Data Protection Act
General advice for the elected members of The Moray Council
The Data Protection Act 1998 came into force on 1 March 2000. It regulates the holding and processing of personal data, that is information relating to living individuals, which is held either on computer or in some cases in manual form. The Act gives enforceable rights to individuals (data subjects) and places obligations on those legal persons who control the manner and the purpose of the processing of personal data (data controllers). Data controllers must notify the Data Protection Commissioner of the details of their processing. These details are published by the Commissioner in the register of notifications. Data controllers must also comply with eight data protection principles, which together form an enforceable framework for the proper handling of personal data.
In considering whether they need to notify, elected members must decide in which capacity they process personal data.
- As members of the Council they may have access to and process personal data in the same way as employees. The data controller is the Council rather than the elected member. An example is of a member of a housing committee who has access to tenancy files for the purpose of considering whether or not the Council should proceed with an eviction. In this case the elected member is not required to notify.
- When councillors act on their own behalf, they are likely to have to notify in their own right. Examples include, the processing of personal data in order to timetable surgery appointments or progress complaints made by local residents. When campaigning within their own political parties for adoption as a prospective candidate for a particular ward they also act as individuals and can only rely upon the notification of their parties if as a matter of fact the parties control the manner and the purpose of the processing of personal data for the purpose of their individual campaigns.
- When acting on behalf of a political party, however, for instance as an office holder or as an official candidate, members are entitled to rely upon the data protection notification made by the party.
There is an important exemption from notification where the only personal data, which are processed, take the form of non-automated or manual records. However, even if this is the case and there is no notification requirement, elected members must comply with the other requirements of the Data Protection Act, in particular meting the standards set out in the 8 data protection principles.
A standard form of notification for elected members has been prepared in order to simplify the procedure. Any elected members who believe that they need to notify should contact the Commissioner’s Notification Dept (telephone 01625 545740).
Use of personal data
When considering whether it is permissible to make use of personal data for any particular purpose, elected members must first consider the context in which that information was collected, and in particular, who is the data controller for the data.
- Information, which is held by the local authority, may not be used for political or representational purposes unless the individuals to whom the data relate (the "data subjects") have agreed. Thus it would not be permissible to use a list of the users of a particular Council service (e.g. members of libraries) for electioneering purposes (e.g. a campaign against the closure of public libraries) without the consent of those individuals. Similarly it would not be permissible to use personal data to which the elected member had access in an official capacity, say a member of the Housing Committee, in order to progress complaint on behalf of a local resident unless all the individuals concerned has consented.
- When campaigning for election as the representative of a political party, candidates may make use of personal data held by their parties such as mailing lists and of personal data, which they hold as elected members. For instance, it would be permissible to seek support from local residents whom the candidate has assisted in the past as a Councillor. It would not, however, be permissible to disclose the details of those local residents to the party without consent.
- When campaigning for election to an office within a party, it is only permissible to make use of data controlled by the party if authorised to do so by the party and its rules. It would be wrong, for instance, to make use of information, which the candidate might have, in his or her capacity, say as the local membership secretary unless the party itself had sanctioned this.
The Data Protection Act contains a number of criminal offences. In particular:
- Processing personal data unless a notification has been made to the Commissioner. A councillor who made use of a computerised list of library members or tenants for electioneering purposes would commit an offence if he or she had not notified.
- Making disclosures of personal data, which have not been authorised by the data controller. An elected member who disclosed personal data to his or her party for electioneering purposes would potentially commit this offence.
- Procuring unauthorised disclosures of personal data. An elected member who obtained a copy of personal data ostensibly for council purposes but in reality for his or her personal use or the use of his or her party would commit an offence.
Further general advice on the Data Protection Act is available from the Commissioner’s office or via the Information Line(01625 54574).