Good afternoon, Could I have your thoughts on –
Let's say for this purpose our Business Continuity Director wants access to Director level/above personal address/email address and contact number so that they can be contacted outside of work should they need to be. For example where there is an emergency situation that needs dealing with. Our Privacy notice currently states –
In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties provided your interests and fundamental rights do not override those interests. Some of the above grounds for processing will overlap and there may be several grounds which justify use of your personal information.
The individual has access to some Director level/above personal address/email address and contact number where they are a direct report but is requesting access to the individuals who are not a direct report (they are their direct report's report).
Can a lawful basis other than consent be used? Can we rely on legitimate interest as a lawful basis for providing access? I was considering vital interest but this would be accessible regardless of whether there was an emergency or not.
I’m curious why you would not just ask the Directors in question for consent? Alternatively could you not provide them with a work phone on which the Business Continuity Director could contact them if necessary?
Consent is an absolute no for this. Ask yourself, if we use consent what would we do if they don’t consent…not contact them in case of an emergency!?!?!?! That just doesn’t work.
I would consider the use of private email/phone number of an employee by an employer in case of an emergency as custom and practice, and the lawful basis as legitimate interest.
low risk to employee, rights and freedoms etc so crack on IMO
Just be aware of process creep and watch for sending stuff to a personal email address for non-emergency work stuff, when the person is on annual leave etc etc
usual rules apply for sharing PII by email i.e. don’t lol!
I would say you need to assess the necessity of getting the personal contact details of all those employees. For senior members, whose involvement is necessary in case of an emergency, I would say it meets such requirement, and legitimate interest can be used. However, is it the same for the rest of the employees? It depends on the purpose, what kind of emergencies? Based on this, the relevant lawful basis should be used, legitimate interest or consent. But you also should consider whether the consent would actually meet the requirements of freely given in an employment context, and they can withdraw it at any time without consequences. If this leads to the idea that actually the contact details are necessary, then probably legitimate interest is the right option. Or is it necessary at all?