Empty Homes Network

Home » Forums » Other Issues » FOI, data protection etc

Working with Community Groups - Identifying Long Term Empties

Submitted by D.C.Millican on 16 February, 2012 - 09:39

Under the Community Grant Programme there seems to be an assumption that LAs will provide information to community groups on long term empties owned by individuals.But, this could breach the Data Protection Act ( Bexley?). If  a Community Group was acting as a LA's agent to do empty property work , could we share information within the DPA?

 

Carson Millican

‹ Freedom of info requests - empty lists Camden FOI decision ›
Forums

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Are they your agents?

Submitted by David Gibbens on 23 February, 2012 - 10:12.

Hi Carson

First, a basic principle.  The DPA defines Data Controllers and Data Processors.  The Council will be the Data Controller in the case you describe.  A Data Processor is a third party organisation that processes the data on behalf of the Data Controller.  This is considered a normal arrangement under the Data Protection Act.  If it were not the case, then organisations like Capita or Liberata would not be able to process Housing Benefit or Council Tax on behalf of Councils.  The Data Controller does not need to get the permission of the Data Subject in order to use a third party Data Processor.  it's worth pausing a moment  to reflect on these points.

When passing information on to a third party Data Processor, there are two key points to bear in mind:

  • the Data Controller is using the Data Processor as an agent: the Data Processor should only be able to do things with the data that the Data Controller themselves could do
  • in order to use a Data Processor, the Data Controller must satisfy themselves that the Data Processor will take the same sorts of precautions that the Data Controller would take and as would be required under the Data Protection Act  to protect the data privacy of the individuals concerned.

So in practice, where a Council wants to work in partnership with a community group they should ensure that:

  • whatever the community group does with the information given to it is the same as what the Council itself could have done with the information
  • the relationship between the two organisations is made explicit in a partnership agreement/Service Level Agreement and in particular the scope of what the third party organisation can do with the information given to it is made clear
  • there are explicit standards about the handling of the data including how long it could be retained by the third party and how they should secure and dispose of it

I don't think the Service Level Agreement needs to be that big a deal, it is just a question of grasping the nettle and producing something.  The other big issues are the source of the information you have got and whether the consent of the individual concerned was obtained or implied or needed in order to act on the data (ie to process it).  But going back to the original point - if the Councilcan do it, then so can its third party Data Processor.

 

David Gibbens (EHN Policy and Support)