Thread: When does personal information become your employer's to use?

  1. #1
    RIP Peterb ik9000's Avatar

    So, work wants to put all our photos and CV summaries on its website, i.e. for all staff not just senior management (which I'm not). I don't want my details sharing for the same reason I don't have a public Facebook profile or social media accounts. Are there any grounds for saying no without looking like a complete problem case? Does anyone know of any precedents I can refer to? With GDPR can they make me/overrule and do it anyway?

    It would be a non-work-specific CV as in extending to hobbies, interests and things presumably intended to endear us to visitors to our website, not just direct work related project experience etc.

    I am not happy with this and do not want l'internet to be able to google me and find out things I do in my personal time - nor to have my photo shared in an uncontrolled manner. FFS what relevance is it if I do (made-up but for the sake of argument) flower arranging and collect milk bottle tops in my spare time? Clients are employing me to design them a project not inviting me round for dinner parties.

    They've given me a form they expect me to fill out. Do I refuse? Or should I caveat it heavily so at least they can't say I was obstructive? I've dodged the last two requests due to it getting buried in more urgent stuff more than anything but the partners here are pretty clear they expect me to return it. What do I do?

  2. #2
    PC-LAD

    Unless you agreed on paper you just say no. https://www.gov.uk/personal-data-my-...-keep-about-me

  3. #3
    Missed by us all - RIP old boy spacein_vader's Avatar

    This largely breaks down into 2 types of information: Things they need your consent to publish and things they don't.

    Things they don't need your consent to publish:

    Your name, your job role, your work email address, your work phone/mobile number, any qualifications you have acquired through them (or ones that you acquired elsewhere but are a legal requirement to fulfil the role you do), and any projects or clients you are currently or have ever worked for them on/with, including samples of that work if owned by the firm.

    The work contact details aren't yours, they belong to the company. As a result they are the company's data and therefore don't fall under the Data Protection Act (DPA). Unless you have a very unusual contract it likely states that your work/training produced while working for them remain their property rather than yours, so anything in there that could be seen as personal data would be permissible under the Contract lawful basis. Any qualifications that are a legal requirement for you to hold for a given position would either be covered under contract or Legal Obligation. You could try to argue that your name could be excluded but if your email is Joe.Blogg@company.com it's rather moot and they'd almost certainly win if they argued Legitimate Interest as well.

    Things they do need your consent for:

    Everything else.

    They have no right to use a photo for anything other than ID cards or similar (that use would be covered under Contract and possibly also Legal Obligation as they have a legal requirement to keep your workplace safe under the Health & Safety at Work Act,) and no right to any of the rest at all except with your consent.

    Your options.

    1. Fill out any parts of the form that they do have the right to use (email address etc, assuming that's in the form,) but nothing else.
    2. Send an email to whoever is asking for the form (CC'ing in your company's Data Protection Officer or similar if they have one), stating that you deny consent to have the details they have requested published and so will not be filling in the form unless they can provide you with a justification for using the data under one of the other 5 permissible Lawful Bases (which they almost certainly won't be able to do.)
    3. If the Org does have a DPO or similar ask to see them first before any of the above.

    If you'd like some help drafting an email for option 2 I can provide the relevant legal citations and language; either reply here or PM me.


    SOURCE: I'm a Data Protection Officer for an organisation of circa 600 people. Of course, you do only have my word for that so it's up to you.

  5. #4
    RIP Peterb ik9000's Avatar

    Not clear how far that protection goes though. Eg can they list my name on the website without my consent? The way they're trying to set up the website suggests it would be difficult to prevent this through project summaries naming the staff who worked on them.

    Edit - was writing that while SI did their post. Thanks that is v useful. I may well get in touch.

  6. #5
    Missed by us all - RIP old boy spacein_vader's Avatar

    Quote Originally Posted by ik9000 View Post
    Not clear how far that protection goes though. Eg can they list my name on the website without my consent? The way they're trying to set up the website suggests it would be difficult to prevent this through project summaries naming the staff who worked on them.

    Edit - was writing that while SI did their post. Thanks that is v useful. I may well get in touch.
    No problem. If you do get in touch you can keep things vague but I am working on the assumptions that:

    1. You work for a private company rather than a public body or charity.
    2. You are an employee not a contractor/self employed.
    3. You're based in the UK.

    If any of those assumptions are wrong you'd need to let me know. It'd be handy to know if your organisation does have a Data Protection Officer too, but it's not the end of the world if you don't know.

  7. #6
    RIP Peterb ik9000's Avatar

    Quote Originally Posted by spacein_vader View Post
    No problem. If you do get in touch you can keep things vague but I am working on the assumptions that:

    1. You work for a private company rather than a public body or charity.
    2. You are an employee not a contractor/self employed.
    3. You're based in the UK.

    If any of those assumptions are wrong you'd need to let me know. It'd be handy to know if your organisation does have a Data Protection Officer too, but it's not the end of the world if you don't know.
    no DPO, yes to the 3 assumptions above.

  8. #7
    Senior Member

    Quote Originally Posted by ik9000 View Post
    no DPO, yes to the 3 assumptions above.
    I'll defer to the expert (S-I) on the DP bits, but that suggests that this website is some manager's personal pet wheeze, and they just don't know they may be acting illegally.

    Oh, and if they tried that with me, I'd throw a right shi .... erm, wobbly.

  9. #8
    Missed by us all - RIP old boy spacein_vader's Avatar

    Quote Originally Posted by Saracen999 View Post
    I'll defer to the expert (S-I) on the DP bits, but that suggests that this website is some manager's personal pet wheeze, and they just don't know they may be acting illegally.

    Oh, and if they tried that with me, I'd throw a right shi .... erm, wobbly.
    That's a good point, a formal email quoting extracts from laws is a bit heavy for raising the issue for the first time. I'd make sure you've tried an informal chat/email first just in case it dawns on them they shouldn't do it. I'll PM you with something more formal assuming the above fails.

  10. #9
    Headless Chicken Terbinator's Avatar

    I suppose they could just use a 'coming soon' placeholder for the website photo indefinitely?

  11. #10
    The late but legendary peterb - Onward and Upward peterb's Avatar

    Quick thanks from me to S-I for picking this up. I never cease to be surprised at the range of talent on the boards. HEXUS at its best!

  12. #11
    Senior Member

    Quote Originally Posted by spacein_vader View Post
    That's a good point, a formal email quoting extracts from laws is a bit heavy for raising the issue for the first time. I'd make sure you've tried an informal chat/email first just in case it dawns on them they shouldn't do it. I'll PM you with something more formal assuming the above fails.
    I'd entirely agree about not being heavy-handed .... initially. It is rarely a constructive career move to be seen as obstructive. So yes, absolutely agree that 'raising the question' of dubious legality is a ... polite ... way to fire a warning shot. And if it causes a rethink, then job done.

    But if they persist, then a decision needs to be taken about how far to push any resistance, bearing in mind potential adverse career impact.

    And on that, personally, I would draw a very firm line, but then, I'm financially independent enough (i.e. rent/mortgage free) and of an age (i.e. semi-retired and able to fully quit, on a whim) to face very little effective adverse reaction. On top of that, I've been self-employed for several decades so falling out with one "employer" holds little fear, and personal privacy is a serious priority for me.

    TL : DR version = I'd quit rather than put up with that, but I'm in a position where I can. I don't need to worry about career or feeding the kids.

    P.S. A family member put my wedding photos on his website about 20 years ago. I asked for them to be removed (and they were) as I didn't want them on the web. So I get the feeling about an employer doing it.

  13. #12
    Missed by us all - RIP old boy spacein_vader's Avatar

    Always happy to help where I can

    If IK9000 finds it useful and is happy for me to, I'll share the wording in the thread if it might help others in future.

    Definitely worth the low key approach first. I'd go in with something like "I understand the idea but I'm worried the company is leaving itself open to a breach of the Data Protection Act and GDPR. It'll be pretty admin heavy keeping consent records and generating a privacy statement for everything/everyone on the site too. Is there any way we could have a similar effect without all that overhead?"

  17. #14
    Senior Member

    Personally I would invoke Article 8 of ECHR which should cover privacy at work. The DPA & GDPR are really just generic laws for data held on computers.

    https://www.citizensadvice.org.uk/la...d-family-life/

  18. #15
    Senior Member

    Quote Originally Posted by Top_gun View Post
    Personally I would invoke Article 8 of ECHR which should cover privacy at work. The DPA & GDPR are really just generic laws for data held on computers.

    https://www.citizensadvice.org.uk/la...d-family-life/
    Ummm, no. Unless I badly misremember, the HRA refers to protection from the state, i.e. national government, police, local authorities, other state bodies, and only from the state. But not private companies, other private bodies or individuals. Spacein_vader already covered that with his 'assumption check' which ik9000 confirmed.

    Or am I misremembering?

  19. #16
    Senior Member

    Seems I'm not misremembering. Sort-of.

    Following that Citizens Advice link, Top_gun, scroll down to the "Next Steps" links bit and the third one, "Who's breaching ..... " includes

    In the UK, human rights are protected by the Human Rights Act 1998. Only public authorities must follow the Human Rights Act.

    This means you can take action under the Human Rights Act if a public authority has breached your human rights. But you can’t take action against a private individual as they’re not covered by the Act.
    Page .... https://www.citizensadvice.org.uk/la...-human-rights/



    So it all comes down to whether ik's employers carry out "public functions" and thus qualify.
