GDPR and Resident Data FAQ: Local Government Data Protection Questions Answered
GDPR compliance in local government involves complex questions about legal bases for processing, special category data, data sharing with partner organisations, and responding to the ICO. This FAQ addresses the questions councils most frequently ask about resident data protection.
Local authorities are among the highest-reporting sectors for data breaches to the ICO — most failures involve preventable gaps in process and technical controls.
GDPR Basics for Local Government
Local councils are data controllers under UK GDPR — responsible for how they collect, store, use, and share personal data about residents and staff. As public authorities, councils must appoint a Data Protection Officer, maintain processing records, and implement appropriate security measures proportionate to the data they hold.
Frequently Asked Questions
What legal basis do councils use to process resident personal data?
Councils process resident data under multiple legal bases: public task (Article 6(1)(e)) is the most common for service delivery functions — housing, planning, council tax, social care. Legal obligation (Article 6(1)(c)) applies where statute requires the council to process data. Consent (Article 6(1)(a)) is rarely appropriate for core council functions — residents cannot meaningfully withhold consent for processing necessary to deliver statutory services, so it would not be freely given and could not be withdrawn. Where the data is special category data, such as health or social care records, an Article 9 condition is required in addition to the Article 6 basis, and the basis relied on should be recorded in the privacy notice and the record of processing activities.
How should councils handle Subject Access Requests?
Councils must respond to SARs within one calendar month of receipt. The deadline can be extended by up to two further months where a request is complex or the requester has made numerous requests, but the requester must be told of the extension, and why, within the first month. The response must cover the personal data held about the requester across all council systems, including email, case management and shared drives, subject to the exemptions in the Data Protection Act 2018 (for example third-party personal data that cannot be disclosed without consent, and certain social work and legal professional privilege material). Verify the requester's identity before disclosing anything: a SAR answered to the wrong person is itself a reportable breach. Implement a central SAR register with assigned ownership, statutory deadlines calculated from the date of receipt, clear escalation procedures for complex requests, and template responses. Many councils use SAR management software to track and manage requests.
What counts as a personal data breach that must be reported to the ICO?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Not every breach must be reported to the ICO — only those likely to result in a risk to individuals' rights and freedoms — but a reportable breach must be notified within 72 hours of the council becoming aware of it, and every breach, reported or not, must be recorded internally together with the reasoning for the decision. Where the breach is likely to result in a high risk to individuals, the affected people must also be told without undue delay. Councils should err on the side of reporting — the ICO takes a more serious view of late reports than of reports that turn out not to require action.
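The two statutory clocks above, the one-calendar-month SAR deadline (with its optional two-month extension) and the 72-hour breach notification window, are the calculations a SAR register or incident log has to get right, and the calendar-month rule has edge cases that a naive "add 30 days" misses. The following is an added illustration, not code from the page or from Kyanite Blue. It implements the ICO's published method for calendar months (the corresponding date in the next month; the last day of that month if there is no corresponding date; the next working day if that falls on a weekend or public holiday). The public holiday set is a constructed input that a council would replace with its own bank holiday calendar.

```python
"""Statutory deadline helpers for a SAR register and breach log (added example)."""
import calendar
from datetime import date, datetime, timedelta


def add_calendar_months(start: date, months: int) -> date:
    """Return the corresponding date `months` later.

    If the target month is shorter and has no corresponding day
    (31 Jan + 1 month), fall back to the last day of that month.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date, public_holidays=frozenset()) -> date:
    """Roll forward over Saturdays, Sundays and any listed public holidays."""
    while d.weekday() >= 5 or d in public_holidays:
        d += timedelta(days=1)
    return d


def sar_deadline(received: date, extension_months: int = 0,
                 public_holidays=frozenset()) -> date:
    """Response deadline for a SAR received on `received`.

    One calendar month by default; at most two further months may be added
    for complex or numerous requests (the requester must be told within the
    first month). Counting starts on the day of receipt, whether or not it
    is a working day.
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("extension may be at most two further months")
    due = add_calendar_months(received, 1 + extension_months)
    return next_working_day(due, public_holidays)


def breach_report_deadline(became_aware: datetime) -> datetime:
    """Latest time to notify the ICO: 72 hours after the council became aware.

    The clock runs from awareness, not from when the breach occurred, and it
    does not pause for weekends; 'without undue delay' still applies before it.
    """
    return became_aware + timedelta(hours=72)


def sar_is_overdue(received: date, today: date, extension_months: int = 0,
                   public_holidays=frozenset()) -> bool:
    """True once today is past the statutory deadline (for register reporting)."""
    return today > sar_deadline(received, extension_months, public_holidays)


if __name__ == "__main__":
    # Constructed examples; dates chosen to hit the month-end and weekend cases.
    xmas = frozenset({date(2024, 12, 25), date(2024, 12, 26)})
    print(sar_deadline(date(2024, 1, 31)))                       # 2024-02-29
    print(sar_deadline(date(2024, 3, 13)))                       # 2024-04-15 (13th is a Saturday)
    print(sar_deadline(date(2024, 11, 25), public_holidays=xmas))  # 2024-12-27
    print(sar_deadline(date(2024, 1, 31), extension_months=2))   # 2024-04-30
    print(breach_report_deadline(datetime(2024, 6, 3, 9, 30)))   # 2024-06-06 09:30
```

Store the computed deadline on the register entry at intake rather than recalculating it, so that a later change to the holiday calendar or a clerical edit to the receipt date cannot silently move a deadline the requester has already been told.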
Can councils share resident data with the NHS and other public bodies?
Data sharing with the NHS and other public bodies requires a lawful basis, appropriate documentation, and — for regular or large-scale systematic sharing — a Data Sharing Agreement that records what is shared, for what purpose, with whom, how it is secured in transit and at rest, and how long each party keeps it. The council and receiving organisation must each have their own legal basis for the processing; the ICO's Data Sharing Code of Practice sets out what is expected, and a DPIA is normally needed before new systematic sharing begins. Ad-hoc data sharing without a formal agreement, such as spreadsheets of resident details emailed to partner organisations, is a common source of GDPR failures in local government.
How long can councils keep resident personal data?
The retention period for resident data depends on the type of data and the purpose it was collected for, and often runs from a trigger event (case closure, end of tenancy) rather than from the date the record was created. The LGA and IRMS publish retention schedules for common local government record types. Councils should adopt a formal retention schedule and implement processes to delete or anonymise data when retention periods expire, covering backups and archived email as well as live systems — retaining data indefinitely "just in case" breaches the storage limitation principle (Article 5(1)(e)) and enlarges the impact of any breach.
Get GDPR support for your local authority
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.