At the heart of the dispute that has been going on recently lies a principle pertinent to data protection and, of course the GDPR.
Based on press reports it seems a researcher gained permission from Facebook to harvest personal data (i.e. information) for a research project. That appears to have been regarded as legitimate. I suggest it was legitimate because there was no intention to use the data to make decisions that would directly affect the individuals whose data was being used.
Contention has then arisen because it is alleged that the data was subsequently used via Cambridge Analytica, to influence voters in the US election and the UK referendum. For example: if a Facebook user was a fan of, say, Arnold Schwarzenegger (a republican) but ambivalent on the election, then that information (about the political allegiance of Schwarzenegger) could be used to influence that person to vote for Trump. Such action affects the individual who is the subject of personal data. In particular, I suggest, that the data would not be being used for the purpose for which it was originally obtained.
There is a range of legitimate reasons for holding personal data on the people whom you employ. The lessons are:
1. Make sure you have a legitimate reason for holding the information. That is critical if as a result of holding that information you may take some action in relation to the employee.
2. Having obtained the information for a legitimate reason do not use it for a reason that requires the employee’s consent.
For example, you may hold the employee’s personal email address for the purposes of making contact in relation to employment matters. But if, without the employees’ consent, you supply that information to the local Gym so they can lobby your employees to join, then you breach data protection.
Malcolm Martin FCIPD
Author Human Resource Practice.