The Information Commissioner's Office has issued a strong warning to local councils after finding that a number were potentially breaching a key clause of the Data Protection Act.
Councillors who handle citizens' personal data need to take the DPA "seriously", ICO said, and check if they need to register as data controllers.
ICO found that while 6,000 councillors had registered, around 13,000 have not when it may have been necessary.
Failure to register is a criminal offence, ICO said. Those who had not signed up were risking a £5,000 fine in a magistrates court, or an unlimited fine in a crown court.
The rules around registration are that councillors acting as resident representatives, as well as those not affiliated to political parties, need to register. Those acting as representatives of the major parties do not need to register, unless they do resident representative work.
"Most councillors have regular access to the personal information of the residents they represent. Like all organisations who handle people's information, it is of paramount importance that they take their responsibilities under the Data Protection Act seriously," said Simon Entwisle, director of operations at ICO.
"We will be writing to councillors with advice on whether they need to notify with the ICO. Those who fail to notify with us when required may face enforcement action."