is changing.

Local authorities will no longer be able to rely on "legitimate interests" as a condition for processing. This will require you to be more considered and specific about the use of data to identify the correct lawful conditions to meet the "fairness" and "transparency" requirements.

In addition, there are new requirements that will need to be met in order to rely on consent from an individual. Under the GDPR consent must be freely given, specific, informed and unambiguous – you can't infer consent from silence or pre-ticked boxes.  Also if you decide to rely on consent the data subject can revoke their consent at any time.

Local authorities deal with vulnerable individuals in difficult situations – the new privacy notices need to be accessible to all service users, from children and young people, to vulnerable adults and the elderly as well as those who care for them.

4. Be alert to the rights of data subjects

The GDPR gives data subjects, the people whose personal data you hold and process, a number of important rights.  These are similar to the rights that already exist but have been enhanced.  Some of these rights e.g. the right to be forgotten (to have personal data erased) and the right to data portability (to have your personal data given to you or to others at your request in a machine readable format) have received much media coverage.

The fact that the timetable to respond to a request for subject access has been reduced to a calendar month, and that you cannot charge, has been less widely publicised.

  • Ensure you are able to respond to requests by data subjects to have their data corrected, erased, to stop the processing of their data (e.g. for direct marketing) and to have access to their data (data subject access requests (SARs)).

5. Take IT security seriously

It is not a new requirement to ensure that the personal data you hold and process is appropriately protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, "using appropriate technical or organisational measures".  The Privacy Impact Assessment will enable you to identify the potential risk of harm if data is compromised, and inform the adequacy of protection.

What is new is that personal data breaches must in the majority of cases be notified both to ICO and to the data subject, where there is a serious risk of harm.  A personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". Given the often sensitive nature of personal data processed by and on behalf of the local authority, this is a very broad definition which could encompass e.g. hacking, losing a memory stick or a laptop containing personal data, or suffering a malware or ransomware cyberattack where personal data is corrupted or encrypted.

  • Use the GDPR as an opportunity to review your IT security and policies.  Be aware that in most cases you will have to notify any personal data breaches to ICO within 72 hours after becoming aware of them, and if the breach is high risk then you must tell the data subjects affected as well.

6. Review your IT and data processing contracts

You cannot contract out of the GDPR by using someone else to process personal data on your behalf.  You as "data controller" remain primarily liable for GDPR compliance although the "data processor" you appoint will also be liable.  Where you appoint a data processor you must do so under a contract containing certain required safeguards e.g. as to security and how the data will be processed.  Also, if you are "exporting" personal data outside the EU, e.g. to a processor in the USA, then this will not be lawful unless certain additional safeguards are in place as well.

  • Review how and where you use data processors. Are the contracts you have in place up to date?
  • Also, check if any personal data is exported outside the EU – if it is, on what legal basis is this permitted?

7. Empower employees to take personal responsibility for GDPR compliance

You are more likely to comply with the GDPR if all those in your business are aware of the basic rules around the collection and processing of personal data.  A significant proportion of complaints to, and enforcement actions taken by, the ICO against local authorities come down to a lack of training and awareness, or an individual lapse in concentration. Better knowledge and understanding amongst all frontline and back-office staff will make them more alert to issues before a breach occurs.

  • Raise awareness of data protection in your business and ensure staff are fully aware of their own responsibilities.

8. Review your employment practices, procedures and contracts

Local authorities are significant employers processing a wide range of HR data.  GDPR compliance applies to both service user and employment data.  This means that the above steps will also apply to this information.  Note that employers cannot, in general, rely on the employee's consent alone as a legal basis for processing employee data – other grounds need to be found.  The GDPR will impact on employment practices and procedures as well as HR contracts and policies.

  • Do not forget that the GDPR also applies to HR data.  The law will need to be complied with when recruiting, managing, training and paying staff.  HR documentation including employment contracts will need to be updated to reflect the GDPR.

Further information

Please contact the author, Elisabeth Bell, Legal Director, Blake Morgan for further information on how to comply with the GDPR:

Tel: 0118 955 3045 Email: elisabeth.bell@blakemorgan.co.uk