Why does West Wratting Parish Council need to worry about data protection?
As part of its work West Wratting Parish Council and particularly its Clerk come into contact with information about individuals. As such the council and individual councilors are subject to data protection legislation. On 25th May 2018 the Data Protection Act (1998) was replaced by a Europe-wide law called the General Data Protection Regulation (GDPR), which includes the Data Protection Act 2018 (DPA 2018). The GDPR sets out requirements for how organizations like Parish Councils need to handle personal data.
All parish councilors and the clerk must abide by the regulations on data protection. If we do then it means that:
- We know what personal data we hold and why we need it.
- We carefully consider and can justify how long we keep personal data.
- We regularly review our information and erase or anonymise personal data when we no longer need it.
- We have appropriate processes in place to comply with individuals’ requests for erasure under ‘the right to be forgotten’.
- We clearly identify any personal data that we need to keep for public interest archiving, scientific or historical research, or statistical purposes.
These matters are considered in West Wratting Parish Council’s IT policy and data retention policy.
Under the GDPR, the Parish Council is both a Data Controller and a Data Processor. As a Data Controller, we must provide Privacy Notices explaining to individuals how their data will be used and what rights they have. These Privacy Notices may be viewed in the document table below.
Data Protection Officer
Section 7(3) of the DPA 2018 says that Parish Councils are not public authorities for the purposes of the GDPR, so WWPC does not need to appoint a Data Protection Officer (DPO). This is reiterated in the Practitioners’ Guide 2025 (see the addendum to section 5.124 on the first page). However, we are still subject to data protection legislation and we must ensure that we have sufficient understanding and resources to discharge our obligations under the GDPR. Consequently our Clerk has been appointed as at our CPO.
Information Commissioner’s Office (ICO)
The Parish Council is registered as a Data Controller with the ICO. Our reference number is Z1387439. Our details can be seen on the public register here and in our registration entry details documents below.
Security under the GDPR
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
The Parish Council carried out an assessment to identify what data is held, how and why it is collected, and how the data is protected. We also carried out a GDPR risk assessment to identify how any risk to the security of personal data is managed. These documents informed our IT policy and the Data Retention Policy, both of which will be reviewed regularly.