Do/Don't Left
Staff is currently employed by the resort and is requesting information about themself...
Do. You are free to process information for a presently employed, thus verifiable, member of staff
A guest is requesting a staff member's name
Do! This information is expressly made public by virtue of the nametag each staff member wears
When hosting ceremonies that include children, It's ok to move forward as their parents work here and provide their consent...
Don't! You are free to plan the event and invite the participation of the children, the parent must provide consent via the form on the Privacy Portal
When recruiting staff, their information should be kept on file forever...
Don't! Potential employees, if not selected for employment, should be advised that their personal details will be disposed of after a set period of time e.g. 6 months
An ex-employee is exercising their right to access their personal data
It is ok to have potential employees bring all their Documents and Certs to the Job Fair...
All employees should receive a copy of the Employee Privacy Policy and sign it...
Do! An employee should read and sign the policy to acknowledge their understanding of their rights. If the staff is impaired, it should be read and explained to them.
Include a clause for a potential staff member to provide consent for us to conduct a background check....
Do! The law required that we receive consent from the data subject to conduct this activity.
It is ok to discuss current department/employee struggles vaguely because no one will know...
Don't! This will diminish trust in the department, and that is a crucial attribute of your function.
A presently employed staff member requests that the HR Office disclose their personal information to a 3rd party
Do! The employee is presently employed and thus verifiable, and can exercise the right to share their data with a 3rd party. Fee imposed if not electronic.
When interacting with the police or any form of law enforcement, we should comply immediately...
Don't! Urgency is required, yes, but this request should be routed via the Privacy Office. The law requires certain conditions to be met by law enforcement as well. We can be sued by a DS.
A current employee sees you external to the work environment and asks you about their own personal data, you can disclose it...
Don't! Err on the side of caution and document each request. Disclosures by word of mouth are not defensible. Ensure the DS that you are protecting their privacy and will disclose via an approved method
A staff member is requesting a copy of the video footage of an incident that concerns them
Don't! Video footage requests are routed via the Privacy Office before disclosure as other DS may be affected.
Can I confidentially report a staff member compromising the privacy of my office?
Do! The Sensitivity of your function is not lenient to being indiscrete. Nip it in the bud early. Call yourself out and fix it before trust falls
You are not sure how to deal with a request, whether internal or external. It's ok to include the privacy office to provide guidance...
Do! That's the reason for our very existence. Contact the DPA directly or bring it to the attention of the DPA & DPO at privacy@couples.com