We have been approached by a number of Councils regarding NALC L10-17 Data Protection Officer advice.

As a result, I have been in touch with the Information Commissioner's Office (ICO), who oversee Data Protection and Freedom of Information, including the GDPR and new legislation in the UK.

The ICO were not aware of NALC L10-17.

I will take each of the points put forward by NALC regarding the reasons why a Clerk cannot be a Data Protection Officer and address them in accordance with the ICO advice.

  1. An absence of conflicts of interest (which may arise from responsibilities as Clerk/RFO and may include processing activities)

The ICO said that, as long as the DPO could show clear decision making, it could demonstrate independence from the other role.

LCPAS will produce a proforma which will show a clear timeline of compliance and decision making regarding each request and its outcome. The Council would keep this as evidence.

  2. Independence

The ICO said that it was for each individual Council to be satisfied that the DPO role could be undertaken by one of its officers (in line with the statement above).

  3. Expert knowledge of data protection law and practices and related professional ethics to effectively advise and influence full council

The Clerk as the DPO would advise the Council on Data Protection law and procedure. Expert advice and knowledge can be sought from ICO, LCPAS, NALC, CALCs and SLCC on compliance, on individual access requests, etc. This is much greater support than other organisations, charities and businesses will have access to, which is why you are members of or subscribe to these services, and as such you can meet the requirements.

  4. Adequate time to perform DPO role

The Council will need to budget in order to take measures that will bring the Council into compliance. LCPAS have already provided relevant privacy notices and consent forms, free to our subscribers or for purchase on our website for £30.00. We will shortly be providing a template for undertaking Personal Information Audits, including a data audit and risk assessment form.

We believe that, once the initial work has been completed, ongoing associated work can be managed or extra hours attributed as and when necessary.

We have also identified relevant IT security measures that will cost very little to implement and we will be providing a Data Protection briefing shortly.

As a result of the ICO advice and the advice on the ICO website regarding Article 29 Working Group advice, LCPAS will continue to support Clerks (and Councils) who wish to undertake the DPO role, unless the ICO change their advice in the future: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/