I’ve been on a little voyage with the GDPR. Originally I argued that we needed to do a quick “heads up” on the key points for planners. There was (to be honest) a little bit of humming and aahing about whether planning was “special” enough to deserve something sector-specific, but then in the end it was agreed that we were. Just something “quick and dirty”, so off I went.
Thanks to lots of planners who asked me questions, thanks to the ICO and MHCLG, thanks to Umbreen and the ALBPO TS group, and thanks to Cheshire West & Chester we will be making something public in the next week or so that I hope will be a first step towards a practitioners guide. We can then evolve it as questions get addressed and we make joint decisions about how to behave in the grey areas.
For now, though, and in advance of the official, signed-off version I thought I’d give you my own thoughts on all this.
A GDPR ‘heads up’ is not enough because current practice is patchy
It has been a long time since we first had a guide to making things available on-line from PARSOL. Many, many people have since left planning departments, and the people left have often been asked to make it up for themselves. Current practice is inconsistent and in several areas is very obviously wrong. Ask a group of councils how they publicise comments on planning applications and you will see what I mean.
The GDPR is an evolution on the basics of data protection, fraud protection and good practice around handling data for the provision of services. We cannot assume that everything else is OK and only worry about the new provisions because that is not the case in a sizable minority of councils.
Planning is (mostly) low risk, and there is not much here to really freak out about. But we can just make our collective lives easier if we all decide to act in the same way.
The ICO guidance notes are good
I hate reading guidance. I do it only when I really have to. The ICO guide to the GDPR is very well made, and I recommend that you invest the 90 minutes or so it takes to go through it because it provides the overview that you need to see all this in context.
This is particularly important in our case because …
The GDPR in your personal life is nothing to do with GDPR in your professional life
This is the biggest take-away for me in all this. Many of the questions I have been presented with only arise because of a basic conflation of the “consent” issues arising out of facebook, mailing lists and all the rest of it that we are involved in as consumers and the work of planning departments that we do as public servants.
Seriously, go and read that bit in the ICO guide about “public task“. When you are making plans, determining applications for development, adverts and listed buildings, receiving allegations of unauthorised development, checking with consultees about applications, the weekly list – ALL OF IT – you are working on the lawful basis of public task.
I would suggest that if you think you need the basis of consent then you should stop, and wonder why you are doing it.
When you have this straight many of the problems and potential hassle melt away. There are, as you might expect a couple of places where judgement is required. Having got personal details on the basis of public task, you have to remember that the basis cannot change unless you deliberately and knowingly change the basis. So …
- After determining an application can you then ask people “How did we do ?” in a service improvement way? answer – “yes”
- Can you direct market the work of your building control colleagues? Answer – “no”
- Can you advise an applicant that there is often a statutory requirement to have works signed off by an inspector ? Answer – “yes”
- Can you ask applicants for their consent to receive direct marketing and news from you ? Answer – “yes – but isn’t there a neater way of doing this?”
You need to pay attention to the few, not the many
I have spent quite a bit of time with the ICO and they are much nicer people than I thought they would be given how they treated poor old Basildon. They are also very pragmatic – and they can’t afford not to be. There are an eye-watering number of bits of information in the planning system, and if we were buttoned-up about the fact that there are applicants and neighbours and lots of other people involved we would never be able to make it work simply and transparently.
This, again, was an important take-away for me. You need to pay special attention to special category data. If unthinking monopolies treat vulnerable people badly and fail to guard their data properly it makes the ICO people see red. This is where your risk is.
You can manage this risk fairly easily by channeling those applications that may contain special category data (often, for us, applications with supporting statements detailing health conditions) to a sensible person. This person, who will be well-briefed on your privacy notice and just generally be wise, can take a view on whether to make it public or not. This is not rocket science and there are already similar versions of this approach for things like prisons and refuges.
Another important point – this responsibility to protect sensitive data applies retrospectively. I’m not sure how big a deal this is, but it is possible that whole case files have been scanned and just “thrown up” on the web including this sort of statement. Find and fix – this is not needles in haystacks because you know the sort of applications that are the highest risk.
Seriously if you get your management of sensitive data right you will be OK. When people say “What are we doing about GDPR ?” translate this into “Have we got our approach to special category data watertight ?”.
The work is not complete
There remain some grey areas in all this, so I can’t pretend that it has been entirely straightforward or indeed finished.
There are places when the DMPO, transparency regs and the GDPR pull in different directions. Also, and just as importantly, the e-planning culture that we’ve been exposed to for the last decade needs to be tempered slightly – we need to incorporate and ensure that our practise is consistent across all of these things.
In our little working party we have asked the ICO to come to a view about how we should behave when a public decision is made on the basis of sensitive information. It doesn’t feel right that we slap a super-injunction on ourselves and keep it entirely secret. It feels risky to expose the sensitive information – perhaps there is a middle ground where we share the fact that there is sensitive information but not exactly what it is. Who knows – the point is that we need a bit of clarity in this area.
It may also prompt MHCLG to look again at some of the regulations. This work has made me look not just at the DMPO but also advert regs and listed building regs too. Were we to take all of these things, written at quite different times, at face value we would have 4 or 5 different planning registers sharing slightly different things. This way madness lies.
What next for planning and GDPR ?
Managing expectations slightly, we are going to make a short practitioners note in more formal language that sets some of this out, and then we will invite your thoughts, questions and criticism. We will also as part of this try to make some sample documents – if you think you have a good “privacy notice” that you want a second opinion on please send it my way.
Before this, however, I would suggest some changes to the way you think and operate that you can begin right now:
- We have been on an e-planning journey that was all about moving from paper to online. At the beginning of the journey we didn’t need to worry so much about retention and long-term information management. We do now. Data goes stale, and we need a simple way of clearing away things that don’t matter. Making whole case files public in perpetuity is unnecessary.
- Check what you say you do, and work out whether you are organised to do it that way. It’s another thing that makes the nice ICO people cross. If you fail to follow your own rules you are starting a defence on the back foot.
- Special category data. That is the 4th time I’ve said it.