Planning and the GDPR

I’ve been on a little voyage with the GDPR. Originally I argued that we needed to do a quick “heads up” on the key points for planners. There was (to be honest) a little bit of humming and aahing about whether planning was “special” enough to deserve something sector-specific, but then in the end it was agreed that we were. Just something “quick and dirty”, so off I went.

Thanks to lots of planners who asked me questions, thanks to the ICO and MHCLG, thanks to Umbreen and the ALBPO TS group, and thanks to Cheshire West & Chester we will be making something public in the next week or so that I hope will be a first step towards a practitioner’s guide. We can then evolve it as questions get addressed and we make joint decisions about how to behave in the grey areas.

For now, though, and in advance of the official, signed-off version I thought I’d give you my own thoughts on all this. 

A GDPR ‘heads up’ is not enough because current practice is patchy

It has been a long time since we first had a guide to making things available on-line from PARSOL. Many, many people have since left planning departments, and the people left have often been asked to make it up for themselves. Current practice is inconsistent and in several areas is very obviously wrong. Ask a group of councils how they publicise comments on planning applications and you will see what I mean.

The GDPR is an evolution on the basics of data protection, fraud protection and good practice around handling data for the provision of services. We cannot assume that everything else is OK and only worry about the new provisions because that is not the case in a sizable minority of councils.

Planning is (mostly) low risk, and there is not much here to really freak out about. But we can just make our collective lives easier if we all decide to act in the same way.

The ICO guidance notes are good

I hate reading guidance. I do it only when I really have to. The ICO guide to the GDPR is very well made, and I recommend that you invest the 90 minutes or so it takes to go through it because it provides the overview that you need to see all this in context.

This is particularly important in our case because …

The GDPR in your personal life is nothing to do with GDPR in your professional life

This is the biggest take-away for me in all this. Many of the questions I have been presented with only arise because of a basic conflation of the “consent” issues arising out of Facebook, mailing lists and all the rest of it that we are involved in as consumers and the work of planning departments that we do as public servants.

Seriously, go and read that bit in the ICO guide about “public task”. When you are making plans, determining applications for development, adverts and listed buildings, receiving allegations of unauthorised development, checking with consultees about applications, the weekly list – ALL OF IT – you are working on the lawful basis of public task.

I would suggest that if you think you need the basis of consent then you should stop, and wonder why you are doing it.

When you have this straight many of the problems and potential hassle melt away. There are, as you might expect, a couple of places where judgement is required. Having got personal details on the basis of public task, you have to remember that the basis cannot change unless you deliberately and knowingly change the basis. So …

  • After determining an application can you then ask people “How did we do?” in a service improvement way? Answer – “yes”
  • Can you direct market the work of your building control colleagues? Answer – “no”
  • Can you advise an applicant that there is often a statutory requirement to have works signed off by an inspector? Answer – “yes”
  • Can you ask applicants for their consent to receive direct marketing and news from you? Answer – “yes – but isn’t there a neater way of doing this?”

You need to pay attention to the few, not the many

I have spent quite a bit of time with the ICO and they are much nicer people than I thought they would be given how they treated poor old Basildon. They are also very pragmatic – and they can’t afford not to be. There are an eye-watering number of bits of information in the planning system, and if we were buttoned-up about the fact that there are applicants and neighbours and lots of other people involved we would never be able to make it work simply and transparently.

This, again, was an important take-away for me. You need to pay special attention to special category data. If unthinking monopolies treat vulnerable people badly and fail to guard their data properly it makes the ICO people see red. This is where your risk is.

You can manage this risk fairly easily by channeling those applications that may contain special category data (often, for us, applications with supporting statements detailing health conditions) to a sensible person. This person, who will be well-briefed on your privacy notice and just generally be wise, can take a view on whether to make it public or not. This is not rocket science and there are already similar versions of this approach for things like prisons and refuges.

Another important point – this responsibility to protect sensitive data applies retrospectively. I’m not sure how big a deal this is, but it is possible that whole case files have been scanned and just “thrown up” on the web including this sort of statement. Find and fix – this is not needles in haystacks because you know the sort of applications that are the highest risk.

Seriously, if you get your management of sensitive data right you will be OK. When people say “What are we doing about GDPR?” translate this into “Have we got our approach to special category data watertight?”.

The work is not complete

There remain some grey areas in all this, so I can’t pretend that it has been entirely straightforward or indeed finished.

There are places where the DMPO, transparency regs and the GDPR pull in different directions. Also, and just as importantly, the e-planning culture that we’ve been exposed to for the last decade needs to be tempered slightly – we need to incorporate and ensure that our practice is consistent across all of these things.

In our little working party we have asked the ICO to come to a view about how we should behave when a public decision is made on the basis of sensitive information. It doesn’t feel right that we slap a super-injunction on ourselves and keep it entirely secret. It feels risky to expose the sensitive information – perhaps there is a middle ground where we share the fact that there is sensitive information but not exactly what it is. Who knows – the point is that we need a bit of clarity in this area.

It may also prompt MHCLG to look again at some of the regulations. This work has made me look not just at the DMPO but also advert regs and listed building regs too. Were we to take all of these things, written at quite different times, at face value we would have 4 or 5 different planning registers sharing slightly different things. This way madness lies.

What next for planning and GDPR?

Managing expectations slightly, we are going to make a short practitioner’s note in more formal language that sets some of this out, and then we will invite your thoughts, questions and criticism. We will also as part of this try to make some sample documents – if you think you have a good “privacy notice” that you want a second opinion on please send it my way.

Before this, however, I would suggest some changes to the way you think and operate that you can begin right now:

  • We have been on an e-planning journey that was all about moving from paper to online. At the beginning of the journey we didn’t need to worry so much about retention and long-term information management. We do now. Data goes stale, and we need a simple way of clearing away things that don’t matter. Making whole case files public in perpetuity is unnecessary.
  • Check what you say you do, and work out whether you are organised to do it that way. It’s another thing that makes the nice ICO people cross. If you fail to follow your own rules you are starting a defence on the back foot.
  • Special category data. That is the 4th time I’ve said it.

6 thoughts on “Planning and the GDPR”

  1. Hi

    Is it in order for a member of the public to raise a (rather lengthy) question on this topic or is this forum, perfectly reasonably if so, limited to the PAS team? Or perhaps is there anyone to whom I might email it?

    I have sent it to the central PAS email address in the interim so can do as I really should, which is wait…

    Best wishes, Tom

      • Thank you very much Richard. Well here goes…

        Apologies for the length, I am not good at succinct! Below is an extract from the email exchange I had with my local planning authority over their withdrawal of public comments made on planning applications from public view. I have since been made aware that this is a common (or potentially universal?) stance, so have removed the name of the council as it therefore ceases to be relevant and becomes a matter of general principle as opposed to that of a particular Council.

        My question to the Council was:

        “I noted you no longer display public comments on planning applications and was advised (when I called to point out there was a problem with the website so that the ‘expand’ button to reveal comment text was still there but no longer worked) this is “due to GDPR” and you will only reveal comments on request and after the consultation period. I believe this to be a misinterpretation of GDPR and moreover one which undermines the planning process. In my view it is imperative that public comments are available for all to see as they form an important part of the consultation process. Previously it was made absolutely clear to anyone making a comment that it and their name / address would be made public, thus already dealing with issue of transparency. Surely in the light of GDPR all you needed to do was to offer those making a comment the option of having it hidden? I could not see where or how this fitted into your privacy policy either which seems to contain no comment (or none that I could see) on planning. Apologies if I have missed something there. I disagree with what you have done and look forward to your response. It may be that there is a satisfactory explanation but if not I will then be able to consider how best to challenge it. Many thanks”

        The Council’s response was:

        “I can confirm that the Council use the ‘Public Access’ system which allows the public to post comments on a planning application online. Until recently these have then been available for anyone to view on our website, and there have been no restrictions or controls on what anyone might say. There have been a number of instances where inappropriate or personal information has been included. Unfortunately, with the new GDPR legislation, the Council is liable for any comments posted on its website.

        The advice we have had from the Planning Advisory Service is that, to comply with GDPR, comments should not be posted online unless they have first been vetted by us for any inappropriate or personal information. We have discussed how we might do this but at the moment it is not possible to read every comment the moment it comes in and to redact any personal / inappropriate information.

        The interim procedure we have put in place is that we will provide copies of the reps received to anyone that requires them, and we have developed a script that extracts the information in an emailable form. This is provided at the end of the consultation period, so we have all the comments, and they can be read and checked by the case officer. Inappropriate or personal information will be redacted before they are sent out.

        Removing the comments from public view is not just to protect the personal data of people who submit the comments, but the people they comment about.

        We are keeping this under review and if we can find a way to publish people’s comments without exposing the Council to possible breaches of the GDPR we will do so”

        I had a couple of observations on their text:

        “There have been a number of instances where inappropriate or personal information has been included. Unfortunately, with the new GDPR legislation, the Council is liable for any comments posted on its website”

        I am of course not an expert but this does not match my understanding of the GDPR. I still believe that sufficiently clear notice to anyone making a comment that their comments / address / name etc will be published would be enough for compliance. Or for certainty there could even be a default “only your name and the date of your comment will be published. If you wish your comment to be published in full click here” or something like that, so there is nothing beyond name and date published unless you ‘opt in’ to allowing it, which seems to be at the heart of GDPR. What if you WANT your comment published? The option is not even there. This is in fact how the matter came to my attention as a friend commented on an application intending that his comment would be read by the local Parish Council and other parties as he had a very particular point to make, but it remained hidden, giving only his name and date of submission, thus rendering it pointless.

        Then there is the comment:

        “The advice we have had from the Planning Advisory Service is that, to comply with GDPR, comments should not be posted online unless they have first been vetted by us for any inappropriate or personal information. We have discussed how we might do this but at the moment it is not possible to read every comment the moment it comes in and to redact any personal / inappropriate information”

        I would have thought if this is what the Council have been told they have an obligation to resource it and comply, not duck it by suggesting as it is difficult so they won’t do it at all? Would it not be a duty to publish the comments in a GDPR compliant way, even if it means a delay in the publishing, not just fail to publish them at all, and in so doing undermine an important part of the planning process?

        Given that the Council pointed their stance squarely at the Planning Advisory Service I have sent the exchange to the PAS central email address to check their interpretation of the PAS advice, but saw your blog and wondered if it might be a useful supplementary place to float it.

        One final point. Surprise was expressed to me by the friend who observed this is a widespread / universal stance among Planning Authorities, that it has not already been challenged, particularly as it seems to apply, at least now, to Consultees such as Parish Councils, to whom comments are equally invisible. This seems particularly odd given that they are supposed to be mindful of the views of their Parishioners. How can they be if these comments are hidden?

        Very interested to hear your view(s) and won’t be offended to be put back in my box if I have this very wrong.

        Best wishes, Tom

      • This is an excellent question, and one that I have reproduced elsewhere [there is a “KHub” on the GDPR with restricted membership] to see if I can attract some other views.

        I’ll try to pick out and respond to some of the key points here:

        You don’t have this very wrong, so I’m not going to put you back in your box. The issues that you have brought out are real and relevant but, importantly, the implications of the GDPR are still being thought through and it is becoming clear that some of the general principles of “open democratic planning in the public interest” pull in slightly different directions to the GDPR. There are several areas where the fit between the two sets of regulations is quite jarring.

        Anyway.

        The key issue here that you don’t mention but lies behind the behaviour of the LPA is special category data. The reason that the LPA doesn’t want to automatically publish the content of representations is that they are liable if they contain SCD. [For example “My autistic child will be harmed by .. My infirm mother will be harmed by … Those people next door are not really religious .. etc etc”] Your point about people opting in and volunteering to have the content published does not mean that the LPA is exempt or can claim that the representor (rather than the LPA) is the one who broke data protection law.

        [as an aside, your ideas for managing representations are a pretty good match for the approach we tried out with various stakeholders / system providers until the ICO told us that asking members of the public to identify or declare whether or not something was SCD would not wash with them and the liability remains with the LPA]

        So, given that there is a potentially large liability for a low risk event what should councils do ?

        In the short term councils are responding in different ways, and we are all learning a bit as we go along. Our guidance will be clear, though, that councils cannot allow unchecked comments to go public on the internet. If councils are unable to resource this function then so be it. This is a new “ask” and there is no extra money so I won’t criticise councils who judge that shifting people from a task they are already doing to review comments is not best for them. After all, this is not a statutory duty or requirement – just custom & practice.

        I’m sure in a few years’ time we will have AI capable of reviewing all content on a site and flagging up content that might be problematic.

        I don’t think anyone is overjoyed by any of this. It all feels a bit retrograde and contra to the spirit of democratic planning. The GDPR was designed to curtail the likes of Facebook and Google so doesn’t contain much to match with how planning works.

        This is just my 0.02. I will share any other comments from the KHub.

  2. Richard, thank you very much for your response and for taking the time to do so. I look forward with great interest to seeing any further responses and views whether from this thread or via the KHub forum I note you kindly posted on too. Very much appreciated.

  3. Hi Richard
    Can I assume that there was no further comment on this from KHub?
    Not a problem if so, I very much appreciate you taking the time to respond as you did earlier.
    Best wishes, Tom
