Data Protection - the perils of getting it wrong


Some of our previous postings have talked about unscrupulous rivals using personal data, i.e. CVs and candidate details, in a less than professional way. Some of the tricks being pulled in those circumstances are not only unprofessional but possibly unlawful too. Don’t underestimate the importance of compliance with the Data Protection Act 1998. After all, you are in a people business and personal data is your lifeblood. Do you know what you can and can’t do with the data you hold, and, just as importantly, what penalties you might receive if you fail to comply?

In April last year the Information Commissioner (“ICO”) was given new powers to fine organisations up to £500,000 for serious breaches of the DPA 1998. In fact, in November 2010 the ICO fined employment services company A4e £60,000 for the loss of an unencrypted laptop which contained personal data relating to 24,000 people.

Under the DPA you have to comply with the 8 DPA Principles when you process personal information. You must ensure that it is:

• fairly and lawfully processed;
• processed for limited purposes;
• adequate, relevant and not excessive;
• accurate and up to date;
• not kept longer than is necessary;
• processed in line with the data subject’s rights;
• kept secure; and
• not transferred to other countries without adequate protection.

The DPA gives candidates important rights in relation to correcting their information and to compensation for breaches of the DPA.

In terms of how this translates into practical compliance steps, as a minimum you should have a data protection policy and train your staff on compliance issues. Your terms and conditions and your website should include a privacy policy under which you obtain consent from candidates to process their personal data. It goes without saying that you should have a secure server and that data should be password protected. Encrypting laptops is also required by the ICO.

Crucially, you should only pass candidate data to potential employers with the candidate’s agreement. Failing to do so may mean, firstly, that you do not get paid and, secondly, that the candidate objects to their details having been passed on without consent.

If data is passed on without consent, a candidate may complain to the ICO about the misuse of their data, and the ICO in turn has powers to investigate and impose a fine. Remember that the process is a public one, so the potential adverse publicity is perhaps by far the biggest concern for agencies, which need to show integrity and confidentiality in their dealings.

Obviously, if you want to use candidate or client data for anything other than recruitment purposes, e.g. marketing, you must tell your contacts. That could include a list of clients you work for on your website, photos of events you have sponsored, or publicity about high-profile head hunting that has been successful.

Finally, because of the sensitivity of the business you are involved in, you should only release personal data once you are certain of the identity of the person requesting it. For example, if a candidate phones up and wants to talk to you, check that you are actually speaking to the candidate.

The message is clear - make sure you know what you can and can't do with the data you hold. It's essential that you have a data protection policy and that your employees know what it is and how it works; you should display the policy on your website and incorporate it into your employee handbook or employment terms. Take advice on this issue, draft the policy properly and, if you are the unfortunate recipient of a Commissioner request, act quickly!

For more information on this subject, please contact dispute resolution specialist Heather Stanford or join the debate in our eForum on LinkedIn.
