Red tape

Dark times on the Wirral, as confidential memos about web filtering fly around, suggesting skullduggery in the corridors of Council power. The headlines are remarkable: “Confidential memo tells shocked Wirral councillors their emails are being read by town hall bosses”, which would be quite a thing if it was true. Following the receipt of offensive emails about Hillsborough, the Chief Executive of Wirral Council suggested that the Council could filter the emails out so that councillors would not receive them. The opposition members worked themselves up into a lather, with one, Councillor Chris Blakeley, declaring: “I think it is outrageous that the council should determine which emails we should receive”. Another, Councillor Lesley Rennie, opined: “My colleagues and I are absolutely appalled that there could have even been a suggestion that emails from the public could be considered for filtering”.

At the risk of starting another barney in the comments, I don’t think the Council was suggesting anything inappropriate. Whatever you think of Wirral Council (feel free not to tell me), I think it’s likely that the Council was simply offering to block offensive emails, rather than making decisions about which emails Councillors receive. The Chief Executive stated that he had received complaints about the emails, so clearly felt that some kind of response was required. As feelings across Merseyside are still understandably raw over Hillsborough, even if the Council response was inelegant, I can see why the offer was made.

However, the Councillors’ reaction and some of the comments on the Wirral Globe’s story (the commenter ‘2040TIM’ sounds like he knows what he’s talking about), raise an interesting question that I suspect many councils and most councillors have not considered. If you are not a Data Protection nerd or a dedicated council watcher, look away now.

Councillors wear up to three hats in the normal course of their activities. As participants in Council Committees and decision-making, they are part of the Council. For Data Protection purposes, they are covered by the Council’s DP notification and any incident or breach involving them would be the Council’s problem. Hat number 2 comes with membership of a political party. They may sometimes receive personal data from their party for campaigning purposes. In this scenario, the party is responsible for Data Protection. The strangest hat is the one they wear as constituency representatives. Here, neither the council nor the party is responsible. The Councillor is a Data Controller in their own right.

Much of the controversy about Councillors and Data Protection revolves around the technical issue of notification (still often called ‘registration’, despite that term belonging to the 1984 Act), and in particular who pays for it. Some councillors notify, some don’t. One Wirral blogger was told by a councillor that notification was ‘a load of tosh’, which is an odd way for an elected representative to describe a legal requirement. Some councils pay for all of their councillors’ notifications, some don’t. However, despite the fact that numerous councillors across the UK remain without a notification, and despite the fact that the ICO has prosecuted estate agents, bar owners, solicitors and hairdressers for non-notification, no councillor in the UK has ever been prosecuted for non-notification.

The reason for this is probably that by prosecuting an errant elected member, the ICO would be crossing Eric Pickles, the Secretary of State for Communities and Local Government and an opponent of the ‘red tape’ that member notification represents. In 2011, Pickles told Conservative Home that notification for members was a ‘tax on volunteering’. In 2013, he proposed amending the DPA to exempt parish and town councillors from notification altogether (which is a good idea) and allowing councils to make a single payment for all Councillors’ notifications, which is unnecessary given that since the middle of the last decade, the ICO has accepted notification forms for all of a council’s members in one go with a single payment. I know this, because I used to do the notifications for my council’s members.

But this is all a red herring. Notification is an administrative tick-box. Under the 1984 Act, if you processed data electronically, you were covered by the Act and you had to register. If you didn’t process data electronically, you didn’t have to register and you didn’t have to comply. Under the 1998 Act, you have to comply regardless of whether you notify. If you’re exempt from notification, you still have to comply with all other aspects of the 1998 Act. If you refuse to notify, you’re committing an offence, but you still have to comply with all other aspects of the 1998 Act.

Just before Christmas, another Northern Council – Craven Council in the Yorkshire Dales – had a councillor / Data Protection controversy. The Council proposed rolling out iPads to its elected members as part of an upgrade to its IT security. Some councillors objected, and one Independent member was reported as offering “to sign up as his own data handler”, in other words, he was offering to notify as a data controller in order to avoid having the iPad. And so we come to the punchline. The Councillor was already a Data Controller whether he liked it or not. All councillors have to ensure that they are compliant with the DPA for the areas not covered by the Council or their party. Notification – and who pays the £35 – is just about the least significant aspect of this process.

For one thing, Councillors are Data Controllers for any equipment, any email account, any electronic system that they use to communicate with their constituents. The Council is their Data Processor in this context. Buried deep in the back of the Data Protection Act are surprisingly specific requirements for the relationship between a Data Controller and Data Processor – there must be a contract made or evidenced in writing, security guarantees given by the processor (the Council) to the Controller (the Councillor), and a reasonable check that the contract is being complied with. In other words, if the Wirral Councillors up in arms about what may or may not be happening to their emails have not obtained a written contract from Wirral, ensuring that Wirral will act only on their instructions when handling their constituency correspondence, the Councillors are in breach of the Data Protection Act. The Council – as a data processor – is not.

It goes further. Councillors should clearly inform their constituents about the way in which their data is used. They should respond to subject access requests. The Wirral Councillors are upset about what they believe is happening to their Wirral.gov.uk email addresses, but many Councillors use Hotmail or Yahoo mail for constituency business, or at the very least have all of their Council emails auto-forwarded to an outside account. This not only carries security risks that might breach the 7th DP principle, but also raises the spectre of the 8th Principle, which governs how to transfer information outside the European Economic Area (many web-based email providers use servers outside Europe).

Many senior Council officers and IT and DP specialists will weep at the thought, and I can think of one or two who will give me a smack for bringing it up. But Councils cannot dictate to their Councillors. It is clearly logical for Councillors to use systems and kit provided to them by the Council, but ultimately, they are responsible for a big slice of the data that they use as part of their work and it’s their decision. The Council is a processor, a service provider. Sticking with the robust corporate system is a reasonable idea, but they can work outside of it and if they do, Councillors are wholly responsible for what happens. In the meantime, any Councillor planning to kick up a fuss about emails or iPads or anything else should remember that if something goes wrong, the Council has a get-out-of-jail-free card for non-Council business. Perhaps they should be more shocked about that.

Comments

  1. All good, except the council has and is being notified of ££multi-million fraud regarding central government money, has sat on its hands ever since it was notified by two whistleblowers. The PR says the place has “improved”, so this must sweep all before it.

    The full info’s out there, but would take time to collect. So you weren’t to know.

    The “Load of Tosh” councillor sits on the Audit and Risk management committee.

    Why should WE pay for notification of 66 councillors who it appears stand for election, and as part of that, assume responsibility for the data and information that they create or receive onto their systems?

    • I agree with you about the fee. I do not think it should come out of the Council’s budget. However, as notification is likely to be abolished when Data Protection is reformed in the next few years, I think Councillors and their constituents should concentrate on whether the Councillors properly comply with the Data Protection Act.

  2. I will refer to hat 2 (councillors acting in their party political capacity).

    In May 2011 Councillor Alan Brighouse (who is a Lib Dem councillor on Wirral Council) received a subject access request from me for an email which was sent to his email address and a fellow councillor’s email address on a party political matter. The subject access request was also sent to the Lib Dem’s Chief Executive too. After 40 days when Councillor Alan Brighouse (and the Liberal Democrat Party) did not provide a copy of said email to me, both received a letter giving them 14 days to comply otherwise they would be sued.

    In September 2011 both were sued in the Birkenhead County Court. Around this time the Lib Dem’s Chief Executive handed in his notice and the Lib Dems tried to get both defendants changed to their Chief Executive (instead of Cllr Alan Brighouse on behalf of the Birkenhead Liberal Democrats and Liberal Democrats (the Federal Party) on behalf of the Liberal Democrats). Liberal Democrats (the Federal Party) is the Lib Dem HQ down in London.

    I made an application in October 2011 for the defendants to revert to the original two, which was heard in December 2011. The Judge agreed that the case should proceed with the two defendants.

    In April 2012 over two hours (in a court room) the case was heard before Deputy District Judge Ireland. Councillor Alan Brighouse appeared along with another Liberal Democrat Party member to act as his McKenzie Friend. Before the case was heard, the issue of financial losses of the Claimant arising from not answering the subject access request had been settled between the two parties in a compromise in September 2011.

    Deputy District Judge Ireland awarded the claimant (myself) a court order issued under s.7(9) of the Data Protection Act 1998 as she found that both defendants had failed to respond to the subject access request.

    The most amusing part of that hearing was the politician had given long waffley non answers to Deputy District Judge Ireland’s questions which was clearly annoying her. She retorted with “Just answer the question yes or no!” and I had to restrain myself from smiling at a deputy district judge demanding a politician answer a question.

    After I had the court order the defendant Councillor Alan Brighouse said that the email it pertained to had since been deleted, however he sent me a printout of what he thought was an attachment to it.

    So yes, councillors in their party political capacity are subject to the provisions of the data protection act. Councillor Alan Brighouse is currently a candidate for the Liberal Democrats in Oxton ward.

    The only other thing to arise that was partly related to the above in answer to a standards complaint is that the Lib Dem councillors were reminded that they shouldn’t be using council email addresses for party political matters.

    • Thanks very much for this detailed account. I’m aware of very little action in this context (from the ICO or the courts), so your case is really interesting.

      • At the time it was happening, I know ICO back in 2012 had a guide on its website as to what the next steps were if a subject access request wasn’t complied with. If I remember correctly, the two options at that stage were either ask a court for an order under s.7(9) or complain to ICO.

        ICO’s website is slightly different now. They do still have template letters here, however the letter under the heading “What can I do if the organisation does not respond?” just states that the person will make a ‘request for assessment’ to the Information Commissioner’s Office (ICO).

        I do know that the data protection side at ICO is better funded than the FOI side. So it’s possible ICO’s intervention over a subject access request matter would be quicker than waiting a few months for a court order instead.

      • That might be true in some cases, but it depends on the organisation. The Commissioner is likely to find ‘compliance unlikely’ if an organisation of any kind does not properly respond to a subject access request. However, the ‘compliance unlikely’ letter is sometimes all they will do. So an organisation that will effectively fall in line will do as they are told (and many do). But any organisation that wants to be bullish is not likely to be on the receiving end of enforcement action. It certainly hasn’t happened up to now with subject access (i.e. enforcement action). The courts – difficult though they may be to negotiate – are more likely to come up with a result that can be enforced.

      • Well yes, because not complying with a court order is contempt of court.

        However suing isn’t something that anyone does lightly. A subject access request case would end up on the small claims track and would usually not be listed quickly or mean parties would require legal representation or be entitled to be awarded legal costs (other than the financial loss/compensation element through not replying to the subject access request).

        I’m not aware of any other cases in the courts that involved a councillor and a subject access request. If you are interested in the papers I filed with the court in the case, send me an email to john.brace@gmail.com and I’ll be happy to forward them to you.

        Both defendants filed a further page of A4 each with the court (but not on the claimant) which is a breach of one of the Civil Procedure Rules and was brought up at the hearing.

  3. Jim Whitaker says:

    I’m not sure that something being a legal requirement stops it being “a load of tosh”.
