Dr. Fred Logue:

The good news is that two answers cover all of the questions. The GDPR has become the new health and safety or insurance. It has become an excuse for not doing things we do not really want to do. There is absolutely no reason a planner cannot discuss a planning file with a public representative, regardless of section 40. It is just a normal thing. Advocate General Bobek has made an observation about using the GDPR to obstruct the protection of personal data rather than for its protection. That is just a symptom of poor compliance, particularly in the case of public bodies. As more disputes arise and as more sanctions are imposed, that should improve.

The second thing is a list of things that can or cannot be done. Under the GDPR, one can do most things but one has to have certain things in place. There has to be a legal basis. That is fundamental to the data protection regime. If one processes personal data, one must either have the consent of the data subject or it must be necessary for some purpose listed in the GDPR. It can be necessary to fulfil a legal obligation. For example, with regard to the enforcement of compliance with litter or waste legislation with CCTV, as long as the legislation in place meets the standards of EU law and the GDPR, this is allowed in principle. What happens, however, is that we do not put such legislation in place or that the legislation which is in place is deficient. Bodies, reacting to public pressure because CCTV is popular, then try to work around the legislation or try to shoehorn provisions into legislation which is not fit for purpose. The problem could easily be solved if we just had proper legislation. The legislation has to ensure a proper legal basis for the action and provide for safeguards against abuse. At the other end, there also has to be good compliance with data subject rights. For example, if I want to know if I have been captured on CCTV, I must be told. Notices must be in place. Employers who are tracking their employees must tell those employees and there must be a legal basis for doing so.

To answer the first three of the Deputy's questions, if we just implement the GDPR in the way it was designed to be implemented, none of those things would be disallowed in principle and we would find out which ones are disallowed through the legislative process.