GDPR – Can I Process Next of Kin Details?
Under current data protection laws, it is fine for an organisation to keep emergency contact details. The GDPR will remain reasonably similar, allowing organisations to process next of kin details, including in-death-beneficiary and emergency contact details under legitimate interest processing rules or lawful bases [See article 6]. Further information is available about this in the ICO guide to legitimate interest processing.
Legitimate interest processing places the burden of protecting individuals on you, the organisation. Undertaking a risk/benefits analysis and devising appropriate mitigations might help you gain clarity on what you should and shouldn’t be processing. The CIPL (Centre for Information Policy Leadership) state, “the legitimate interests to be considered may include the interests of the controller, other controller(s), groups of individuals and society as a whole.”
It is unreasonable to expect that consent can always be gained for next of kin data processing, especially in the circumstances of in-death beneficiary. It is reasonable to assume that it is in a person’s best interest to have their data processed as the beneficiary, therefore there is a legitimate interest to process their personal data. However, be mindful that if the next of kin or beneficiary is a child, then extra steps must be taken to safeguard them when processing their data.
Note: Only children over the age of 13 can give their own consent – if you are processing data for a child under 13 years old with the consent of the child’s parent, you do not need consent from the child. The GDPR is clear that you must give extra weight to protecting children’s data. See the ICO guide on Children and the GDPR for extra information.
The Three-Step Test for Legitimate Interest
Legitimate interest requires an assessment and balancing of the risks and benefits of processing. The ICO suggest conducting a legitimate interest assessment (LIA), otherwise known as the “three-step test” for determining if your legitimate interests are valid for processing data.
First, identify the legitimate interest(s). Consider:
- Why do you want to process the data – what are you trying to achieve?
- Who benefits from the processing? In what way?
- Are there any wider public benefits to the processing?
- How important are those benefits?
- What would the impact be if you couldn’t go ahead?
- Would your use of the data be unethical or unlawful in any way?
Second, apply the necessity test. Consider:
- Does this processing actually help to further that interest?
- Is it a reasonable way to go about it?
- Is there another less intrusive way to achieve the same result?
Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:
- What is the nature of your relationship with the individual?
- Is any of the data particularly sensitive or private?
- Would people expect you to use their data in this way?
- Are you happy to explain it to them?
- Are some people likely to object or find it intrusive?
- What is the possible impact on the individual?
- How big an impact might it have on them?
- Are you processing children’s data?
- Are any of the individuals vulnerable in any other way?
- Can you adopt any safeguards to minimise the impact?
- Can you offer an opt-out?
To help demonstrate compliance, you should keep a log of legitimate interest assessments to show you have a decision-making process in place. This will help defend your case for data processing if you receive any complaints. If your organisation has more than 250 employees you must record all of your data processing activities anyway. However, if you have fewer than 250 employees, then you only need to record data processing activities that:
- Are not occasional; or
- Could result in a risk to the rights and freedoms of individuals; or
- Involve the processing of special categories of data or criminal conviction and offence data.
Ultimately when the LIA is complete, you should be able to determine whether or not there is a legitimate interest for data processing, and you should be confident going forward with processing if the legitimate interest exists.
How long should next of kin data be kept for?
The ICO states that if an individual leaves employment, then “personal data that is unlikely to be needed again should be removed from the organisation’s records – such as the individual’s emergency contact details, previous addresses, or death-in-service beneficiary details.” Be careful selecting which information you keep or delete, and ensure you remain in line with the law.
This article is not intended to be legal advice. Please seek professional legal advice specific to your circumstances to make sure you are compliant with the law.