The mayor may be in breach of GDPR by not providing a transparency notice about his collection of public data.
After this blog revealed that the council have contracted to collect social media information, concerns were raised about whether the mayor is collecting lists of residents who mention him or the Bristol City Council.
The report released to me in the FOI I submitted clearly showed that the data was collected in relation to the following search terms: “Marvin Rees” / “mayor of bristol” / @MarvinJRees / @BrisMayorOffice / “Bristol Council”. The search seems geared to return more information about the mayor than it does about the council.
Twitter handles are revealed in the reports.
So what does he do with the names?
At a recent Cabinet meeting, he seemed to know some residents names, despite them not being there.
“Martin Rands, there’s a familiar name,” he said to those around him. “Joanna Booth, that’s another familiar name.” He was referring to me because I had tabled a question about the Western Harbour at Cabinet on November 5.
According to David Traynier CIPP/E, CIPM, certified GDPR professional who uses the legislation as part of his work, the collection of social media information does fall under the remit of the GDPR/Data Protection Act 2018.
“If the council processes personal data, they’re required to make a privacy notice readily available (i.e. on their website).”
“It makes little difference that the personal data (names, handles etc) is in the public domain, anyone processing that data must still comply with the law to protect the data subjects (the people whose data is collected).
In practice, this means (under GDPR Article 5(1) ) the processing must be lawful, limited to the purposes for which the data is initially collected, use only the minimum of data necessary to the purpose, that the data must be accurate, only kept as long as is needed, and must be kept securely.
When not collecting data directly from data subjects, Article 14 requires that data subjects are informed of the processing but not if ‘the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest.’
They would need to ensure they include details of what they do in a transparency notice that is readily available to the public.
Traynier goes on to say: “I think what they’re doing is lawful, providing they follow the required safeguards. It’s quite common now anyway, so uncontroversial. The key thing – aside from meeting the mundane requirements around security of storage/data retention etc – is that they only use the information for their stated purpose of democratic engagement and nothing else down the line.”
As noted in my original article, all three opposition parties, were surprised by news of the social media analysis and say they have not seen the reports.
If the council do not have a transparency notice about how they use this data then this could be a breach of GDPR.
Note that the local media picked up on the story the following day with no attribution to this blog or the research that revealed the contract and the data gathering.
Bristol City Council have yet to respond to any of my questions.