Data protection guidance for Electoral Registration Officers and Returning Officers

Accountability and transparency of data controllers

You must be able to demonstrate that you comply with your obligations as a data controller, ensuring that personal data is processed lawfully, fairly and in a transparent manner. To achieve this, you should have and maintain written plans and records to provide an audit trail.

You will have developed registration and election plans, and associated risk registers, that outline your processes and the safeguards that you have in place. You should keep these documents under review to ensure data protection remains integral and that they are compliant with current data protection legislation. 

Your plans and risk registers provide a sound basis for you to meet your obligations as a data processor. However, to show that you are processing personal data lawfully, fairly and in a transparent manner, you are also likely to need to implement further demonstrable processes.

Data protection legislation impacts on your council as a whole, so you should not need to address the requirements in isolation. 

If you have not already done so, you should speak to your council’s data protection or information officer. 

You should also use the ICO’s website, which has detailed guidance to support you in meeting your obligations, including specific guidance on accountability and transparency.

Appointing a data protection officer

A public authority must appoint a data protection officer (DPO) to advise on data protection issues. As ERO or RO, you are not currently included in the definition of a public authority contained in Schedule 1 to the Freedom of Information Act 2000 and are therefore not required to appoint a DPO for the conduct of your duties. However, you can choose to appoint a DPO if you wish. Your appointing council must have a DPO in place and you should liaise with them over good practice in relation to data protection.

Last updated: 22 February 2023