How to process personal data in an Organization
From the series on how to better protect your privacy and (personal) data, whether you are a private person or a business, E-Crime Expert has presented How to protect hard copy & electronic private data, Video: How to protect your offline and online privacy and What a Data Protection Officer means for an Organization.
Because of the crucial importance of personal data and private information, and out of a continuing interest and effort in providing good advice, E-Crime Expert is presenting today a good-practice guide for the processing of personal data in an Organization. This guide should help an Organization follow the legal requirements and foster a positive environment with regard to the private information and data of its employees, clients, contractors and business partners.
For these reasons, when processing personal data, the following basic principles should be followed:
-LAWFULNESS OF PROCESSING
Personal data must be processed fairly and lawfully, be adequate, relevant and not excessive in relation to the purpose for which they are collected and further processed, as well as accurate.
-PROCESSING OF SPECIAL CATEGORIES OF DATA
Data concerning health may be processed, namely where the probationary period is extended due to maternity and/or sick leave, as this is necessary to comply with the controller’s obligations in the area of employment law. Furthermore, within the staff evaluation as such, data revealing trade union membership may be collected. These data may consist of information spontaneously provided in the self-assessment, such as information about membership in joint committees.
The processing of such data may be justified since it would be considered either necessary for the employer’s compliance with specific rights and legal obligations, and/or concern data already manifestly made public by the data subjects themselves, or eventually be based on a freely given, specific and informed indication of their wishes (consent of the data subject).
The administrative and evaluation data processed in this context must be necessary for the accomplishment of the respective procedure. In this respect, the collection of the following administrative data may be considered excessive for the purpose of staff appraisal:
– date of birth,
– details concerning previous education and career,
– contact details of previous reporting staff.
Also, the collection of medical data within the respective probation reports is deemed unnecessary for the purpose of completion of the particular procedure.
It is recommended that the reason for the extension of the probationary period (sickness, maternity or accident) is provided in a separate note and that no information about the actual diagnosis is processed within the probation procedure.
The data processed must be accurate, and where necessary, kept up to date, whereas every reasonable step must be taken to ensure that inaccurate or incomplete data are erased or rectified.
The accuracy of the administrative data processed in this context can be ensured by the nature of the procedure itself. Part of the data is provided by the data subjects themselves (in the self-assessment, as well as the applications for certification and attestation).
Also, the yearly repetition of appraisal and promotion procedures helps ensure that the data processed are up to date.
The accuracy of the evaluation data processed is difficult to establish due to their subjective nature. In fact, the evaluation of the staff performance constitutes largely subjective judgments by the hierarchical superiors against specified predefined criteria.
In any case, data subjects must be provided with a possibility to add their comments directly on the respective reports. In addition, the data subject’s rights of access, rectification and/or appeal contribute to the accuracy of the data processed.
Personal data may be kept in a form enabling the identification of data subjects for no longer than necessary for the purposes for which they were collected or further processed. Further storage of data for historical, statistical or scientific purposes is possible in anonymous form only.
The following evaluation-related documents containing personal data are kept in personal files:
a) career development reports,
b) probation reports,
c) promotion/re-grading decisions, as well as letters confirming the final award of the respective points,
d) certification files of successful applicants (application, training attendance and exam results),
e) attestation decisions.
Promotion, certification and attestation decisions would in principle need to be kept throughout the career of the member of staff, but not all related documents should be kept beyond a certain period.
The files of unsuccessful applicants for certification and attestation can be kept until all appeal channels have been exhausted, including the time limits for appeals before Courts.
-COMPATIBLE USE / CHANGE OF PURPOSE
Personal data should be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
Compatible use includes the processing of data collected within the evaluation report for subsequent career development, promotion or re-grading, renewal of contracts, as well as the follow-up of individual training.
Internal transfers: Data processed within evaluation procedures are mainly transferred to recipients within the same organization or to another organization or subsidiary.
Such transfers have to be necessary for the legitimate performance of tasks covered by the competence of the recipient, who cannot process the data for any purpose other than the one for which they were transmitted.
External transfers: transfers to external recipients should be necessary for the performance of a task carried out in the organization’s interest, and should be made with the DPO’s guidance.
-RIGHTS OF DATA SUBJECTS
In principle, within the evaluation procedures, data subjects are provided with a copy of their reports and are invited to make comments on them.
They can also obtain access to all the documents in their personal file.
The rectification of the factual data processed should be possible upon request to the controller, whereas the (by nature subjective) evaluation data can be rectified within the respective appeal procedures. In any case, it should be ensured that the revised reports are being added to the personal file.
-INFORMATION TO DATA SUBJECTS
In order to ensure transparency and fairness of the processing, the following information should be provided to data subjects:
‐ identity of the controller,
‐ purpose of the processing,
‐ data categories,
‐ whether replies to the questions are obligatory or voluntary, as well as possible consequences of failure to reply,
‐ possible data recipients,
‐ existence of rights of access, rectification and recourse,
‐ legal basis of the processing,
‐ applicable data retention periods.
This information should be provided either at or before the collection of the data, by means of:
‐ a data protection clause in the respective report form, application form or messages sent to data subjects,
‐ a specific privacy statement made available on the Intranet.
Training instructors, external auditors and members of any Examination Boards should sign a ‘confidentiality note’, concerning the storage and hosting of personal data processed within their organization.
Short “Video-surveillance” guide for an organization, if such surveillance is needed:
– provide privacy-friendly technology
– consult staff and other stakeholders
– indicate the purposes of the surveillance
– indicate the camera locations and viewing angles
– indicate the special categories of data
– avoid or limit coverage of areas with heightened expectations of privacy
– state whether the organization uses covert surveillance, and the reasons for this
– indicate the retention period
– keep a register of recordings retained beyond the retention period, and a register of transfers and disclosures
– indicate the access rights, security measures, transfers and disclosures
– state who has access to the recordings and registers
– state who is in charge and who is accountable
If you need the services of an external Data Protection Officer, contact: firstname.lastname@example.org
Any questions about the Data Protection Officer can be submitted to: email@example.com
Additional information can be found at: www.e-crimeexpert.com
Does your Organization process personal data? Does your Organization have internal rules regarding the processing of personal data? Would you be interested in becoming a Certified International Privacy Professional (you can find out how here)?
Hit the “subscribe” button in order to be notified when new videos and articles are posted on this blog.