Parish Council GDPR Compliance: 3 Failures the ICO Keeps Finding
2 April 2026 · Last reviewed 13 March 2026
The ICO engaged with more than 50 town and parish councils to understand how they handle personal data. Three problems came up again and again. If your council has any of these, you are exposed — not theoretically, but in ways the ICO has specifically identified and documented.
Failure 1: Personal email and devices for council business
This is the issue the ICO flags most consistently. Councillors using personal Gmail or Outlook accounts for council correspondence. The clerk storing council data on a personal laptop. Planning consultations forwarded to personal phones.
The problem is not convenience — it is control. As the data controller, the council must ensure that all processing of personal data under its control remains compliant regardless of which device is used. When a councillor handles a resident's complaint via personal email, the council has no visibility of that data, no ability to respond to a subject access request for it, and no way to delete it when the councillor leaves.
What to do:
- Move all council correspondence to email addresses on a council-owned domain (this is also an Assertion 10 requirement)
- If councillors must use personal devices, set clear rules: access council data only via cloud systems, never download to personal storage, notify the clerk immediately if a device is lost or stolen
- When someone leaves their council role, confirm in writing that all council data has been removed from their personal devices
- Use our free IT Policy Generator to create a policy covering device and email use
The ICO published a fact sheet for parish councils on personal device use — worth reading alongside your IT policy.
Failure 2: Keeping data "just in case"
Councils accumulate data over years — planning correspondence, complaint records, old electoral roll copies, employment records for clerks who left a decade ago. The instinct is to keep everything in case it is needed later. The ICO's finding: this is not a valid legal basis for retention.
Under the Data Protection Act 2018, personal data must be kept only for as long as necessary for the purpose it was collected. "Necessary" means there is a genuine, current reason — not a speculative future use.
What to do:
- Create a data retention schedule. For each category of data (planning, finance, HR, complaints, minutes), set a retention period based on the legal requirement or practical need, for example:
  - Minutes and formal records: keep permanently — these are public documents
  - Financial records: 6 years plus the current year (HMRC requirement)
  - Employment records: 6 years after the person leaves
  - Planning consultation responses: retain for the life of the planning application plus 3 years
  - Complaint correspondence: 3 years from resolution (or longer if there is an ongoing legal issue)
- Review annually and delete what has passed its retention period. A change of clerk is the moment data accumulates — the new clerk inherits everything and deletes nothing
Failure 3: Data sharing confusion
Parish councils share data with other organisations regularly — billing authorities, principal authorities, leisure centre operators, allotment associations, burial ground contractors. The ICO found that councils are often unsure whether they have a legal basis to share, and default to either sharing too much or refusing to share at all.
The most common confusion: publishing names in council minutes. Councils are unsure whether naming residents who spoke at public meetings, submitted planning objections, or raised complaints is permitted.
The general principle: if a person has engaged with the council in a public capacity (speaking at a public meeting, submitting a planning objection that is a public document), recording their name in the minutes is normally lawful under the public task basis. But if a person has contacted the council privately (a complaint, a personal request), their name should not appear in public minutes without consent.
What to do:
- Before sharing data with any third party, identify your legal basis (public task, legal obligation, legitimate interest, or consent)
- For minutes: record the name of anyone who spoke at a public meeting or submitted a public representation. Redact names from private correspondence discussed in council
- For contracts with external service providers (ground maintenance, leisure centres, website hosts), include a data processing agreement specifying what data they access and how they handle it
- If unsure, the ICO's guidance for small organisations covers data sharing principles in plain language
Your GDPR compliance basics
Beyond the three failures above, here is what every parish council needs as a minimum:
- Privacy notice on the council website — explaining what personal data the council collects, why, the legal basis, retention periods, and how to exercise data rights (access, erasure, objection). Review it annually. A privacy notice from 2018 that has never been updated is not compliant.
- Information asset register — a simple spreadsheet listing what personal data the council holds, where it is stored, who has access, and the retention period. This is the document you will need if the ICO asks questions.
- Subject access request process — know how to respond when someone asks for a copy of the personal data you hold about them. You have one calendar month. If you cannot locate the data because it is scattered across personal email accounts and laptops, you will miss the deadline.
- Breach response — if personal data is accidentally disclosed, lost, or accessed without authorisation, assess the risk. If there is a risk to individuals, report to the ICO within 72 hours. If you discover that a departing councillor has retained personal data on a personal device, that may constitute a breach.
- ICO fee — most parish councils must pay the annual data protection fee (currently £40 for tier 1 organisations). Check the ICO website for the current fee structure.
Use the free compliance checklist to self-assess your council's data protection compliance alongside every other AGAR requirement.
Sources
- Local Government Lawyer — ICO identifies three key GDPR compliance challenges for town and parish councils
- Data Protection Act 2018
- ICO — Advice for small organisations
This article is for general guidance only and does not constitute legal advice. For specific data protection questions, consult the ICO or a data protection practitioner.