The GDPR came into force on 25th May 2018, but continues to raise tricky questions about what amounts to personal data and when this can be used. In this blog, we look at the GDPR implications for employers on processing next of kin or emergency contact information.
The main issues which arise with this data are:
There must be a lawful basis for processing personal data. In the case of next of kin information, consent would not be the appropriate basis, as the consent would need to be that of the next of kin rather than the employee who provided the details. Obtaining such consent is likely to be time-consuming and administratively burdensome, particularly in organisations with a large number of employees or a high turnover of employees.
A potential lawful basis for processing such data is that it is in the legitimate interests of the data subject for their employer to hold that information, in order that their family can be contacted should they take ill at work, for example. Use for this purpose should not outweigh the rights of the data subject and should be proportionate. For example, it would be more proportionate to hold details of one emergency contact, limited to their name and telephone number, than to hold details of numerous contacts or more information about the next of kin contact than is required.
The further question which arises is whether the next of kin should be informed that their data is held, and how it is stored and processed, in the privacy notice which the GDPR requires to be provided to those whose data is processed.
The Information Commissioner indicates that information about data being processed – if collected from a third party – does not need to be provided if doing so would involve a disproportionate effort. Arguably, this could be relied upon in regard to holding next of kin details as, in many cases, the data held is minimal, held for one very specific purpose and is likely to be protected by virtue of being held on an employee’s personnel file, which will already be subject to data security measures. Writing to the next of kin would potentially require having the next of kin’s postal address or email address: further personal data which is not actually required in the first place for the purposes for which the next of kin details are held.
However, processing of such data is a question of judgement for individual data controllers and regard should be had to the nature of the business, data impact risk assessment and other relevant circumstances. The key is ensuring that data protection principles are complied with and there has been a proper assessment of the processing to be carried out and the personal data held, and that there is proper justification for the processing and holding of the data in question.