2025 saw a significant number of data incidents involving local authorities. These included alleged unlawful distribution of personal data relating to children, including their home addresses to the unlawful publication of consultation respondents online.
ICO complaints data shows that local government is among the top three sectors receiving the highest numbers of complaints. Given the relatively small number of local authorities compared against the number of possible private sector organisations in the same group, this indicates that local government receive a disproportionately high share of complaints overall.
Within this period, approximately 40% of complaints required informal action to be taken. From our experience, this typically involves unplanned internal resource to triage and investigate the issue, implement immediate risk mitigation, discussions between key stakeholders and ongoing engagement with the ICO. It can also carry direct and indirect cost implications (including external support and remediation work) and reputational impact, particularly where matters attract public or media attention.
Despite this clear drain to public resources (not only from the local body perspective, but from the regulatory oversight perspective), I feel that local government bodies are frequently left without the level of support and guidance needed to meet their data protection obligations. In this article, I hope to help with this by giving you some explorative questions to ask.
Firstly, Why is it Important?
The Information Commissioners has published multiple case studies relating to local government over the years. Most recently, a case study on Westmoreland and Furness Council showed that strengthening FOI and EIR compliance processing internally resulted to a 93.9% compliance rate. The ICO’s intervention was reported to have“improved morale within the IG team, because it increased the focus on their workload, which in turn ensured they were given the right amount of attention and support”.
However, local government needn’t wait for crises or an ICO Practice Recommendation to make such impactful change. We have worked with numerous local government bodies to ensure intervention occurs early. You can ask the hard questions now and make a start on your compliance improvement journey.
Key Areas of Non-compliance
1.Right of access, copies of data and data-sourcing
This is a dominant issue and represents a very high proportion of all local government complaints. This is unsurprising given it is the most widely known data right from a public awareness perspective. Questions to ask here are:
- Are we routinely able to recognise these rights requests?
- Do we have an effective triage and time recording process?
- Do you have a search structure or plan?
- Are you familiar with lawful exemptions?
- Is any element of the process standardised?
2.Lawfulness, fairness and transparency (including consent)
This second most common issue which covers whether a local government can and should use the personal data. It also covers whether a person knows why the organisation can and should use the data. Questions to ask here are:
- Have you documented your lawful bases, and where applicable, conditions for processing data?
- Do your policies reflect your current practices?
- Do you have strict rules around obtaining consent (and using data collected under consent?)
- Do you have rules around how data is re-used?
3.Integrity, confidentiality and processes
- Does everyone know their role, particularly if a breach were to occur?
- Do you know what your legal obligations (and regulatory obligations) are?
- Have you put your processes to the test recently?
- Does your system support confidentiality?
- Do you risk assess?
- Do you learn from experience and action remedials promptly?
If your answer is no to this non-exhaustive list, you may have just highlighted a gap requiring attention.
To address that gap, local government bodies can turn to the Information Commissioner Guidance, National Association of Local Councils, Local Government Association who over general guidance. However, for tailored compliance advice, including interactive training courses, our team are on hand to ensure your current gaps do not result in future complaints or incidents.
For more information on data protection and privacy, please visit our Data Protection team’s INFO Hub here.