By Kate Edwards, associate, Birketts

Local government reorganisation (LGR) raises urgent data-protection questions.

It may not be clear who will be legally responsible for residents’ personal information, how to handle Subject Access Requests, what to put in new data-sharing agreements and how to keep everyone compliant while services move from one body to another.

Getting these questions right quickly and getting legal advice early avoids regulatory risk, service disruption and costly complaints or enforcement action.

We want to help you understand your legal obligations and the way that they are impacted as structures change.

Who is the data controller, joint controller and processor?

Who is the data controller, joint controller, or processor depends on who decides the purpose and means of the processing, not simply who holds the files.

• If your organisation decides why and how data is used, you are a controller.
• If two or more organisations decide together, you are joint controllers.
• If you only act on someone else’s instructions, you are a processor.

This distinction matters legally as it centres on different duties with different liabilities.

You should document roles in writing and seek legal advice before transferring or redesigning services.

You should not assume the successor authority automatically “inherits” controller status without paperwork and legal checks.

How does the law work?

Under the UK GDPR and the Data Protection Act 2018, the legal duties differ by role.

The data controller must lawfully justify processing by working to identify the lawful basis.

They must maintain records of processing, respond to data-subject rights, keep data secure, notify personal-data breaches to the Information Commissioner’s Office (ICO) where required and be accountable for compliance.

Joint controllers are when two or more organisations that decide the why and how together.

You must have a public, written agreement that clearly divides responsibilities and you must tell people which organisation to contact about their rights.

Both parties remain directly answerable to data subjects and the ICO.

The processor acts only on the controller’s instructions, must follow contract terms and has direct legal duties too.

Those duties are not optional and it is worth seeking professional legal advice to ensure you stay compliant with your obligations.

What happens at vesting day?

Structural Change Orders (SCOs) set the vesting day and transfer functions, property and records.

In many cases, the successor authority becomes the practical controller for services that transfer, but that outcome depends on how processing is actually carried out during and after transition.

If, during the transition, a shadow authority or combined authority and predecessor councils jointly determine policy or share decision-making about a dataset, the receiving party may be a controller (or you may be joint controllers) even before vesting day.

If a body simply hosts records while another authority sets policy, the host may be a processor.

What are the special categories and sensitive datasets?

Health, social-care, law-enforcement and pension/HR datasets often need specific legal gateways or exemptions and different handling.

Some transfers fall into Part Three (law-enforcement processing) or require statutory gateways.

You should view these datasets as bespoke and be sure to map them first, identify the correct legal basis for reuse and transfer and document the gateway in the DSA and any DPIA.

Be careful not to accidentally lump sensitive datasets into generic arrangements without legal sign-off.

Security, breaches and contractors

Controllers must ensure appropriate technical and organisational measures, including oversight of measures applied by processors.

If a data breach happens during transition, controllers or joint controllers may need to notify the ICO within 72 hours where there is a likelihood of risk to the rights and freedoms of data subjects.

Data subjects may also need to be informed where there is a high risk to their rights and freedoms.

Processor contracts must include timely notification and co-operation obligations.

Why you must take action now

The status of controller, joint controller or processor has real legal implications that need to be managed effectively.

They involve different duties, different liabilities, different timelines for responses and reporting and potential fines or enforcement by the ICO.

LGR brings complexity and political change so seeking expert legal advice is essential for staying compliant.

For help understanding how data protection may be impacted by devolution, be sure to get in touch with our expert team today.

We are hosting a webinar on this topic, the details of which can be found here. If you’re looking for more information or require legal advice, this is a good place to start! 

If you have any questions on the matters raised above, please do contact Kate Edwards or Claire Jones by e-mail Kate-Edwards@birketts.co.uk or Claire-Jones@birketts.co.uk