
Governance and Policies

GDPR

A parish council's primary obligation under UK GDPR is to act as a Data Controller, meaning it is legally responsible for any personal data it collects, stores, or processes. This includes information about residents, staff, and councillors, such as names, email addresses, and phone numbers.

Core Legal Obligations

  • Register with the ICO: Councils must register as a data controller with the Information Commissioner’s Office (ICO) and pay the annual data protection fee.
  • Identify Lawful Basis: Under the UK GDPR, the council must identify and document the lawful bases before it can process personal data.
  • Appoint Responsibilities: While the Data Protection Act 2018 clarified that parish councils are not technically required to appoint a formal Data Protection Officer (DPO), they must still ensure they have sufficient resources to manage compliance.
  • Maintain Privacy Notices: Councils must publish a clear, accessible privacy notice on their website explaining what data is collected and why.

Documents
