GDPR – Can I Process Next of Kin Details?

Under current data protection laws, it is fine for an organisation to keep emergency contact details. The GDPR will remain reasonably similar, allowing organisations to process next of kin details, including death-in-service beneficiary and emergency contact details, under the legitimate interests lawful basis (see Article 6). Further information is available in the ICO guide to legitimate interest processing.

Legitimate interest processing places the burden of protecting individuals on you, the organisation. Undertaking a risk/benefit analysis and devising appropriate mitigations will help you gain clarity on what you should and shouldn’t be processing. The CIPL (Centre for Information Policy Leadership) states, “the legitimate interests to be considered may include the interests of the controller, other controller(s), groups of individuals and society as a whole.”

It is unreasonable to expect consent to always be gained for next-of-kin data processing, especially in the case of a death-in-service beneficiary. It is reasonable to assume that it is in a person’s best interest to have their data processed as the beneficiary; therefore there is a legitimate interest in processing their personal data. However, be mindful that if the next of kin or beneficiary is a child, extra steps must be taken to safeguard them when processing their data.

Note: Only children over the age of 13 can give their own consent. If you are processing data for a child under 13 years old, you need consent from the child’s parent rather than from the child. The GDPR is clear that you must give extra weight to protecting children’s data. See the ICO guide on Children and the GDPR for further information.

The Three-Step Test for Legitimate Interest

Legitimate interest requires an assessment and balancing of the risks and benefits of processing. The ICO suggests conducting a legitimate interests assessment (LIA), otherwise known as the “three-step test”, to determine whether your legitimate interests are a valid basis for processing the data.

First, identify the legitimate interest(s). Consider:

 * Why do you want to process the data – what are you trying to achieve?

 * Who benefits from the processing? In what way?

 * Are there any wider public benefits to the processing?

 * How important are those benefits?

 * What would the impact be if you couldn’t go ahead?

 * Would your use of the data be unethical or unlawful in any way?

Second, apply the necessity test. Consider:

 * Does this processing actually help to further that interest?

 * Is it a reasonable way to go about it?

 * Is there another less intrusive way to achieve the same result?

Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:

 * What is the nature of your relationship with the individual?

 * Is any of the data particularly sensitive or private?

 * Would people expect you to use their data in this way?

 * Are you happy to explain it to them?

 * Are some people likely to object or find it intrusive?

 * What is the possible impact on the individual?

 * How big an impact might it have on them?

 * Are you processing children’s data?

 * Are any of the individuals vulnerable in any other way?

 * Can you adopt any safeguards to minimise the impact?

 * Can you offer an opt-out?

To help demonstrate compliance, you should keep a log of legitimate interests assessments to show you have a decision-making process in place. This will help defend your case for data processing if you receive any complaints. If your organisation has more than 250 employees you must record all of your data processing activities anyway. However, if you have fewer than 250 employees, then you only need to record data processing activities that:

 * Are not occasional; or

 * Could result in a risk to the rights and freedoms of individuals; or

 * Involve the processing of special categories of data or criminal conviction and offence data.

Ultimately, when the LIA is complete, you should be able to determine whether or not there is a legitimate interest for the data processing, and if there is, you should be confident in going ahead with it.

How long should next of kin data be kept?

The ICO states that if an individual leaves employment, then “personal data that is unlikely to be needed again should be removed from the organisation’s records – such as the individual’s emergency contact details, previous addresses, or death-in-service beneficiary details.” Be careful selecting which information you keep or delete, and ensure you remain in line with the law.

This article is not intended to be legal advice. Please seek professional legal advice specific to your circumstances to make sure you are compliant with the law.

See what we’re doing about the GDPR here at People.