Local self-government units cope well with the GDPR
Registers of residents, video surveillance, Public Information Bulletin’s (BIP) resources and websites of offices – those are areas in which local government officials had problems while applying the General Data Protection Regulation (GDPR). Nevertheless, after one year of GDPR application, the balance for local self-government units is positive.
Controllers in local self-government units should invest in educating the staff (including management) in the field of personal data protection and also consider drawing up the codes of conduct - those are the conclusions from the conference summarizing the first year of GDPR application in for local self-government units which took place on 10 June 2019 in Warsaw. The event was organized by the Personal Data Protection Office, Sejm Committee of Local Self-government and Regional Policy Committee and the National Institute of Local Self-government.
Conclusions from the inspections
Monika Krasińska, Head of Private Sector Department summarized the resent inspections carried out in local self-government units. The inspections covered registers of residents, video surveillance, Public Information Bulletin’s resources and websites of offices.
These controls revealed various problems. Many local governments adapted registers of residence to the reformed regulations although some irregularities were found, e.g. in the area of building a register. In addition not all recipients of data are identified, which is reflected in incomplete information clauses or an incomplete record of processing activities.
The Polish SA’s findings regarding the register of residents showed that the act related to disclosing personal data is not always fully documented, for example, in connection with providing a register from the company’s archives. In addition, data processing entrustment agreements are not always concluded when certain systems are operated by external entities.
The video surveillance inspections revealed the lack of data protection impact assessment. Self-government officials also found it difficult to properly fulfill the obligation to provide information, e.g. on the principles of conducting surveillance. This results in an increase in complaints directed to the local government sector in this respect.
Monika Krasińska also drew attention to the changes in the field of video surveillance which took place on 6 February 2019 through which the municipal guards gained the status of a separate data controller. In her opinion, it is necessary to attempt to include municipal guards together with their tasks in the structure of personal data management.
The inspections showed that the data published in the Public Information Bulletin were incorrectly managed. There were no guidelines regarding the period of data storage in BIP Therefore for many years it has been believed that the information provided there once has the right to function permanently which is not in accordance with the provisions on the personal data protection.
Other problems related to BIP, disclosed during the inspections, include transfer of personal data to an excessive extent with the wrong process of data anonymization and the lack of information removal procedures.
It is worth to create codes of conduct
Piotr Drobek, Head of Analysis and Strategy Department encouraged local self-government units to draw up codes of conduct by the organizations in which they are associated. In his opinion, this is one of the ways for local governments to ensure compliance with data protection regulations.
The codes may concern the implementation of many public tasks, e.g. education, social assistance and the use of EU funds. They can also tell how to correctly create information clauses.
As Piotr Drobek said, currently codes are drawn up only by the private sector. However, there are two cases of drawing up the codes in health sector which public units can join.