|
 
| |
The DPA makes it quite clear that if you are processing data electronically
then you are a data controller and data controllers must register. It is an
offence to process data without being a controller. If a Councillor is in any
doubt about the value of registering, then consider one of the important points
of the DPA; an individual has a right to know what data is being used, and how.
If a resident considers that a decision has been made on incorrect data, then
they can go to the Council, review the data and if it is wrong, get it
corrected. This is fine if the Council holds all the data, but what if the
Councillors have different or additional data? A councillor could claim that
they would never withhold or amend data, but the important thing is that this is
seen to be the case. The whole purpose of registering is to make clear to
everyone what data you hold, how it is to be processed and when.
The key thing to consider is ‘in what capacity is the councillor processing the
data. If it is for constituency matters, they must take advice from their
political office, but I would say that although the list is unlikely to be more
than names and addresses (and marketing lists are exempt from registration), the
list will say something about political affiliation, and as such should be
treated as sensitive.
When a councillor is acting on information supplied by the council for normal
council business, they are recipients of the data and need not register. They
will be required to abide by any security protocols that the council has in
force, and they are not allowed to use the information for any purpose for which
it was not intended. In short, they can be treated as employees.
This only becomes an issue when the councillors’ process data for their own
purposes, this is most likely to be case work for constituents, but could
equally be part of the many residents’ groups and pressure groups that exist.
Here we must look at what is meant by ‘data’; the Act says that it is recorded
data that will be processed automatically; case notes for residents will not
fit-into this category. A councillor does not need to register separately for
this, although it does raise an interesting question; what happens to the case
notes when a councillor retires or is voted-out? Does the Council require them
to hand-over the notes, or confirm that they are destroyed? Once again, things
are made easier if the councillors are treated as employees and required to
sign-up to the data protection protocols of the council.
Finally, if you are registered as a data controller, you only have one
registration but it will have as many sections as you have purposes. The
purposes are all pretty-well understood by now and you can pick them from a
list. So if you have a database for political canvassing, that would be one
purpose and community case work would be another. Each one would have to specify
where the data comes from and to whom it may be disclosed as well as a few other
processy things.
So, to summarise -
• If councillors are processing data for canvassing purposes, it is their
responsibility to notify.
• If they are using data supplied by the council, they are considered to be
employees of the council and therefore bound by the council’s data protection
protocols
• Similarly for casework and case notes, they are acting as an employee of the
council and similarly bound.
|
