Question:

I would like to ask other group members, their opinion on FM companies who request personal data / competencies on engineers who may attend their locations.   In my opinion this data remains protected, competencies show full name, NI, address etc, in short GDPR protected in addition to being business sensitive.

As a responsible business we pay a large premium to be externally audited by SSIP, plus affiliation to the regulation boards such as gas safe, it is understandable that engineers have to prove their ID when on site, but in terms of providing FM companies with a training matrix and personal competencies, does anyone else submit this?  Is there a process or request that can be supplied to request the security process of the data requestor?

I maybe overprotective, however a few years ago a number of our engineers where approached directly after such a data submission.

Replies:

1. I’m in agreement on that one. I’d like to ban LinkedIn also, apart from a useful business tool at times, it’s a seedy platform at times in terms of poaching staff and more.
2. This type of request is commonplace for ourselves, but I do understand the concern this member has
3. Fortunately, none of our engineers have been approached on the back of this breach but would be interested in what the outcome may be?
4. My background is FM and usually customers will request confirmation of competencies including gas cards if FM providers are subcontracting work and also all contractors have a duty of care under CDM 2015 to ensure that all subcontractors have the correct skills knowledge and experience to carry out the works. This is usually the reason for the request.
5. I suppose a fair question back to our ceda colleague would be are you happy for someone to work on your premises or on behalf of you at one of your client’s premises without seeing evidence that they’re qualified to do so? The FM world is the embodiment of box ticking.
6. I’ve never experienced engineers being approached in this manner so I can only really comment on the cause of the concerns however in my experience I’d say that this is perfectly normal especially if it’s the first time of working on this client’s sites.
7. For peace of mind, you could always ask the FM company for a copy of their GDPR policy.
8. We refuse to supply for precisely that reason. They have their gas safe and their ceda cards for ID purposes and we supply DBS but no other information unless it is an MOD or prison site.
9. I always refuse to give engineers details for the very same reason.  I would just send a training matrix with just Name and qualifications held.