

paulwlton

ICO circumvent own GDPR guidelines?!!!!


Thought I'd challenge the processing of my personal data by a former employer in relation to my banking data, death-in-service beneficiaries and emergency contact details (wife and son's personal data). I left the company in June 2016.

 

The ICO's public guidance is that the aforestated data should be deleted once the employee leaves the company.

 

The ICO has just made a decision that is contrary to the public guidance???

The decision states companies can process the data for seven years. This is bizarre - either the public guidance requires amending or the ICO decision in my case is plainly wrong. What chance has Joe Public got???????

 

Below is the ICO's public guidance.

 

Example

 

An employer should review the personal data it holds about an employee when they leave the organisation’s employment. It will need to retain enough data to enable the organisation to deal with, for example, providing references or pension arrangements. However, it should delete personal data that it is unlikely to need again from its records – such as the employee’s emergency contact details, previous addresses, or death-in-service beneficiary details.


An appeaser is one who feeds a crocodile, hoping it will eat him last.

Winston Churchill


A complaint I submitted. The ICO has decided to make a decision in favour of big business contrary to their public guidance. The ICO are a disgrace.



If you consider it from the employer's side. Let's say in a few years you decide to claim for hearing loss. If they have destroyed all reference to your existence how could they possibly defend a claim without any evidence.

There are issues which I don't think were fully considered prior to the GDPR coming into force which will be coming to light now.


 

The ICO state that employers should delete details of death-in-service beneficiaries and third party emergency contact details once the employee leaves the company. My complaint was that after two years the company was continuing to process said data. The ICO has ignored their own public advice and has stated that a company can hold it for seven years.

 

If this is the case then surely the ICO guidance needs amending???

 

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/storage-limitation/



IMO it is only ICO Guidance, without force of Statute, but poss 'Best Practice'.

It says 'should' - suggestion, not 'must' - a command in the English lang. The Co should be able to defend their position.

The Highway Code is only Guidance, but it does list the Primary legislation pertaining to most of the Sections, which you ignore at your peril.


 

The guidance perhaps needs re-wording to include “should be deleted unless the company retains the data pursuant to the administration of justice”

 

The problem I have with the ICO's decision is that the company has never registered or paid the fee under the GDPR - they rely on exemption "processing only for staff administration"..... so they cannot rely on processing for the "administration of justice"

 

Speaking with the ICO today and will appeal the decision on the above basis.

 

Regards



No, the guidance doesn’t need rewording. The guidance is factually correct and based on the data minimisation principles. It’s the interpretation by the ICO lackey that’s the issue. The employer only needs to keep the SPECIFIC data required for statutory obligations or possible legal procedures such as unfair dismissal etc and 2 years is usually ample except perhaps for personal data relating to pension. However in all cases of retention the GDPR enforces data minimisation. The employer in the OP's case has no reasonable reason for keeping the information above which is being processed. They have no reason for keeping the emergency contact details or the other info for any possible purposes. In my opinion I would not even bother with the ICO. Letter before claim to previous employer giving them 30 days to delete the data or provide the reason why they are not GDPR compliant as regards data minimisation and see you in court.


The ICO continue to investigate my grievance and significant progress has been made. The ICO know the full facts and will decide shortly whether the company has breached both the DPA 1980 and the GDPR.

