Private channels subject to Freedom of Information

by Nicola Taylor, Data Protection Officer

The pandemic has changed how we work and how we communicate with each other. Notably, the use of private channels of communication has increased enormously which raises the question, where do these channels fit in terms of the current information and data regulations?

In short, any information that exists within private correspondence if relevant to a request for information, is subject to the Freedom of information Act and is considered to be held by the authority.

We recognise the benefits that the use of private channels offers, though we must ensure that information is being handled securely and according to the law.

Without an IT department to hold backups or apply data protection rules, when an FOI request is made it is easy for information in private accounts to be forgotten, overlooked or auto-deleted.  So it is important that we remain vigilant.

It is worth remembering that it is considered a criminal offence to erase, destroy, or conceal information with the intention of preventing disclosure after a request is received.

Example of private channels that could be subject to FOI include:

-Private email accounts
-Apps with a direct message facility e.g. Twitter and Facebook Messenger
-Text messages and voice recordings on mobile phones.

Where possible the use of these channels should be avoided in favour of official council options.  However if they are used for any reason, you should consider recording the use and transferring the communication to the council systems as soon as possible to reduce the chance of the information being lost.

If you need any Information Governance advice, please drop Nicola an email at

Getting the Hang of Data Protection

by Rebecca Elliott, Solicitor

For a long time I have found that very few people really understand the implications and requirements of Data Protection Legislation and simply add it in to agreements because they have to.

This week after some work with our Data Protection Officer, Nicola, it finally clicked into place for me as to exactly why we are insisting on the certain requirements in, what seems like, everything  we do.

And the answer… well its really just common sense so I wanted to share this.

Data Protection in the context of the Data Protection Act 2018 relates to personal data, so anything that identifies a person e.g. name, address, date of birth, address, email address.

When this is collected from someone that person will be aware of the reasons they are providing the information (or at least they should be).  For example, they are signing up for a course and need to provide their email address so that course materials can be sent over or their phone number so that if there is a change of venue this can be communicated.

It is not necessary to go into this level of detail so long as the person providing the data knows that it will be used to facilitate the course they are signing up to.

Further, it might not be appropriate to go through this sort of detail in a phone call or enquiry email so the person (the data subject) can be referred to a Privacy Statement.

Privacy statements are documents that explain exactly how data will be used and how long it will be kept for.  This might include if the information is going to be passed on to third parties.  These are often found on an organisations website as links can easily be provided.

So, carrying on with the example of signing up for a course, the person or the organisation providing the course may not be doing this themselves, they may be using an independent 3rd party expert to present the course.  It may therefore be necessary for participant’s names, email addresses and contact numbers to be passed on.  And this is fine, as long as the data subject was aware of this at the time they gave their details.

The third party will then become either a Data Processor or a Data Controller in their own right of that data.

A Data Processor only uses the data as specifically told.  For example if they are told that they can email out course materials then they can but they should not use the email address for any other purposes e.g. requesting feedback on the course.

If however you do wish to pass the discretion to use the personal data as they see fit then that third party will become a data controller.  They send whatever they see fit to the email addresses without your direct say so.

As a Data Controller the third party must ensure that they abide by the Data Protection Legislation and will be liable in their own right for any data breaches.  Just because they have the discretion to use the data as they see fit, it must still be compliant with the data protection legislation.

However, again, if you are passing on Data to a third party to act as a Data Controller you must have made the data subject aware that you would be doing this when you collect their Data.  This reinforces the need for a comprehensive and robust privacy statement.

So whenever you are going to be collecting and handling people’s personal data always think carefully about why and how you wish to use this data and make sure the correct safeguards are in place.  Data Protection Legislation is not in place to make life difficult nor discourage the use and sharing of data, rather to make sure it is handled in the right way whenever it is used or shared.

If you have any questions about Data Protection do not hesitate to contact our Data Protection Officer on