Local councils under fire over data accuracy failings

Just weeks after the first High Court action was launched over a company’s failure to keep accurate personal data, local authorities are putting themselves at risk of similar legal threats with only about one in ten (12%) keeping residents’ personal data up to date and accurate.

The Software Bureau, the company behind Clean Contacts, sent out a Freedom of Information request to all UK councils in August, asking how they maintained personal data, particularly pertaining to home movers and people who have passed away.

The legislation, which falls under Article 5 of UK GDPR, Principles Relating to Processing of Personal Data, is a key tenet of the regulation.

In response, 12% of councils admitted they do not keep their data up to date and do not have any processes in place to clean or delete data, while 20% only provided a vague affirmative that they had a process to keep records clean but did not specify what this was or how regularly the data was updated.

Meanwhile, over a quarter of councils (28%) admitted they only updated their information when informed by a constituent that they had moved house or that a family member had passed away.

Some 15% of local authorities requested clarification as to what was meant by “data accuracy” or “consumer data”, despite the question using the explicit wording given in GDPR Article 5.

Some 13% of councils refused the request on the basis that it would be too costly and time consuming to respond, while one council located in the South West of England responded that “we do clean our data if we are aware of individuals who have either passed away or have moved house”.

Another local authority in Wales confirmed that “we do hold the data you are requesting. However, this information is exempt from disclosure under Section 21 of the Freedom of Information Act (FoIA), as it is already reasonably accessible to you”, citing its online retention schedule. The link, however, was inactive.

Finally, one council in the East of England responded: “We rely on information updates from residents in order to keep our data up to date. Whenever we receive information we update databases to that effect. This an ongoing process rather than a regular scheduled update.”

Other interesting responses included one council which believed that it “does not hold any data” and another that has “ongoing procedures in place to ensure that the information it holds is accurate and up to date, in accordance with the Data Protection Act 1998”. (This was superseded by the Data Protection Act 2018, and supplements UK GDPR.)

Clean Contacts head of sales and marketing Ben Warren said: “Data hygiene is a clear part of GDPR and by failing to have specific and regular processes in place to keep data accurate and up-to-date, many councils in the UK are not compliant with the current data protection law.

“The fact that only 12% believe they are compliant shows that more education and work is needed by the public sector. The irony is that is has never been easier, or cheaper to keep data clean.”

The results of the survey follow Government plans to give local authorities increased access to public data during the pandemic; a move the DMA warned could sacrifice data privacy measures and lead to an increase in data breaches.