Do Website Team Lists Breach GDPR?

Concrew Training Logo

The simple act of posting a staff, employee or team list on your website may breach data protection legislation. Most organisations will need to be able to evidence consent from everyone whose name is listed, and where vital interests or public task is relied on instead, they will need to be able to evidence that the processing is "necessary", which is easier said than done.

The GDPR (General Data Protection Regulation) requires organisations to justify how and why they use personal data. In simple terms, the organisation needs to identify and record the purpose and the lawful basis for processing all personal data.

Most of the lawful bases for processing depend on the processing being “necessary”.

This does not mean that processing has to be absolutely essential. But the processing must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data.

The lawful basis for processing must be established BEFORE the processing takes place, and recorded.

Most organisations publish team lists on their website to make the organisation appear more attractive to potential customers. That is, in essence, a marketing and promotional activity, which will require either consent from each member of staff whose name is listed, or a requirement to have their name published on the website written into their contract of employment.

Some organisations may consider that a vital interests or public task basis, for example safeguarding, allows them to publish names and photographs WITHOUT consent.

We consider this a high-risk strategy, because on those bases the processing needs to be "necessary" (see above).

We know of no inherent legal duty to publish team lists on websites.

Factoring in the risks posed by publishing team lists makes it difficult to see how publishing names for the whole world to see is necessary. Those risks include stalking and phishing, and the increased risk to those who have escaped domestic abuse (8% of women suffer abuse at home).

Even if the processing could be evidenced as proportionate, "necessary" also demands that there be no less intrusive way of achieving the same outcome. The ease with which information such as a team list can be issued directly to service users undermines the "no less intrusive method" argument.

In simple terms, we consider opt-in consent to be the only GDPR-compliant route for publishing team lists on websites.

Ultimately, a legal ruling will be required before total clarity is established, but can your organisation afford to take the chance?

More interesting points of discussion in our one-day courses on GDPR and PECR.