GDPR AND THE ‘RIGHT TO BE INFORMED’


17th May 2018

Lewis Bretts comments on the ICO’s Guidance on the ‘right to be informed’ under the GDPR.

 

Finally! Some much-needed detailed guidance from the ICO on the ‘right to be informed’ as set out in Articles 13 and 14 of the GDPR (and elsewhere). Nothing like leaving it to the last minute…

If you’ve previously pored over the Article 29 Working Party Guidelines on Transparency, there isn’t much that is surprising.

The (oft-repeated) cautions against ‘lengthy and legalistic’ notices are worth noting, and the reminder about reputational damage may assist those trying to persuade internal clients of the importance of honesty and transparency.

However, for those struggling with the meaning of ‘disproportionate effort’ in Article 14(5)(b), there is a welcome example:

“At the start of each academic year, a school obtains the name and contact details of individuals when it collects emergency contact information from the parents or guardians of children that have enrolled that year. The school assesses that the effort involved for it to write to every emergency contact to provide them with privacy information is disproportionate in relation to the effect that the use of their personal data will have on them (contacting them in the event of an emergency).

As such, the school does not actively provide privacy information to each emergency contact, however it does publish information on the use of emergency contact details on its website. It also carries out a DPIA and decides that to further mitigate any risks, it will put a policy in place to specify the strict limited use of emergency contact details, and places restrictions on its computer system so that only authorised members of staff have access to these details.”

It’s not law, of course (and to my mind it’s a step further on from the WP29 guidelines, which refer to day patients’ next of kin in a ‘large metropolitan hospital’), but it will provide real comfort to those concerned about Article 14 compliance. Perhaps employers don’t need to actively contact every single employee’s emergency contacts after all…

 

Lewis Bretts, May 2018.