Over the last few months (and since attending my local Parish Council meetings) it has become apparent that some of our Parish and Town Councils are disregarding the requirements of UK GDPR.
Though this is a generalisation and some councils are probably better than others, some parish councils and town councils that do not have a dedicated IT function could simply be ignorant of what is required. Even those that know what they should be doing are unlikely to have the knowledge of how to do it or the resource to action it.
I have come to this conclusion because several of my local Parish and Town councils seem to be laissez-faire with how they handle email mailboxes. They look to be very much ‘hands off’. The Clerks seem to have set up an email account on their own and councillors seem to have done the same. There is no ill will in this approach but the lack of oversight and centralised management of these mailboxes means any personal data that route through them is at risk and is probably not being stored or handled in accordance with UK GDPR.
While councils have a legal and moral obligation to ‘do things properly’, some of them probably haven’t even thought about it.
What’s the problem?
Off the top of my head, here are some of the issues that need addressing:
1 – Many Councils might register a domain name such as villagenamepc.org.uk or thisisaverylongnameforawebsiteparishcouncil.co.uk. There are a few problems with this. First – who has control of that domain name? If the person that registered that domain name is for some reason no longer available to help (disasters happen) there may be problems regaining control. Second – will the person that registered the domain have the skills and experience to set up and manage email mailboxes using that domain name? This is doubtful. What if the Clerk ceases to be a Clerk and does not bother to pay for renewing the domain name and the new Clerk doesn’t know how to take it over? What if the Clerk takes it upon themselves to set up mailboxes and has access to Councillors mailboxes without their knowledge? These are disasters waiting to happen.
2 – There is literally nothing to stop anybody setting up a new email address and even a new domain name and pretending they are a Councillor. I could go and register any domain name ending …parishcouncil.org.uk – put clerk@ or councillorsmith@ in front of it and set up a web site – I can pretend to be running the local Council!
3 – Even where Councillors do set up an email address using a platform such as Google Mail or Microsoft Outlook there are problems. Councillor Fred Smith might be very well meaning when he sets up a new email account cllrfredsmith@gooooglemail.com or whatever – but will he set up a strong password? Will he let his teenage grandchildren use his computer to play games when they inadvertently open private emails from parishioners bemoaning the dog mess on the playing field or complaining about speeding in the village? What will happen to the personal data in that mailbox when Fred is no longer a Councillor? Is this approach UK GDPR complaint? You bet it isn’t.
These issues don’t even address the threat that spam and virus can present to council staff or citizens, lets ignore them for now. Lets also ignore the difficulties the Clerk would have if he or she was faced with a data access request from a citizen. There are dozens of reasons why local councils might need a reality check. The legislation might be a pain in the backside but it is there to be adhered to and so it ‘s time for councils to step up and do IT properly.
Can Parish Councillors refuse to use a .gov.uk email address?
A Parish Councillor probably can refuse to correspond by means of a dedicated .gov.uk email address provided by the council… however it is equally reasonable for a Parish Council to vote on and implement an IT policy in which it states council business should (in the interests of best practice) be conducted using a dedicated .gov.uk email address provided by the Parish Council. A stalemate like this is unlikely to last; a reluctant Councillor that does not want to adhere to best practice and who does not receive council is likely to be embarrassed into doing the right thing eventually. There are certainly no valid technical reasons for refusing to use an address that cannot be overcome.
What to do about it?
It is quite likely that larger town councils have addressed this issue. They are likely to have registered domains ending in .gov.uk (which are restricted and issued by a team in the Cabinet Office) and are also likely to have specialist IT support that can help manage mailboxes, but smaller councils with limited time, knowledge and budgets need a relevant package of services supported by people that know what they are doing. For these reasons, we have now decided to directly offer a package of services to local councils:
For a fixed monthly fee our baseline package will include:
- Guidance in registering a domain name ending in .gov.uk
- A web site hosting package so the council has a web site ending in that same .gov.uk domain name.
- An email hosting platform where all email addresses carry the same .gov.uk domain name.
- Professional oversight in setting up the mailboxes in a secure way.
- Correct provisioning and decommissioning of mailboxes as clerks and council members come and go.
- Sample policies that encourage best practice for computer security on systems used by the Clerk and Councillors.
Optional extras will include:
- Web site design and support services where Clerks are unable to do this themselves.
- Ongoing IT support and maintenance services where appropriate.
- Centralised hosting for council data or oversight on backup services.
Who should deliver the service?
If we agree that councils have an obligation to support their local economy then one of the worst things that councils can do is place their business for these services directly with large US corporations. Supporting UK based businesses is good for society and good for the community. Even without this moral imperative if you place your data online without understanding where it is stored, backed up or managed then you could be contravening UK GDPR without realising it.
Where does IT Norwich Ltd fit?
We already support some local government and Parish and Town Councils in Norfolk loosely fit into our ‘non-profit’ category and so could qualify for our Community Technology Programme. With over 25 years experience delivering domain names, web hosting, email hosting and management services, we’re very well placed to help.
The Evidence
It’s not hard to find your local parish council web site. Take a look at it. Does the domain end in .gov.uk? Do all of the email addresses for the Clerk and Councillors also end in .gov.uk? This is a rough yardstick as to how a councils data is managed.
- In North Norfolk we have identified that out of 87 Parish and Town Councils, there are only five where the Clerk has an email address ending in .gov.uk – or about 5.7%
- In Broadland we have identified that out of 63 Parish and Town Councils, there are only five where the Clerk has an email address ending in .gov.uk – or about 7.9%
There is a lot of work to do – but if your council needs our help please start the ball rolling by calling us on 01603 554000.