News and Press

Councils not GDPR compliant

A new study by Clean Contacts reveals that only 12 per cent of UK councils are compliant with GDPR when it comes to Article 5, Principles Relating to Processing of Personal Data.

We sent a Freedom of Information request to all UK councils in August asking how they kept their personal data up to date and accurate, particularly with regard to home movers and people who have passed away.

Twelve per cent of councils admitted that they do not keep their data up to date and do not have any processes in place to clean or delete data.

Twenty per cent of councils provided a vague affirmative that they had a process to keep records clean but did not specify what these were or how regularly the data was updated.

One council located in the South West of England responded “we do clean our data if we are aware of individuals who have either passed away or have moved house.”

Thirteen per cent of councils refused the request on the basis that it would be too costly and time-consuming to respond.

One council in Wales said “I can confirm we do hold the data you are requesting. However, this information is exempt from disclosure under Section 21 of the Freedom of Information Act (FoIA), as it is already reasonably accessible to you”, citing their online retention schedule. The link, however, was inactive.

Fifteen per cent of councils requested clarification as to what was meant by ‘data accuracy’ or ‘consumer data’ despite the question using the explicit wording given in GDPR Article 5.

Over a quarter of councils (28 per cent) admitted that they only updated their data when informed by a constituent that they had moved house or that a family member had passed away.

A council in the East of England responded: “We rely on information updates from residents in order to keep our data up to date. Whenever we receive information we update databases to that effect. This is an ongoing process rather than a regular scheduled update.”

Other interesting responses included one council which believed that it “does not hold any data” and another that has “ongoing procedures in place to ensure that the information it holds is accurate and were (stet) necessary up to date, in accordance with the Data Protection Act.” Unfortunately, the DPA was superseded by GDPR in 2018. 

Comments Ben Warren, Clean Contacts:

“Data hygiene is a clear part of GDPR and by failing to have specific and regular processes in place to keep data accurate and up-to-date, many councils in the UK are not compliant with the current data protection law. The fact that only 12 per cent believe that they are compliant shows that more education and work is needed by the public sector. The irony is that it has never been easier or cheaper to keep data clean!”

 

