As ERO, you are a data controller with a statutory duty to process certain personal data to maintain the electoral register. Under data protection legislation you need to be able to demonstrate that you comply with the principles of processing personal data, ensuring that it is processed lawfully, fairly and transparently.
Advice from the ICO is that all data controllers need to ensure that they are registered with the ICO. This means that EROs and ROs must be registered separately to their council.
Under the data protection legislation, a public authority must appoint a data protection officer (DPO) to advise on data protection issues. As ERO or RO, you are not included in the definition of a public authority contained in Schedule 1 to the Freedom of Information Act 2000 and are not required to appoint a DPO for the conduct of your duties. However, your appointing council must have a DPO in place and you should liaise with them over good practice in relation to data protection.
A key element of data protection legislation is the increased focus on accountability and transparency when processing personal data. You must be able to demonstrate that you comply with your obligations under data protection legislation. The key to achieving this is to have and maintain written plans and records to provide an audit trail.
Our resource on data protection legislation details how you can put measures in place to meet the requirement to demonstrate compliance and to ensure that data protection is integral to all you do.
You need to ensure that you are complying with your responsibilities under data protection legislation. In particular, you should ensure that you:
are registered with the ICO as a data controller
have appropriate privacy notices in place
are retaining documents in accordance with your document retention policy
make data protection integral to any contracts where personal data is processed
have a policy document in place to process special categories of personal data
maintain records and plans to demonstrate that you are processing personal data lawfully, fairly and in a transparent manner
in your plans and risk register, highlight the safeguards you have in place to avoid a personal data breach