The first principle of GDPR says that personal data shall be processed in a transparent manner. Articles 13 and 14 give details of what information should be provided to data subjects to comply with that principle (and that information should be provided at the time it is collected, if it is collected directly from the data subject).
As the Information Commissioner’s Office (ICO) says:
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. [emphasis added]
Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.
If you read the ICO’s Guide to GDPR, it is largely predicated on the understanding that privacy notices will be made available to data subjects, effectively as a prerequisite to overall compliance.
So, one thing a data controller must – surely – prioritise (and have prioritised, in advance of GDPR becoming applicable in May 2018) is the preparation and giving of appropriate privacy notices, including to its own employees.
With that in mind, I was interested surprised astounded well-and-truly-gobsmacked to see an admission, on the “WhatDoTheyKnow” website, that the ICO itself has – almost a year on from GDPR’s start – not yet prepared, let alone given, its own staff a GDPR privacy notice:
I can confirm we do not currently hold the information you have requested. The privacy notice for ICO employees is currently under construction.
As getting the right to be informed wrong can leave one open to fines (as well as reputational damage), one wonders if ICO is considering fining itself for this fundamental infringement of a fundamental right?
The views in this post (and indeed all posts on this blog, unless they indicate otherwise) are my personal ones, and do not represent the views of any organisation I am involved with.
10 responses to “ICO hasn’t given own staff a GDPR privacy notice”
What would such a privacy notice look like? Any exemplary privacy notices you can guide one to?
Some examples here – I haven’t really checked them to see if they’re exemplary though: https://www.gov.uk/government/publications/data-protection-and-privacy-privacy-notices
So would Data Controllers of local political parties need to give a privacy notice to candidates and volunteers? And how would a ‘data subject’ – ie an elector on the register which gets given to parties – stop/prevent the party from delivering mail to it when it’s not wanted?
In answer to your first question, in principle yes. However, there may be exemptions to the obligation – I haven’t checked. In answer to your second question there are electoral laws overriding data protection law which permit the (limited) sending of political campaign leaflets to individuals.
Maybe they are exercising their right to have forgotten?
Pingback: Oops! Almost a year in and ICO staff haven't been handed a GDPR privacy notice yet - ITSecurity.Org
Pingback: Oops! Almost a year in and ICO staff haven't been handed a GDPR privacy notice yet - AML Midlands Ltd
Pingback: Does Microsoft Violate GDPR? European Regulator Asks Tough Questions - Security Boulevard
Pingback: GDPR Anniversary – Passing Thoughts (+ Unintended Effects pt 2) – Acting Ultra Virus
Pingback: ICO hasn’t given own staff a GDPR privacy notice — informationrightsandwrongs – The Cognitive CISO