Hi Derek
In response to the query, Does it make any difference if an elected member carries out this work via a private email account (i.e. gmail.com) as opposed to using their council (@-------.gov.uk) provided one? I would say yes, due to a number or factors
1. The data subjects need to be aware of any recipients of their personal data – in this scenario Gmail would be a 3rd party processor and recipient of that personal data, this would most likely need to be reflected in a privacy notice. The controller would also need to be satisfied of the measures (organisational, technical, etc) with whatever solution they use.
2. The data subjects need to be aware of the transfer personal data to a third country or international organisation – many private email providers will not necessarily be located within the EU, and as such a privacy notice would need to state this.
3. Retention – the data subject needs to be aware of how long their information will be stored – it's possible this could be affected using personal email.
I’d probably suggest, however (in the event of such a scenario) that, rather than having two privacy notices, an elected member sticks with one and just details the fact that they may also process information through a private email account. Realistically though, I’d advise that this route be avoided in general as, it opens up potential risks and, even if they’re data controller’s in their own right, there’s still a risk of reputational damage to the body they’re associated with.
In addition, as suggested in the original query, ‘ organisational’ business related emails would be subject FOI/EIR even if sent through a private account and *all* communications concerning private individuals’ personal data would be subject to the various information rights under the GDPR (SAR etc).
We are about to roll out online IG training for our Elected Members which covers a range of IG scenarios which a councillor may face and need to be aware of under their different roles (constituency role, council role and political member role), a generic version (non-Leeds specific version) of this training will be available mid-December, do let me know if this would be of interest.
Thanks
Sandip Ghattaure
Information Governance Officer
Information Management and Governance
Digital and Information Service
Leeds City Council
t: 0113 3784575
e: [log in to unmask]
https://www.leeds.gov.uk/opendata/ig-solutions
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Derek O'Connor
Sent: 23 November 2018 11:14
To: [log in to unmask]
Subject: [data-protection] Elected Members Private Email Accounts
When/if an elected member acts on behalf of themselves in their ward they assume the role of data controller for the processing of constituent personal data, even though they may utilise council resources (i.e. laptop, ipad etc) when doing so.
Does it make any difference if an elected member carries out this work via a private email account (i.e. gmail.com) as opposed to using their council (@-------.gov.uk) provided one? I am trying to determine whether or not they need a separate privacy notice in addition to the generic council one I have written on their behalf, or whether they can rely on the same one because the purpose/s of the processing remains the same?
Although I know this was FOI related, but I am thinking back to the Michael Gove/Mrs Blurt scenario when it was decreed that it wasn't the platform used, but more the content/purpose that dictated?
Would welcome all views.
Regards
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
________________________________________________________________________
The information in this email (and any attachment) may be for the
intended recipient only. If you know you are not the intended recipient,
please do not use or disclose the information in any way and please
delete this email (and any attachment) from your system.
The Council does not accept service of legal documents by e-mail.
________________________________________________________________________
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|