Later this month, new General Data Protection Regulations replace the 1998 Data Protection Act. This legislation is of EU origin but the government says it will apply despite Brexit. It is being portrayed as a way of putting people (‘data subjects’) in control of their data (any piece of information which could identify them).
All organisations (‘data controllers’) are – or should be – cleansing their databases so that after May 25 they hold details only for those ‘data subjects’ who have consented to them doing so, or for whom they have a legally justifiable reason to hold that information.
The new rules will be enforced by the Information Commissioner, whose department is funded by the fees paid by registered ‘data controllers’, and who is empowered to fine anybody who fails to comply with a law which quite frankly resembles a dog’s dinner.
As everybody is a data subject, the new rules affect us all to varying degrees, whether it is my off-line mother filling in and posting forms to re-subscribe to numerous charities, publishing houses and mail order companies; my data subject son whose ‘data processor’ teachers have been told to hand out classroom test results in sealed envelopes; busy me, clicking on email links to re-subscribe to organisations to which I gave my details in the past. Needless to say, I have not been contacted by any organisation which obtained my details without my consent. It would be extremely naïve to imagine that people who were unscrupulous in the past are going to develop a conscience by May 25 and delete all such data.
As well as being a private data subject, I am clerk to two small parish councils, one with six councillors and fewer than 300 electors, the other with seven councillors and fewer than 400 electors. Further to the many paper briefings I have received concerning GDPR, and a long telephone call to the Information Commissioner’s Office (ICO) helpline in January, I have attended two training sessions. I was relieved to discover that I was certainly not the only clerk to think these new regulations totally inappropriate for small parish councils, not only due to our size, but due to our very structure and raison d’etre.
Only somebody totally disconnected from reality could pretend that regulations for global corporations could be applied just as simply and fairly to parish councils; this was confirmed by the people manning the ICO helpline who had no idea what a parish council is, what it does or whom it serves. Central government, having grown to an obscene size itself, has failed to grasp the microscopic size of parish councils. The ICO seems incapable of grasping the concept of employing just one person for only 2.5 hours per week; incapable of grasping the concept of an organisation so tiny that it does not outsource its data processing.
Parish councillors are the voluntary, unpaid conscientious backbone of this nation and its grassroots democratic institutions, and it is unjust and unfair to tar them with the same brush as self-serving business people; GDPR makes no distinction between those who do good and those who make money.
In addition, the continental habit of top-down proactive regulations is at odds with the British habit of reactive law and so is unsuitable for British institutions. The regulations are based on the assumption that ‘data subjects’ are stupid, that ‘data processors’ are irresponsible and that ‘data controllers’ are wicked, none of which is in accordance with the British presumption of innocence.
I think of myself as a reasonably intelligent person but much of the new regulations are gobbledygook – classic EU-style ‘’let’s-confuse-everyone-so-nobody-knows what-the law-says-any-more’. I am not a betting lady but if I were, I would put my money on not a single other European country spending hours and hours in seminars as we have done, discussing how to obey these regulations.
GDPR sits uncomfortably alongside the concept of transparency. History will no longer be made for future generations to discover, as meeting minutes are depersonalised, contact details for human beings are consigned to the dustbin, data is deleted and individuals hide behind their official personae and their official email addresses. Official records will contain nothing but the trite, the banal and the inoffensive. And if one must first gain consent to contact a data subject, how does one contact a prospective data subject in order to gain that consent?
Besides the extra administrative work, who will pay all these fees? My county council has 98 councillors, each of whom have registered and provided £35 for the ICO kitty. This £3,430 has come out of the council budget and therefore from council tax-payers, who will now be called upon to cough up for parish council registration fees, unless, of course, parish councillors pay up individually. I take it the government is happy that the role of parish councillor will then be open only to those who can afford to pay the fee? That people should be debarred from doing good because they have to make a choice between the next pair of school shoes or a fee to become ‘involved in public life’, as the government is so keen about. Let us at least be honest and stop calling it a registration fee; it is a tax on doing good and a tax on communication, that most basic human activity and a necessity for civilisation.
It is tempting to think that having failed to obtain as much data, and as much money, as it would have liked through voluntary registration, compulsory registration is intended to give the government the legal justification to hold a massively increased amount of data. In fact, the only organisation in the entire country which will legally increase the data it holds after May 25 is the ICO: in other words, the state.
Who regulates the regulator? Let us not deceive ourselves into thinking that the ICO is an independent and infallible body. Please explain to me how a 21st century Western European commissioner with a register differs from a 20th century Eastern European commissar with a register. Registers are for wrong-doers or for people who are controlled – not for law-abiding, free adults who govern their own lives.
GDPR is the most unpalatable, sinister legislation and underhand taxation I have come across in a long time and it should be a ‘John Hampden’ moment for the nation.