paulwlton

ICO circumvent own GDPR guidelines?!!!!

Thought I'd challenge the processing of my personal data by a former employer in relation to my banking data, death-in-service beneficiaries and emergency contact details (wife and son's personal data). I left the company in June 2016.

 

The ICO's public guidance is that the aforestated data should be deleted once the employee leaves the company.

 

The ICO has just made a decision that is contrary to the public guidance???

The decision states companies can process the data for seven years. This is bizarre - either the public guidance requires amending or the ICO decision in my case is plainly wrong. What chance has Joe Public got???????

 

Below is the ICO's public guidance.

 

Example

 

An employer should review the personal data it holds about an employee when they leave the organisation’s employment. It will need to retain enough data to enable the organisation to deal with, for example, providing references or pension arrangements. However, it should delete personal data that it is unlikely to need again from its records – such as the employee’s emergency contact details, previous addresses, or death-in-service beneficiary details.


An appeaser is one who feeds a crocodile, hoping it will eat him last.

Winston Churchill


A complaint I submitted. The ICO has decided to make a decision in favour of big business contrary to their public guidance. The ICO are a disgrace.



If you consider it from the employer's side. Let's say in a few years you decide to claim for hearing loss. If they have destroyed all reference to your existence how could they possibly defend a claim without any evidence.

There are issues which I don't think were fully considered prior to the GDPR coming into force which will be coming to light now.


I see. It is difficult to comment without details of what the ICO said in their decision, unfortunately.


> If you consider it from the employer's side. Let's say in a few years you decide to claim for hearing loss. If they have destroyed all reference to your existence how could they possibly defend a claim without any evidence.
>
> There are issues which I don't think were fully considered prior to the GDPR coming into force which will be coming to light now.

 

The ICO state that employers should delete details of death-in-service beneficiaries and third party emergency contact details once the employee leaves the company. My complaint was that after two years the company was continuing to process said data. The ICO has ignored their own public advice and has stated that a company can hold it for seven years.

 

If this is the case then surely the ICO guidance needs amending???

 

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/storage-limitation/



IMO it is only ICO Guidance, without force of Statute, but poss 'Best Practice'.

It says 'should' - suggestion, not 'must' - a command in the English lang. The Co should be able to defend their position.

The Highway Code is only Guidance, but it does list the Primary legislation pertaining to most of the Sections, which you ignore at your peril.

> IMO it is only ICO Guidance, without force of Statute, but poss 'Best Practice'.
>
> It says 'should' - suggestion, not 'must' - a command in the English lang. The Co should be able to defend their position.
>
> The Highway Code is only Guidance, but it does list the Primary legislation pertaining to most of the Sections, which you ignore at your peril.

 

The guidance perhaps needs re-wording to include “should be deleted unless the company retains the data pursuant to the administration of justice”

 

The problem I have with the ICO's decision is that the company has never registered or paid the fee under the GDPR - they rely on exemption "processing only for staff administration"..... so they cannot rely on processing for the "administration of justice"

 

Speaking with the ICO today and will appeal the decision on the above basis.

 

Regards



No, the guidance doesn’t need rewording. The guidance is factually correct and based on the data minimisation principles. It’s the interpretation by the ICO lackey that’s the issue. The employer only needs to keep the SPECIFIC data required for statutory obligations or possible legal procedures such as unfair dismissal etc and 2 years is usually ample except perhaps for personal data relating to pension. However in all cases of retention the GDPR enforces data minimisation. The employer in the OP's case has no reasonable reason for keeping the information above which is being processed. They have no reason for keeping the emergency contact details or the other info for any possible purposes. In my opinion I would not even bother with the ICO. Letter before claim to previous employer giving them 30 days to delete the data or provide the reason why they are not GDPR compliant as regards data minimisation and see you in court.


The ICO continue to investigate my grievance and significant progress has been made. The ICO know the full facts and will decide shortly whether the company has breached both the DPA 1980 and the GDPR.

