Tuesday 23rd April 2024,
North Yorks Enquirer


November 6, 2017 Misc


Yesterday, Sunday 5th November 2017, the North Yorks Enquirer published an article of mine addressing the fact that s.17 of the Data Protection Act 1998 requires (inter alia) Councillors at all levels of Local Government (and MPs) to ‘notify’ the Information Commissioner’s Office of their need to be registered as Registered Data Controllers, and to pay a £35.00 registration fee. Most have not done so.

In response to a Freedom of Information request to establish how many, I received the following response:

Our Response

Whilst the ICO conducts sample checks of councillors registered as data controllers and records the results of these checks, we do not hold a definitive list of all councils and associated councillors that are registered. Nor do we hold a list of parish councils linked to local councils.

We do not, therefore, hold the information that you have requested.

However, the Register of Data Controllers is published on our website, here: [1] https://ico.org.uk/esdwebpages/search. You could obtain a list of the councillors for the councils in which you are interested from the councils’ websites and conduct searches of the Register to obtain the information that you seek.

This concludes our response to your request.

I am aware, and the ICO is aware, that many Councillors, especially at the two lower tiers of local government, have not ‘notified’ (and not paid the £35.00 registration fee).

They are breaking the law.

Nevertheless, some corrections and apologies are in order.

For the purposes of making my point in the article, I followed the ICO’s advice and accessed the ICO search facility (linked in the FOIA response) and took, for my examples, the three best-known Councillors in our area (the ‘household names’, as it were): the Leaders of SBC, NYCC and ERYC – respectively, Councillors Derek J BASTIMAN [Con.], Carl LES [Con.] and Stephen PARNABY OBE [Con.] (pictured below, left-to-right in that order), using the addresses officially attributed to them on their respective Councils’ web-sites.

The searches returned negative (see below). On this basis, I incorrectly stated that the three Leaders had not ‘notified’ and were therefore acting outside of the law.

My information was that Councillors were intended to ‘notify’ under their home addresses, since it is at home – in the process of pursuing so-called ‘casework’ – that they are most likely to store personal data belonging to members of the public who have sought their assistance.

My interpretation, then, was that the three Leaders had failed to ‘notify’. This turns out to have been incorrect.

Following a well-meant series of emails from a gentleman whose position it is to overview the processing of ‘notifications’, I have since learned that the matter of the “address” for ‘notification’ is defined as “principle place of business in the United Kingdom”.

With regard to Councillors interacting directly with members of the public (casework) on a daily basis, it is obviously the case that there is a high likelihood that they will work ‘from home’, rather than from their respective County/Town Halls; a considerable amount of citizens’ personal data may well be stored on Councillors’ own private devices, in their homes and on their persons.

Arguably, that would suggest that, for the purposes of data processing, a Councillor’s home address may be considered to be her/his “principle place of business in the United Kingdom” – at least as far as her/his casework as a ward Councillor is concerned. In my view, if such is the case, this would seem to be the proper address for ‘notification’ – it is the location at which personal data is stored and therefore most at risk (fire, theft, loss, damage, carelessness, inadvertent forwarding, etc).

However, I do now recognise that, in the case of the three Leaders, who conduct the vast majority of their data processing in their offices in their respective County/Town Halls, it is by no means inappropriate that they should ‘notify’ under their respective Councils’ addresses – i.e. their “principle places of business in the United Kingdom” – which, quite  properly, all three have done.

Contrary to my assertion, all three have notified. I remain puzzled, though, as to why SBC Leader Councillor BASTIMAN has registered County Hall, Northallerton, rather than at Scarborough Town Hall, as his “principle place of business in the United Kingdom”, and as to why NYCC Leader County Councillor LES has registered at Hambleton Town Hall, rather than County Hall, Northallerton, as his “principle place of business in the United Kingdom”.

It is the case, nevertheless, that I have inadvertently impugned Councillors Derek J BASTIMAN, Carl LES and Stephen PARNABY OBE. I am very sorry to have done so. I take care to establish my facts before publication and on this occasion and I have fallen down the crack between competing interpretations.

Naturally, I have written to the Leaders offering my unconditional apologies. The article has been removed from the web-site.

Councillors LES, BASTIMAN and PARNABY, I am sincerely sorry.

I would like to emphasize, though, that the main thrust of my article remains totally valid – too many Councillors and MPs are treating citizens’ personal data with insufficient regard to their privacy rights under the DPA, and too many are at this moment breaking the law by failing to have ‘notified’ the ICO (and pay their £35.00 registration fees).

Had I picked, rather than the three Leaders, a Councillor at random from each of the three Councils, there is a very high probability that I would have settled upon three Councillors who have not ‘notified’ (and, indeed, know nothing of the legal requirement to ‘notify’) – that would have made my point and it would have spared me, and the three Leaders, unwelcome discomfort.

However, data processing ‘notification’ is a topic to which I hope to return, if and when I can obtain absolute clarification about who exactly must ‘notify’, at what address, and also how any contention over “principle place of business in the United Kingdom” may ultimately be resolved.

I am also interested to know who, ultimately, will be paying for over £1M worth of registration fees – I suspect the taxpayers.

In the meantime, I would urge – and I am hopeful that the three Leaders will join me in this – I would urge all Councillors, at all three levels of local government (and MPs), to ‘notify’ immediately if they have not already done so.

This can be achieved quickly and conveniently on the ICO web-site: https://ico.org.uk/for-organisations/register/

Comments are closed.