Have you received your privacy notice from your employer? Have your children, teenager received theirs from the educational establishment they attend? And what about you the civil servant who work for the Police, the Fire Brigade, the local Hospital or the Council, have you received your privacy notice?
The first principle of GDPR – Article 5 affects us all regardless of who you work for. It makes it clear that your personal data shall be processed lawfully, fairly and in a transparent manner in relation to you the data subject – the employee, the student, the pupil, the ambulance driver, the police officer, the journalist, the FoI Officer for example.
Articles 13 sets out the Information to be provided (to you the data subject) where personal data is collected from you the data subject and; Article 14 give details of what information is to be provided where personal data has not been obtained from you the data subject therefore complying with that principle (and that information should be provided at the time it is collected (if it is collected directly from the data subject)). So your National Insurance number, your tax code, your grades at school,howmany days you have had off work etc
The Information Commissioner’s Office (ICO) spells this out very clearly on their website as it says:
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.
Now we know that your are NOT going to spend your time reading dull boring legislation, so we have done it for you. The ICO’s guide-to-the-general-data-protection-regulation, it is ostensibly predicated on the understanding that privacy notices will be made available to data subjects, effectively as a prerequisite to overall compliance.
So to put this into layman’s terms, all employers, education settings (schools, colleges and universities), local authorities, the Police, Saga PLC, East Kent Hospitals are data controllers and data processors in their own right and, as such, they have a duty to inform employees, pupils, staff and parents how they process the data that is within their control. This they have had to do since the introduction of GDPR on May 25th 2018, by giving you a privacy notice, by law.
So here are some template Privacy Notices you as an employee or your child at school should have received by now as GDPR was introduced over 11 months ago nearly.
With the templates in mind, we know of employers and schools who have NOT issued the required GDPR privacy notices to their pupils/students and employees.
Getting the right to be informed wrong can leave the data controller open to fines (as well as serious reputational damage), one wonders if those schools and employers will self report to the ICO for a fundamental infringement of a fundamental right?
If you haven’t received such a privacy notice ask your HR Department for one asap, if they refuse, then go to the ICO
The Shepwayvox Team
Journalism for the People NOT the Powereful