
[Misc] GDPR Question



Shropshire Seagull

Well-known member
Nov 5, 2004
8,519
Telford
GDPR = has great intentions but so badly misunderstood by many.

At one pole there are those who are sloppy in protecting your data and at the other pole those who are over-protective to the point of it being damaging.

Quick example of the latter - I knew of a cricket club junior coordinator who did not share critical declared health information of one of their junior players with the club's coaches thinking he was following GDPR by not disclosing an individual's personal data. Kid nearly died when the coach was not made aware that the lad carried an EpiPen and one of his mates quickly explained what was needed - shocking case of being over-protective of personal information.

When I explain GDPR to a layman I keep it simple. It must be justifiable why you hold the information [inc. for how long] and it can be shared, but on a need-to-know basis [within the organisation].
 




Braggfan

In the beginning there was nothing, which exploded
May 12, 2014
1,840
I hate to disagree with people but I think GDPR does have a lot to say about this situation. GDPR is about safe storage but an awful lot more besides. Firstly, they must say in a data privacy policy what they'll do with this information. They have to have a good reason to keep it and a policy to remove it when that good reason ends, and the data has to be accurate. The subject of the data also has a right to be "forgotten" and have the data removed. The subject also has the right to ask the company to reveal all the personal data the company holds.

My advice is to ask for the data privacy policy which covers this type of information. You have the right to go to the Information Commissioner if you don't think they need to retain this data, or if it's gone out-of-date (inaccurate data), and exactly what they plan to do with it.

Companies would have to make it clear that they are holding the information for a specific purpose, which in this case would be complying with right to work in the UK legislation. Legal obligations are an exemption under GDPR, so the fact businesses have a statutory obligation to do this means that as long as they have made it clear, you'd be hard pushed to get the ICO to agree that they shouldn't hold it for the duration of your work with them. However if you stopped working for them, or decided not to join them, then they wouldn't be able to hold it and you could request that they delete your information.
 


Lethargic

Well-known member
Oct 11, 2006
3,466
Horsham
GDPR = has great intentions but so badly misunderstood by many.

At one pole there are those who are sloppy in protecting your data and at the other pole those who are over-protective to the point of it being damaging.

Quick example of the latter - I knew of a cricket club junior coordinator who did not share critical declared health information of one of their junior players with the club's coaches thinking he was following GDPR by not disclosing an individual's personal data. Kid nearly died when the coach was not made aware that the lad carried an EpiPen and one of his mates quickly explained what was needed - shocking case of being over-protective of personal information.

When I explain GDPR to a layman I keep it simple. It must be justifiable why you hold the information [inc. for how long] and it can be shared, but on a need-to-know basis [within the organisation].

Agree with this although I think certain industries are happy for it to be complicated and misunderstood (Lawyers and Consultancies). The key thing is do they need your data to perform their business, if this is the case then yes they have a right to hold your data and are then responsible for the security and accuracy (often ignored) of said data but only for as long as it is required.

Just to add to the above they cannot share your data with any other company without your permission.
 


Murray 17

Well-known member
Jul 6, 2003
2,159
Why not just let them copy your ID?
Why would you have a problem with your employer doing that?
Because a friend had his identity stolen. The photocopies of his documents were doctored, re-copied and used to commit fraud. It was very frightening.

 


Murray 17

Well-known member
Jul 6, 2003
2,159
The simple reason is that personal data stored badly can easily lead to it falling into the wrong hands, and identity theft taking place. There have been so many examples of large companies having their data security breached and millions of customer records stolen (including very personal and actionable data).
Exactly.

 






Audax

Boing boing boing...
Aug 3, 2015
2,957
Uckfield
I hate to disagree with people but I think GDPR does have a lot to say about this situation. GDPR is about safe storage but an awful lot more besides. Firstly, they must say in a data privacy policy what they'll do with this information. They have to have a good reason to keep it and a policy to remove it when that good reason ends, and the data has to be accurate. The subject of the data also has a right to be "forgotten" and have the data removed. The subject also has the right to ask the company to reveal all the personal data the company holds.

My advice is to ask for the data privacy policy which covers this type of information. You have the right to go to the Information Commissioner if you don't think they need to retain this data, or if it's gone out-of-date (inaccurate data), and exactly what they plan to do with it.

But in addition to that, the company is obligated to hold certain information for a minimum amount of time where the law requires regardless of GDPR. So in this specific situation, a lot depends on the intersection between GDPR and the relevant employment laws relating to proving right to live and work within the UK.
 

