Sipping on a pre-prandial ice-cooled G&T has been a big part of appreciating the unusually pleasant bank-holiday weather this year. But whilst enjoying the great outdoors, the ICE I’ve been thinking about is the GDPR kind. That is, the “In Case of Emergency” information gathered by many employers from their staff. A few of our clients have been asking about it: what are the ‘rules’? How do I justify it? What do I have to tell people?
We’ve all got ICE – we are supposed to put contact details of ‘significant others’ (or at the very least a friend) in our passports and, if so inclined, list an ICE on our mobile phones – the emergency services do look for an entry under ‘ICE’, so it is worth doing, however macabre you may find it.
The latter is a personal database, and thus is not subject to the rules and regulations. But in a work context? Many companies insist on collecting ICE: either for health & safety or disaster recovery planning purposes or even just good staff engagement. But there is no getting away from the fact that one person’s ICE is another person’s Personal Information, and it is being processed by a Data Controller. So as you would expect, GDPR does apply.
At JEM we’ve had a few discussions with the ICO, and been considering this for some time. We believe that you can justify holding a 3rd party (and let’s be honest, stranger’s) PI, if you follow the GDPR rules, namely:
- Identify WHY you have it. It could be for one, two or all three of the reasons above, or indeed any other that is particular to you.
- Minimise what you hold, ensuring it is sufficient for this identified purpose and no more.
- Document the Legitimate Interest Assessment, which we suggest is your legal basis for processing.
- Include it in your data inventory, and by extension your employee privacy notice, just like everything else: This is what we hold, this is why, this is where we got it from, this is how we secure it, this is who we share it with, this is our legal justification, and this is how and when we dispose of it.
Then there are some extra bits that fall slightly outside the norm:
- Insist that the employee tells their ICE that they have shared their data with you.
- Give the employee a copy of / a URL to the internal Privacy Notice, to give to their ICE contact (and get the employee to confirm that they have done so).
- Your retention policy is that ICE is gone within 24 hours of the completion of employment. Unlike tax records or training, H&S and all the other stuff, there is NO necessity to hold ICE once the employee has moved on.
- Ensure your retention procedures deliver on this promise – and don’t forget to include any DR copies that may be floating around.
It is perfectly sensible for you to hold such information – and your general policies and procedures should ensure it is low risk to the rights and freedoms of the ICE themselves. Just make sure they know you’ve got it, and how they can exercise their rights, just as you would for any other data-subject.
Meanwhile, with all this talk of ice I feel the urge to re-visit the fridge…