GDPR and Council Tax

[TressiliansStone]

What personal data is a Council legally entitled to collect, in order to process Council Tax?

I just ask because I'm moving to a new area, and its council seems to be vastly over-collecting personal data (something local councils are notorious for).

For example, they want to know the address I'm moving from in another county, and my relationship to that property and it's occupants.

WTF?

They also want to know the names of all people who will be living at the new address. Not whether I'm a lone adult occupant claiming the 25% discount, which would be fair enough, but the full names of all occupants.

Again, WTF?

I can understand the council might want to know that, if they're trying to create their own little total surveillance state in case it comes in handy later.

But this data has no bearing on the payment of council tax on this property in their county. If they were a non-council entity, they would be in breach of the old DPA for over-collection of data.

So what the actual law on this?

BTW, I know some people are happy to publish their date of birth, mother's maiden name, full address and pictures of themselves naked on Facebook.

That's lovely, I'm happy for you.

But.. I don't do that.

You don’t have to provide it though, they’re asking not threatening you with court action if you don’t comply (presumably?) is up to you. Just send it back with whatever you’re willing to supply

I'm the GDPR rep in my dept and I can’t see any issue with the data they are collecting as long as stored securely.

Your prior address info is in order to tie up with you previous bill/account-so if you owe money you can be traced, and if you don’t the account can be reconciled plus electoral info.
The info on your household at new property is used to capture who is eligible to vote, plus determine who is liable for the bill. eg if 2 adults reside at the address they are jointly liable for the bill if not paid.

GDPR is about what they do with the data they have, BTW

Sorry x posted with above

Presumably they want the names of the people in the new property so they know who is liable for payment

Seems entirely reasonable

Also wanting to know your relationship to the people in the old property - IIRC, a spouse or partner of a liable person is also jointly liable even if not named on an account, so they likely want to know if you are "paid up" on your old account

They are permitted to request whatever data they feel is required for the purpose for which it is collected ie. To create an account which creates bills appropriate to the household, and share this data as required with other agencies (other councils, housing ,dwp etc) as part of its statutory duty. The privacy and gdpr policy should be available online.

I can see how they might try to use the data, if they got it. What I'm interested in is the legalities of doing so.

Eg The info on your household at new property is used to capture who is eligible to vote,

Sure. But, that's not the purpose for which they claim to be collecting the data. They haven't asked me for informed consent to use my data for that other purpose.

Under the DPA, repurposing data was something organisations did wholesale, massively breaching the law with very little comeback or concern. It's going to be a huge culture shock to organisations to discover the size of the fines these days – if the ICO enforces them. I'm interested to know what – if any – exemption a local council has from this.

Similarly, if you owe money you can be traced. There is a box on the form for "moving into the area". So they know I don't owe them money on another property in their area.

It looks more like they are using one legal obligation – paying Council Tax – to build a tracking system that can be used for any purpose and on every member of the population, not just those being investigated for crimes.

Again, I get that some people are completely unbothered by state surveillance or surveillance capitalism (Facebook, etc). But I prefer to keep track of how my data is being collected and what it's being used for.

To create an account which creates bills appropriate to the household,
For Council Tax bills, sure, fine, says so on the tin.

and share this data as required with other agencies (other councils, housing ,dwp etc)
Fuck off unless you have a suitable warrant or high-level signature, pursuant to an actual investigation of an actual crime.

Local councils have an appalling reputation in the data collection industry because, at least historically, they are clueless about proportionality tests. Some of my family work in the industry and have been at conferences where the police have sat rolling their eyes at the speaker from the local council who simply can't understand that, just because she would find it handy to invade residents' privacy, doesn't mean it's proportionate for her to do so.

The police, of course, do actually have to get warrants and signatures and justify their intrusions. They can't kick your door down "just because."

But I haven't been following how this has developed under the GDPR.

Perhaps you should write to the council's DPO with your concerns

This was before gdpr but shows the errors that can be made. I was checking my online banking and saw a £200 payment to Wandsworth council for council tax. My husband pays that bill and I hadn't initiated a direct debit. I checked past statements and found further payments going back months.

I contacted my bank who said there was a direct debit which they blocked. I called Wandsworth council who told me there had been 'simple error'. Someone was setting up their direct debit for council tax over the phone and the council employee had searched the data base and found my bank details which had been stored since I left the borough more than ten years before! They claimed the person had the same name as me and their bank details were one digit different. They refunded me and offered me a goodwill gesture of £50 which I refused until they could prove my details had been removed.
I heard nothing else from them.

Yep, certainly will involve their DPO if they make it an issue when I actually move.

The form wouldn't allow me to progress without submitting some bits of info – but those were reasonable.

It allowed me to submit but warned I had omitted info – of the unreasonable variety.

So I'm waiting to see whether the council will allow me to pay them council tax, or whether it will turn down the money if it can't also have my (by then) out-of-date personal data.

BTW, thanks to those who've taken the trouble to respond. I seem to have gone off on a rant, but I'm grateful for the views. I know a lot of people here have gone through a lot of pain making their organisations GDPR-compliant.

OP I don’t really understand what the issue is. You don’t need to give them any more data than you want to. It’s not a GDPR issue

Well, there might yet be an issue if they insist on having the unnecessary data before accepting my council tax. Will have to wait and see.

And they attempted to collect unnecessary data in the first place. They also tried to get me to give them details of the previous occupant, that person's future address, etc.

Under the DPA, if that were a non-government organisation they would absolutely have been in breach of the requirement for informed consent.

So I was just interested in what the legal situation is when it's a council, and the GDPR.

Just seen this on the guardian. Quite worrying.

www.theguardian.com/society/2018/sep/16/councils-use-377000-peoples-data-in-efforts-to-predict-child-abuse

A Thurrock council memo said earlier this year that all of its referrals to the government’s Troubled Families scheme were now identified by the data analytics system and predictive model provided by Xantura...
The software can be used to generate revenue for the council through the Troubled Families payments-by-results scheme. Xantura’s website advertises how its products can help local authorities “maximise PBR [payment-by-results] payments” from the government as well as reduce child safeguarding costs.

This sort of modelling already has a terrible reputation in the US, where IIRC analysis has shown that systems used for setting remand or bail underestimate future offending by white people and over-estimate future offending by black people.

I mean, you can see why the councils were attracted to the idea. But such systems are really problematic. And that article makes it look like the councils have implemented first and consulted with the ICO later.

OK, I've now waded through a bit of the requirements under GDPR.

There is still a requirement to minimise collection of data.

ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/data-minimisation/

Principle (c): Data minimisation
...
You must ensure the personal data you are processing is:

adequate – sufficient to properly fulfil your stated purpose;
relevant – has a rational link to that purpose; and
limited to what is necessary – you do not hold more than you need for that purpose.

Checklist
☐ We only collect personal data we actually need for our specified purposes.
☐ We have sufficient personal data to properly fulfil those purposes.
☐ We periodically review the data we hold, and delete anything we don’t need.
...
What’s new under the GDPR?

Very little. The data minimisation principle is almost identical to the third principle (adequacy) of the 1998 Act.

The main difference in practice is that you must be prepared to demonstrate you have appropriate data minimisation practices in line with new accountability obligations, and there are links to the new rights of erasure and rectification.

I think you're right, OP.

And am following this thread with interest.

I quite often challenge the amount of data people request, and have been interested to see how much isn't actually needed and which they will readily agree to do without rather than face a formal challenge.

Yep, minimisation of data collection is the front end of GDPR. Middle is not using it for anything that it wasn't originally collected for and safely storing it while it is in use, end is secure disposal as soon as practical. I've been part of my work GDPR efforts for the last year or so.

@theunsure you might want to check your notes if you're the rep and aren't working along those lines!

Most forms will have required fields specifically marked as required TressiliansStone, other fields are optional or sometimes dependent on other answers. I am fairly sure if you look closely you'll see that the items you're correctly dubious about are not marked as required.

As I remember the online form, I only found out if the field was required by getting to the end of each page and hitting Next.

If it let me continue, I presumed the blank field was indeed optional.

However when I got to the end of the form and hit submit, the form gave me a warning that "some essential information was missing" – and directed me back to only two of the half-dozen blank fields. But allowed me to submit anyway without filling them.

It wasn't exactly a model of good practice...

I'm still waiting to see what happens about those two empty fields. NB It's possible there was asterisked explanation I missed, despite looking for it (not unknown for me).

That's awful, and you should write and object to it (if you can be bothered).
At least it did indicate which fields it wanted you to fill - nothing worse than a "please correct the information" error and no clues as to where.