The Information Commissioner (ICO) has published the results of an Information Governance survey carried out last year in relation to local government. The survey highlights some key areas that local authorities will need to address in order to prepare for the General Data Protection Regulation (GDPR).

What are the key findings?

The survey identified a number of issues:

  • A quarter of local authorities do not have a data protection officer (DPO). The GDPR requires public authorities to appoint a DPO.
  • More than 15% of local authorities do not conduct data protection training for their employees.
  • A third of local authorities fail to use privacy impact assessments (PIAs). Conducting a PIA will be mandatory for certain types of processing.
  • 37% of local authorities do not have a data sharing policy.

Employee training on data protection

The findings in relation to staff training are particularly surprising given that the failure to carry out data protection training is a factor that the ICO will take into account when deciding whether or not to issue a Monetary Penalty Notice following a failure to comply with the Data Protection Act.

Concerningly, fewer than half of the local authorities that responded said that completing data protection training was a pre-condition of systems access.

Going forward, employee training will become even more important as organisations will be required to demonstrate that they are complying with the GDPR. That means being able to show that staff understand the organisation's data protection policies and the requirements of the GDPR.

Privacy impact assessments

PIAs help organisations identify the privacy risks of a proposed project or new processing and the steps that can be taken to mitigate those risks. PIAs currently form part of the ICO's best practice guidance, but will become mandatory for certain types of processing.

A PIA can help an organisation demonstrate its compliance with the GDPR and ensure that new projects adopt Privacy By Design and data minimisation. In the absence of a PIA, an organisation may not be able to show that privacy issues were properly considered at the outset and that due thought was given to matters such as the basis upon which processing is carried out or the security measures that are adopted.

Data sharing with other organisations can often raise data protection issues. A data sharing policy and a PIA can be particularly helpful in identifying whether a proposed data sharing arrangement is lawful and the controls that should be put in place to regulate the data sharing.

How should local authorities prepare for the GDPR?

The first step is to carry out an information audit or prepare an information asset register to identify what information is processed by the authority.

The ICO's survey identified that just 17% of local authorities have prepared an information asset register. Only once an organisation has identified what information it processes (and why) can it then work out what steps it needs to take to comply.

The GDPR raises a number of specific challenges for public authorities.

The GDPR tightens up the legal basis upon which public authorities can process personal data, by limiting the ability of those organisations to rely upon consent as a basis for processing or the legitimate interests condition. Local authorities that currently rely upon the legitimate interests condition to process any personal data will therefore need to identify another lawful basis for processing - for example, a statutory basis. That will require local authorities to look at their statutory functions and identify any areas where existing processing activities do not fall within those functions.

It is not yet clear how these restrictions will apply to, say, commercial activities undertaken by public authorities or services provided through arms' length subsidiaries or on their behalf on an outsourced basis.

The GDPR comes into force on 25 May 2018. To find out more about the GDPR and how we can assist, download our two-page summary of the GDPR.


Martin Sloan