Further Guidance on the Implementation of GDPR
CIRCULAR REF: 2018/018
CIRCULATED TO ALL MEMBERS, BROKERS AND DIRECTORS
As advised in our Circular 2018/009 issued on 27 February 2018, the General Data Protection Regulation (“GDPR”) provides for significant penalties in the event of a data breach. The purpose of this Circular is to provide Members, correspondents and others with further guidance on how to reduce the risk of a breach, and to advise you of some changes we will be making in how we handle personal data.
Data Minimisation and Security of Processing
People claims such as those involving crew or passenger illness and injury can present a challenge for those involved in ensuring the adequate protection of personal data.
The Club is a data controller for the purposes of the GDPR, and is therefore responsible for demonstrating compliance with the Regulation. As a result, and in line with the key GDPR principles of data minimisation and the implementation of appropriate security measures, the Club wishes to explore ways of:
- limiting the amount of personal information in circulation;
- making greater use of existing technology to transfer personal data more securely; and
- where possible, anonymising the data that is exchanged.
E-mail circulation lists continue to expand, which means it can often be difficult to spot when someone who should not be included has inserted themselves into an e-mail chain. In addition, attempted fraud by e-mail is increasing, with communications received from impersonators of those involved in the industry. These impostors are usually seeking financial gain, but responding to such a message could inadvertently lead to a data breach by a data controller.
In handling personal illness or injury claims it is often necessary to exchange special category personal data with Members, correspondents and service providers around the world on an urgent basis.
We would like to offer some “best practice” guidance for the treatment of personal data:
1. Respect – Treat everyone’s personal data with the same respect you would wish for your own.
2. Minimise the generation of personal data by email and on paper – The less personal data being created and circulated, the easier it is to protect. Only send information which is necessary for the handling of the claim.
3. Cyber security – Ensure computer systems are secure and make use of security measures such as password protection and secure servers when transferring attachments containing passports, medical reports, contracts of employment etc.
4. Anonymisation – Consider using different identifiers for individuals, like crewmember, broker, surveyor etc. instead of names and dates of birth. Other identifiers could be the vessel name, the nature of the incident, or the port of disembarkation, with a reference number. This applies not just to the subject heading and body of an e-mail but also, where possible, to any documents which support the claim. If there is no alternative to using a name, we would recommend that it is cited with as few other identifiers as possible in order to reduce the risk of the claimant’s identity and personal details being disclosed to individuals or organisations not involved in the claims process.
5. Start afresh – If you cannot avoid identifying an individual, do so once and then start a new email so that the same personal data is not repeated in the email chain.
6. Reply all – Before using “reply all”, check that it is appropriate that everyone in the circulation list should actually receive the e-mail you are about to send.
7. Use official e-mail addresses – Do not use unofficial, private, or any other non-secure e-mail accounts.
8. Clear and lock – Keep your desk clear and your computer screen locked when you are away from your desk. Dispose of hard copy data in a secure manner.
9. Familiarise yourself with GDPR – How it applies to your business and the penalties for non-compliance.
10. Communicate these guidelines to everyone in your organisation.
The Club recognises that Members, brokers and external service providers such as Club correspondents, surveyors, and experts will generally be data controllers. Implementing the above measures could help minimise the risks arising from processing personal data.
Extra-territorial Reach of the GDPR
As previously highlighted, GDPR applies to shipowners and/or their managers who have establishments within the EU/EEA where they are processing personal data on EU/EEA individuals who are within the EU/EEA. For example, where a shipowner has its management within Greece and provides Greek senior officers to its ships, the personal data of those individuals will fall within the scope of GDPR.
GDPR can also have extra-territorial reach where there is a transfer of data from the EU/EEA to outside the EU/EEA, such as in the recruitment of crewmembers where:
- the shipowner/manager is located in the EU/EEA but engages crewmembers from outside the EU/EEA
- the shipowner/manager is located outside the EU/EEA but engages crewmembers from the EU/EEA
Some Members use local manning agents for the recruitment of crewmembers outside the EU/EEA, for example from the Philippines, India and the Ukraine. Where the crew are engaged by an owner/manager with an establishment in the EU/EEA, the processing of their personal data will fall within the scope of GDPR, despite the crewmembers themselves not being EU/EEA nationals.
In addition, where a shipowner/manager is located outside the EU/EEA but engages crewmembers from EU/EEA countries, it will be processing personal data on EU/EEA individuals, and that processing will also fall within the scope of GDPR.
Shipowners’ Privacy Responsibilities
In respect of crew illness and injury claims, the Club will often be the shipowner’s employers’ liability insurer, and in such cases it may be necessary for the shipowner/manager to give crewmembers notice that their personal data may be shared with its insurers and other third parties.
It is possible that Members’ crew contracts and collective bargaining agreements (CBAs) do not contain data protection clauses or notices. In addition to any wider privacy notice (also known as an information notice or fair processing notice) that may have been produced, we suggest that Members check their notices and, if these points are not already covered, consider including the following provisions for dealing with injury and illness claims:
- What information is being processed?
Personal and special category data regarding the crewmember’s identity, financial information, health, and details of illnesses and injuries.
- Why is it being processed?
To assist with medical treatment and insurance claims.
- What is the legal basis for processing?
To protect the vital interests of the individual, to perform the employment contract, to respond to or defend any claim, and/or to comply with any legal or statutory obligations (for example, to provide insurance).
- Who may it be transferred to?
Insurance companies, insurance brokers, health facilities and entities, either in or outside the EU / EEA, involved in the management of a claim and/or the treatment, travel and repatriation of a crewmember.
- How long will it be kept for?
Consideration should be given to the length of employment, limitation periods and other relevant factors.
For other steps which the Club recommends Members should take, please refer to the “Further impact on Members” section in our previous circular.
This circular should not be construed as providing legal advice. Members should seek independent advice when making changes in working routines with a view to ensuring compliance with the GDPR and any other local regulations.
All clubs in the International Group have issued similar circulars.
LEE WILLIAMSON
DIRECTOR (RISK AND COMPLIANCE)
The North of England P&I Association Limited