GDPR & Employee Data

  • 17-05-2018 11:38am
    #1
    Moderators, Science, Health & Environment Moderators Posts: 23,243 Mod ✭✭✭✭


    Just had an interesting phone call. It's been passed on to my company's legal department to deal with, but just wondering about this and not looking for legal advice.

    An ex employee rang up and asked for all his personal data to be removed from our servers.

    This included obvious things such as bank details, phone numbers address etc etc.

    He also asked that references to him, his qualifications (ie work CVs) where his information is contained in reports, emails etc. be removed also.

    Does GDPR cover this? I told him all reports etc are covered by company intellectual property rights and we'd remove the obvious things. Everything else would be referred to legal.

    Any thoughts?


Comments

  • Registered Users, Registered Users 2 Posts: 239 ✭✭Mitzy


    As far as I know it is covered by GDPR & he can request this. The only thing you have to do as an ex employer is keep all revenue records relating to him for the required time period.


  • Moderators, Science, Health & Environment Moderators Posts: 23,243 Mod ✭✭✭✭godtabh


    Interesting. If that's the case we are underprepared.


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 611 ✭✭✭brianwalshcork


    EUGDPR doesn't come into effect until May 25th, so technically no.

    >we'd remove the obvious things.
    Will you be going back through all your backups & removing the data from each copy also?

    >Any thoughts?
    Change your phone number on May 24th?


  • Moderators, Science, Health & Environment Moderators Posts: 23,243 Mod ✭✭✭✭godtabh


    ....... wrote: »
    This post has been deleted.

    I just looked at one project he was working on.

    There are approx. 100 reports and other files with his information in it (mainly name). There are about 50/60 projects of a similar size. Bloody hell!


  • Moderators, Science, Health & Environment Moderators Posts: 23,243 Mod ✭✭✭✭godtabh


    EUGDPR doesn't come into effect until May 25th, so technically no.

    >we'd remove the obvious things.
    Will you be going back through all your backups & removing the data from each copy also?

    >Any thoughts?
    Change your phone number on May 24th?

    How is it enforced/monitored/checked?


  • Closed Accounts Posts: 1,758 ✭✭✭Pelvis


    I'd say most are under prepared. But it begs the question, why do you have the bank details of an ex employee? And how many other ex employees are there?

    It's not just a case of having to remove them IF requested, the point is you shouldn't have them at all if they are no longer needed, you should be proactively removing this data.


  • Registered Users, Registered Users 2 Posts: 239 ✭✭Mitzy


    The scope of GDPR is absolutely huge and some small companies will be wiped out if they fail to comply. I don't think many are fully aware of the implications.
    Better to find this out now OP and get working on it before its implementation.


  • Moderators, Science, Health & Environment Moderators Posts: 23,243 Mod ✭✭✭✭godtabh


    I don't know if we have the bank details etc. but he requested them being removed.


  • Closed Accounts Posts: 1,758 ✭✭✭Pelvis


    godtabh wrote: »
    How is it enforced/monitored/checked?
    The supervisory authority can show up on your doorstep at any time without notice for an audit, afaik.

    You run the risk of a fine of 4% of annual global turnover or €20m, whichever is smaller I think.


  • Registered Users, Registered Users 2 Posts: 1,547 ✭✭✭KildareP


    Article 17
    Right to erasure (‘right to be forgotten’)
    1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or
    her without undue delay and the controller shall have the obligation to erase personal data without undue delay where
    one of the following grounds applies:
    (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise
    processed;

    You can argue that certain information is necessary to be retained - such as his name and qualifications appearing as report author.

    For example, I can't ring my phone company up and tell them "Forget everything you have on me" because they are obliged to retain my communication records for a certain period of time.

    You do need to have a formal policy in place outlining what data is collected, why it is collected, and for how long it is retained, however. It's not enough to just say "Well it's important so we're keeping it".


  • Moderators, Science, Health & Environment Moderators Posts: 23,243 Mod ✭✭✭✭godtabh


    Just reading some more about it.

    In theory he could first ask for a copy of all his personal data.

    Then he could ask for all of it to be deleted. Man the man hours to do an exercise like that.

    Do SMEs have an exemption?


  • Registered Users, Registered Users 2 Posts: 4,396 ✭✭✭whomitconcerns


    The data was gathered with a legitimate business usage in mind. Is that legitimate business requirement still valid? You could also probably argue that by keeping his/her name on docs you are protecting their product from plagiarism.. So still in their interests...

    But still it's probably not that clear, I'm going to pose this to our company mandated gdpr expert, see what he says...


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 28,696 ✭✭✭✭drunkmonkey


    Hold on a minute this can't be right, what's to say he's not preparing a case for the labour court. You've destroyed all data on him, you'll be taken to the cleaners in court.
    You have to be allowed to hold some data to protect yourself.


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    This post has been deleted.


  • Moderators, Science, Health & Environment Moderators Posts: 23,243 Mod ✭✭✭✭godtabh


    His name and unique set of qualifications makes him easily identifiable. I’d say so unique there could only be one of him!

    My line manager reckons he is doing this as he can rather than anything else


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    This post has been deleted.


  • Moderators, Science, Health & Environment Moderators Posts: 23,243 Mod ✭✭✭✭godtabh


    ....... wrote: »
    This post has been deleted.

    It's in the hands of someone else now. I am just speculating.

    Our reports have a three stage check process. The approver is the important person. He is 'just' the writer. It's likely he could argue that the inclusion or not of his name makes no difference to the report and therefore should be removed.


  • Registered Users, Registered Users 2 Posts: 1,934 ✭✭✭mrslancaster


    How long after an employee leaves would information be held?
    I know someone who applied for a pension & he had to get information from all the places he worked in the EU in the 80s. Could be difficult in future if it's all gone.


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 2,655 ✭✭✭draiochtanois


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 2,655 ✭✭✭draiochtanois


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 1,576 ✭✭✭Glass fused light


    As discussed, you need to think of how much data is needed and what it was originally collected for.
    His personnel file:
    That he worked there is a historical fact and the company needs to look at what details he supplied.
    Eg if the bank account records are in the banking system for payroll and expenditures and the HR system for payroll, you have a valid reason to retain these for 7 years as proof of a transaction for a revenue audit.
    However, can they be modified to anonymise: retain the data but remove the ID?

    As for all email communication, this includes his work email.
    As an employer this will be a key reason that non work related communications should be banned off company IT. It's very possible that he wrote to Auntie Jane about Uncle John's delicate medical condition using his company email address and both Jane and John could make a complaint.


    And if you have any paper based data this has to be looked at too.

    godtabh wrote: »
    It's in the hands of someone else now. I am just speculating.

    Our reports have a three stage check process. The approver is the important person. He is 'just' the writer. It's likely he could argue that the inclusion or not of his name makes no difference to the report and therefore should be removed.
    He's not 'just' anything; the three stage process is there for a reason.

    However you need to look at how and where the names and CV details are included in reports going forward. In theory he could request that you contact all the recipients of the reports too.

    If your co. is doing publishing type work as opposed to tenders etc, sending them out to a library or getting an ISBN no. may be something to think about.


  • Registered Users, Registered Users 2 Posts: 1,799 ✭✭✭Diceicle


    My understanding is that any EU Citizen can request any and all information held on them to be removed - I could, for example, request my payroll dept to remove my details and they would have to comply but would be obliged to inform me of the impacts of doing so.

    I would have thought OP would have some ground in arguing retention of the data in terms of continuity of information.


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    This post has been deleted.


  • Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 10,581 Mod ✭✭✭✭Robbo


    Diceicle wrote: »
    My understanding is that any EU Citizen can request any and all information held on them to be removed - I could, for example, request my payroll dept to remove my details and they would have to comply but would be obliged to inform me of the impacts of doing so.

    I would have thought OP would have some ground in arguing retention of the data in terms of continuity of information.
    Your right of erasure is not absolute. This is something that's drifting by a lot of people at present.

    Your payroll department may quite rightly refuse as they have to keep records for the Revenue.


  • Registered Users, Registered Users 2 Posts: 1,576 ✭✭✭Glass fused light


    Diceicle wrote: »
    My understanding is that any EU Citizen can request any and all information held on them to be removed - I could, for example, request my payroll dept to remove my details and they would have to comply but would be obliged to inform me of the impacts of doing so.

    I would have thought OP would have some ground in arguing retention of the data in terms of continuity of information.

    Your HR dept will have to split the data with retention policies. Eg bank details and payslips for less time than P60s, P45s and pension etc.
    The government depts are included in the new legislation so you could try to request but it can be refused.

    To push it out, if you have a communicable illness, sensitive medical data, which falls on a doctor's legal obligation to inform the government, you can't demand the doctor wipe your medical file of the result nor that the legislation is not complied with.

    The information had to be collected properly and used for its original collection purpose, but once the original need to store remains valid and the need remains current the collector can retain the minimum amount of data required.

    The problem will be with data which changes. With the OP, will a CV be covered by a statement of being correct as at x date, or should they keep updating it for a departed employee?


  • Registered Users, Registered Users 2 Posts: 855 ✭✭✭mickoneill31


    You need to look into the legal basis for having his data.

    https://gdpr-info.eu/art-6-gdpr/

    Consent is only one of the legal bases.
    E.g. If he sent work emails or had his name on reports he created, you don't have to delete them just because his name is on them.
    You should have a retention policy too though.
    You don't need to store them forever.


  • Registered Users, Registered Users 2 Posts: 125 ✭✭lobbylad


    Can I ask the Revenue Commissioners to delete all my information?

    No. Because they have a legitimate interest in keeping my information.

    Same holds true for a lot of other cases, for example:

    You do not need someone's permission to pass their contact details to a debt collection agency, as long as the debt is genuine etc.
    A company may have reasons to retain reports emails etc, for their own audit purposes. For example, if you worked on customer support tickets, a company would be entitled to retain the tickets with your details on them so that they can counter any future issues.

    As someone mentioned earlier, the right to be forgotten is not absolute. It can be superseded by the data holder's legitimate interests.


  • Registered Users, Registered Users 2 Posts: 11,790 ✭✭✭✭BattleCorp


    Regarding the ability to request organisations to delete all data containing your personal details, would one have the ability to force a doctor/hospital to delete your medical history?

    The reason I am asking this is because this information is often sought by insurance companies when people are applying for life insurance. Previous medical history can also be sought if it is deemed relevant to a personal injury claim.

    I'm not advocating this but if one decided to lie when filling out the section of an insurance form regarding past medical history, how would the insurance company be able to check if you were telling the truth?

    Same goes with car insurance. People are asked if they have any previous accidents, claims or convictions. If you request the insurance company to delete your details, how would the insurance company be able to check and see if you are telling lies?


  • Registered Users, Registered Users 2 Posts: 1,576 ✭✭✭Glass fused light


    BattleCorp wrote: »
    Regarding the ability to request organisations to delete all data containing your personal details, would one have the ability to force a doctor/hospital to delete your medical history?

    The reason I am asking this is because this information is often sought by insurance companies when people are applying for life insurance. Previous medical history can also be sought if it is deemed relevant to a personal injury claim.

    I'm not advocating this but if one decided to lie when filling out the section of an insurance form regarding past medical history, how would the insurance company be able to check if you were telling the truth?

    Same goes with car insurance. People are asked if they have any previous accidents, claims or convictions. If you request the insurance company to delete your details, how would the insurance company be able to check and see if you are telling lies?

    No. You can request anything to be removed but the data controller has the right to refuse for legitimate reasons.

    Insurance contracts are contracts of utmost good faith ie you lie or accidentally omit information and you invalidate the contract. So the lie is only relevant when you make a claim. It's a bit of 'you must provide evidence of anything you wish to later rely on in court'.

    WRT the medical file with a doctor or a hospital, the file is covered under other legal areas and the files have to be maintained by the service provider under different legislation. We all enjoy confidentiality privilege for medical issues, and have to waive this to allow others access to the data. The only exception I can think of is a legal obligation to disclose if the patient is a threat to public health.

    Even if you are looking for insurance you have to give your permission. The doctor will normally only disclose relevant data, eg they may have an STI history but if none of the conditions were ongoing and had no lasting impact the doctor would not disclose unless specifically asked. If it caused a problem, eg a heart condition, they could disclose the condition without the source.

    If you're engaged with a court case the other side can request specific medical details but not necessarily full medical history, just the bits that would increase or reduce the settlement. This won't change as there is a valid reason for the exchange of data.

    Similarly a settlement is a historic event and the insurance company has a legitimate reason to retain the data. So the insurance policy data could be for the lifetime of any possible claim, which I think is 18 + 2 years for a child claimant? A settlement for the lifetime of the claimants, but the medical data etc may have to be deleted earlier. Some of the data can be pooled under current legislation.


  • Registered Users, Registered Users 2 Posts: 34,216 ✭✭✭✭listermint


    godtabh wrote: »
    His name and unique set of qualifications makes him easily identifiable. I’d say so unique there could only be one of him!

    My line manager reckons he is doing this as he can rather than anything else

    There will be a lot of this, I know one guy that went a bit wild sending requests off to companies he has had dealings with. Mostly because he can, bit diskish tbh.


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 32 ludalyni


    Robbo wrote: »
    Your right of erasure is not absolute. This is something that's drifting by a lot of people at present.

    Your payroll department may quite rightly refuse as they have to keep records for the Revenue.

    This. There is also an obligation under a lot of employment law to keep records for a certain period, e.g. working time records = 3 years from date of creation, Ts&Cs of employment = duration of employment plus one year etc.

    There are a number of grounds on which an employer can process and retain personal data under GDPR. One of them is where it has a legitimate interest to do so. Another is where there is a legal obligation to do so.

    The absolute key thing with GDPR in an employment (and in other) context is transparency. This means it will be essential for employers to have a data privacy notice / policy which sets out what personal data is being processed, the purpose for the processing and the legal basis for processing (or legitimate interest / legal obligation etc). Consent will rarely be possible to rely on in an employment relationship because of the inherent imbalance of power in such a relationship (i.e. it's seen as not being freely given). This notice / policy should be made freely available to everyone whose personal data may be processed.

