Assurances made over GDPR claims

editorial image

Concerns have been raised on whether East Renfrewshire Council’s website failed the General Data Protection Regulation (GDPR) compliance tests.

It is claimed that the local authority’s main website and the URL for the leisure centre consultation failed the GDPR compliance tests – six days after the new GDPR law came into force.

Independent councillor David Macdonald was handed the results of two General Data Protection Regulation (GDPR) compliance tests in May and June.

The tests, carried out by an IT expert in Mr Macdonald’s constituency, found that the council had collected sensitive data through online tracking using a web address that was not GDPR compliant.

Cllr David Macdonald said: “On the last day of May 2018 I was contacted by a constituent who is an IT expert who notified me that he ran a GDPR test for online tracking on both East Renfrewshire Council’s main website and also the URL for the leisure centre consultation, getinvolved.eastrenfrewshire.gov.uk and he presented me with evidence of the reports.

“In both reports it showed that the council’s main website and also the URL for the leisure centre failed the GDPR compliance tests.

“My initial reaction was one of shock. Not only was the council in violation of the new law, they were conducting an online consultation that collected sensitive data through online tracking using a URL that was not GDPR compliant.

“At this stage, the entire consultation should have been immediately suspended.

“It is very unfortunate that East renfrewshire Council failed to meet the legal requirement by the GDPR deadline of the 25th of May 2018 given the ample period of time for preparation for such a change.”

The council’s head of ICT and Digital Enablement, Murray Husband, admitted the new data protection rules had been applied on a prioritised basis.

He said: “The council undertook an extensive organisation-wide programme of activity to meet the requirements of GDPR by May 25, 2018.

“Given the breadth and depth of work required to meet GDPR for a complex organisation such as East Renfrewshire Council, priority was rightly placed on those areas of greatest need and highest risk for our staff and customers.

“With regard sto the areas highlighted, which relate to the capture of information through cookies on websites, our interpretation at the time was that the existing approach was sufficient for the initial period and would get further focus following more critical items.”

Under the new GDPR rules councils could face up to £17.4m in fines for the most serious breaches.

Cllr Macdonald now claims that the online public consultation that has been conducted in violation of the law.

He continued: “Members of the public were exposing with relative ease that the council was not compliant and were sharing the evidence on social media pages quite easily on pages pertaining to the Leisure Centre.

“I found it very regrettable that East Renfrewshire Council was in violation of the very law that they were telling all their employees at the same time they had to be compliant with. It was case of do as I say and not do as I do.

“I appreciate that GDPR is complex and my own opinion is that the whole consultation was not well thought out from the outset, although the intentions to bring in enhanced data protection might have been beneficial.”

An East Renfrewshire Council spokesman said: “At the time of the consultation the website used was – and remains – GDPR compliant. This is also the case for the Council’s website.

“The online consultation tool is used by the UK Government and a wide range of government agencies across the UK.

“As the Head the ICT confirmed in the email to Councillor Macdonald of June 6, the Council’s configuration was sufficient to be GDPR compliant.

“The ICO and industry-best practice in relation to GDPR was, and is, evolving and the Head of ICT had always planned follow-up work to keep pace with industry-best practices.

“The consultation results, which attracted one of the highest ever responses, remain valid and, as was agreed at the council meeting, a further paper regarding potential sites for a new leisure centre will be brought before councillors in due course.”