Welcome Guest! The IOSH forums are a free resource to both members and non-members. Login or register to use them

Postings made by forum users are personal opinions. IOSH is not responsible for the content or accuracy of any of the information contained in forum postings. Please carefully consider any advice you receive.

Notification

Icon
Error

Options
Go to last post Go to first unread
dennispollard  
#1 Posted : 17 February 2020 17:12:22(UTC)
Rank: Forum user
dennispollard

The new laws state I am unable to send my client my Engineer’s competencies, does anyone else have this same issue? Is there a way I can get around this? As some of my clients require to check competencies in order to book the works and to write permits etc.

chris42  
#2 Posted : 17 February 2020 17:27:05(UTC)
Rank: Super forum user
chris42

Just get the persons written permission to allow you to send specific information out to clients if its an issue.

Chris

Roundtuit  
#3 Posted : 17 February 2020 19:44:42(UTC)
Rank: Super forum user
Roundtuit

We are well into the DPA 2018 and yours is the first post I can recall on the forum on this topic. There will be hundreds in construction emailing copies of various plant and operator cards to clients so what is it in the legal text you perceive prevents transmission? DPA does not apply to the lawful execution of a contract. If that contract necessitates proof of competence for completion DPA is not a block.
thanks 4 users thanked Roundtuit for this useful post.
Wailes900134 on 18/02/2020(UTC), anandhabharathi on 19/02/2020(UTC), Wailes900134 on 18/02/2020(UTC), anandhabharathi on 19/02/2020(UTC)
Roundtuit  
#4 Posted : 17 February 2020 19:44:42(UTC)
Rank: Super forum user
Roundtuit

We are well into the DPA 2018 and yours is the first post I can recall on the forum on this topic. There will be hundreds in construction emailing copies of various plant and operator cards to clients so what is it in the legal text you perceive prevents transmission? DPA does not apply to the lawful execution of a contract. If that contract necessitates proof of competence for completion DPA is not a block.
thanks 4 users thanked Roundtuit for this useful post.
Wailes900134 on 18/02/2020(UTC), anandhabharathi on 19/02/2020(UTC), Wailes900134 on 18/02/2020(UTC), anandhabharathi on 19/02/2020(UTC)
JohnW  
#5 Posted : 17 February 2020 21:38:30(UTC)
Rank: Super forum user
JohnW

Dennis, Ask your client for a copy of their GDPR Consent Form, complete it and return it with your certs. John
Roundtuit  
#6 Posted : 17 February 2020 21:50:46(UTC)
Rank: Super forum user
Roundtuit

How does a clients GDPR form relate to the suppliers employee data?

What you need is their policy on handling and processing third party information.

The purposes "of data" are the legal responsibility of the employer under the Data Protection Act.

thanks 2 users thanked Roundtuit for this useful post.
A Kurdziel on 19/02/2020(UTC), A Kurdziel on 19/02/2020(UTC)
Roundtuit  
#7 Posted : 17 February 2020 21:50:46(UTC)
Rank: Super forum user
Roundtuit

How does a clients GDPR form relate to the suppliers employee data?

What you need is their policy on handling and processing third party information.

The purposes "of data" are the legal responsibility of the employer under the Data Protection Act.

thanks 2 users thanked Roundtuit for this useful post.
A Kurdziel on 19/02/2020(UTC), A Kurdziel on 19/02/2020(UTC)
JohnW  
#8 Posted : 18 February 2020 08:22:56(UTC)
Rank: Super forum user
JohnW

GDPR is a general requirement, so a business must control the storage and use of data of employees, contractors and customers. My clients hold copies of my CV, NEBOSH certs, IOSH card etc and have a duty to handle that data according to the GDPR and I give them my consent to keep only electronic copies of that data, no print-outs or sharing of that data.

Edited by user 18 February 2020 08:37:40(UTC)  | Reason: typo

dennispollard  
#9 Posted : 18 February 2020 08:23:55(UTC)
Rank: Forum user
dennispollard

Thanks for the information 

stevedm  
#10 Posted : 18 February 2020 08:40:02(UTC)
Rank: Super forum user
stevedm

Denis as chris says get the permission from the trainee to send that information on ...you may want to add it to any assessment so that the trainee signs to agree to send a copy or that it is therer responsibility to provide a copy to thier employer...in the case of the regulation you are the data controller and must ensure that any information handed over has a signature granting that right and evidence to show the handover/ consent chain...

Roundtuit  
#11 Posted : 18 February 2020 08:41:32(UTC)
Rank: Super forum user
Roundtuit

Originally Posted by: JohnW Go to Quoted Post
My clients hold copies of .... and I give them my consent ......

A situation that would work well for a single consultant or sole trader.

When you look at the contractor and a large pool of potential signatories, many unlikely to be anywhere near the office, you have created an unecessary bureacracy. Here consent should be given to the employer by the employee and it is the employers duty to validate 3rd party policy before passing over employee information.

thanks 2 users thanked Roundtuit for this useful post.
jmaclaughlin on 18/02/2020(UTC), jmaclaughlin on 18/02/2020(UTC)
Roundtuit  
#12 Posted : 18 February 2020 08:41:32(UTC)
Rank: Super forum user
Roundtuit

Originally Posted by: JohnW Go to Quoted Post
My clients hold copies of .... and I give them my consent ......

A situation that would work well for a single consultant or sole trader.

When you look at the contractor and a large pool of potential signatories, many unlikely to be anywhere near the office, you have created an unecessary bureacracy. Here consent should be given to the employer by the employee and it is the employers duty to validate 3rd party policy before passing over employee information.

thanks 2 users thanked Roundtuit for this useful post.
jmaclaughlin on 18/02/2020(UTC), jmaclaughlin on 18/02/2020(UTC)
Hsquared14  
#13 Posted : 18 February 2020 13:08:47(UTC)
Rank: Super forum user
Hsquared14

The new law does not state that you can't send your client details of your employee's competencies it says you can't send them SENSITIVE PERSONAL data - there is a big difference.  Read the guidance. 

https://www.gov.uk/government/publications/guide-to-the-general-data-protection-regulation

It's very self explanatory there is no reason why you can't send the certificates through so long as the data does not come into the class of sensitive.

JohnW  
#14 Posted : 19 February 2020 08:58:37(UTC)
Rank: Super forum user
JohnW

Originally Posted by: Hsquared14 Go to Quoted Post

.....no reason why you can't send the certificates through so long as the data does not come into the class of sensitive.

I consider qualifiation certificates as 'vulnerable' data, i.e. data which could be used by fraudsters, impersonators, so I would still want the client to give assurance (via a consent form and data policy) that the data is held securely and access/processing is limited.

​​​​​​​John

A Kurdziel  
#15 Posted : 19 February 2020 09:16:52(UTC)
Rank: Super forum user
A Kurdziel

Data Protection laws are about the responsibility of businesses (and others) to manage other people’s personal data. It does not relate to your data about yourself. That is yours and you can voluntary send it to any one you like. You can print a copy of your CV on a T-shirt and parade it up and down the street for all to see. You data is your’s.

 

dennispollard  
#16 Posted : 19 February 2020 09:22:42(UTC)
Rank: Forum user
dennispollard

Originally Posted by: Hsquared14 Go to Quoted Post

The new law does not state that you can't send your client details of your employee's competencies it says you can't send them SENSITIVE PERSONAL data - there is a big difference.  Read the guidance. 

https://www.gov.uk/government/publications/guide-to-the-general-data-protection-regulation

It's very self explanatory there is no reason why you can't send the certificates through so long as the data does not come into the class of sensitive.

But surely the information thats on the competency card could be classed as sensitive as you are getting the name, sex, photo and sometime the DOB, this information could be used by fraudsters 

dennispollard  
#17 Posted : 19 February 2020 09:32:21(UTC)
Rank: Forum user
dennispollard

Originally Posted by: A Kurdziel Go to Quoted Post

Data Protection laws are about the responsibility of businesses (and others) to manage other people’s personal data. It does not relate to your data about yourself. That is yours and you can voluntary send it to any one you like. You can print a copy of your CV on a T-shirt and parade it up and down the street for all to see. You data is your’s.

Thank you for your comment, i am mainly asking about sending my Engineers data to my clients

 

A Kurdziel  
#18 Posted : 19 February 2020 09:32:33(UTC)
Rank: Super forum user
A Kurdziel

“But surely the information that’s on the competency card could be classed as sensitive as you are getting the name, sex, photo and sometime the DOB, this information could be used by fraudsters”

Protecting a person identity is not what Data Protection is about. The laws are intended to stop people misusing data that they hold on you for nefarious purposes including putting you onto black lists, giving you wrong credit scores, accusing you of being a criminal etc. 

Roundtuit  
#19 Posted : 19 February 2020 09:34:21(UTC)
Rank: Super forum user
Roundtuit

You review the clients policy and if it is satisfactory:

You password protect the file - in this case the competency certificate.

This is sent to the client.

You then separately send the password so they can view the file.

The emails (or covering letter should you wish to send them by media - CD, USB or SD Card) become your record of how you handled the sensitive data.

Roundtuit  
#20 Posted : 19 February 2020 09:34:21(UTC)
Rank: Super forum user
Roundtuit

You review the clients policy and if it is satisfactory:

You password protect the file - in this case the competency certificate.

This is sent to the client.

You then separately send the password so they can view the file.

The emails (or covering letter should you wish to send them by media - CD, USB or SD Card) become your record of how you handled the sensitive data.

JohnW  
#21 Posted : 19 February 2020 10:08:05(UTC)
Rank: Super forum user
JohnW

Originally Posted by: A Kurdziel Go to Quoted Post

Protecting a person identity is not what Data Protection is about. The laws are intended to stop people misusing data that they hold on you for nefarious purposes including putting you onto black lists, giving you wrong credit scores, accusing you of being a criminal etc. 

No. If you check the ICO guidance they define 'personal data' and 'sensitive data' etc.

First on their list is 'personal data', they say:

What information does the GDPR apply to? Personal data The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

So applies to address, driving licence no., CV, certificates etc

John

Hsquared14  
#22 Posted : 19 February 2020 12:35:38(UTC)
Rank: Super forum user
Hsquared14

Originally Posted by: dennispollard Go to Quoted Post
Originally Posted by: Hsquared14 Go to Quoted Post

The new law does not state that you can't send your client details of your employee's competencies it says you can't send them SENSITIVE PERSONAL data - there is a big difference.  Read the guidance. 

https://www.gov.uk/government/publications/guide-to-the-general-data-protection-regulation

It's very self explanatory there is no reason why you can't send the certificates through so long as the data does not come into the class of sensitive.

But surely the information thats on the competency card could be classed as sensitive as you are getting the name, sex, photo and sometime the DOB, this information could be used by fraudsters 

No it isn't - the nature of sensitive information is clearly defined in the guidance to the GDPR and you need to read it not make guesses about what the act applies to and what constitutes sensitive data as defined in the Act. 

JohnW  
#23 Posted : 19 February 2020 13:32:16(UTC)
Rank: Super forum user
JohnW

Originally Posted by: Hsquared14 Go to Quoted Post
Originally Posted by: dennispollard Go to Quoted Post
Originally Posted by: Hsquared14 Go to Quoted Post
The new law does not state that you can't send your client details of your employee's competencies it says you can't send them SENSITIVE PERSONAL data - there is a big difference. Read the guidance. https://www.gov.uk/gover...ta-protection-regulation It's very self explanatory there is no reason why you can't send the certificates through so long as the data does not come into the class of sensitive.
But surely the information thats on the competency card could be classed as sensitive as you are getting the name, sex, photo and sometime the DOB, this information could be used by fraudsters
No it isn't - the nature of sensitive information is clearly defined in the guidance to the GDPR and you need to read it not make guesses about what the act applies to and what constitutes sensitive data as defined in the Act.
As I said earlier, the ICO guidance defines 'personal data' and 'sensitive data' etc. BOTH have to be controlled/processed appropriately. In their definitions, first on their list is 'personal data', they say: What information does the GDPR apply to? Personal data The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. So GDPR applies to address, driving licence no., CV, certificates etc John

Edited by user 19 February 2020 13:33:42(UTC)  | Reason: Typo

Users browsing this topic
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.