Data protection issues permeate every organisation and all levels of society, as you may already be aware, anyone who collects ‘personal data’ is a ‘data controller’ for the purposes of the Data Protection Act 1998 (‘DPA’).
Under the DPA, the data controller (in this case, you or your business) is required to comply with the data protection principles (Schedule 1, DPA) as you will otherwise be guilty of unlawful processing under the DPA. We will not reiterate all the specific obligations under the DPA, but if you are to take something away from this article this is it:
If you have recorded an individual’s personal data, you or your business must fulfil the following statutory obligations:
a) provide the individual whose personal data it is with a copy of the data; and
b) you must not knowingly or recklessly disclose this personal data or information contained in the personal data without that individual’s consent. This includes disclosure to another person.
The DPA obligations are highly relevant for the recruitment industry. The various business models within this sector will inevitably collect and record information on their clients and candidates that is likely to be personal data for the purposes of the DPA. From the very first interaction with a candidate, any recruitment consultant would most likely obtain and record details of the candidate’s skill set, work experience, likes and dislikes and what type of role they are looking for. This information is not only recorded on an internal database (which can be anything from a biro and a spiral pad to state of the art recruitment software) but also subsequently used to match the candidates with suitable vacancies, all in accordance with the Conduct Regulations of course. Similarly, on the client side, you would also record any information that you can get out of the hirer regarding the vacancy that you are instructed to fill. The aforementioned are perhaps obvious examples, but it cannot be stressed enough, that if you are processing personal information that is (or is likely to be) personal data for the purposes of the DPA, you are required by law to be registered with the Information Commissioners Office (‘ICO’).
So why are we highlighting this? Firstly, DPA compliance is not an afterthought. It is a major component of minimising risk and ensuring legal compliance. Secondly, unlawful processing (see above) can be a criminal offence under section 55 of the DPA. More importantly for the recruitment industry, failure to register with ICO when required to do so (which the majority of you will be) is a criminal offence and subject to prosecution accompanied by a fine.
If this all sounds a little frightening, the best way forward is probably to rather be safe than sorry. As it happens, the ICO has recently launched a campaign to clamp down on employment agencies who are not registered under the DPA and is actively seeking to expose companies who have failed to register and will be listing all names of those prosecuted on the ICO website.
A rule would not be a rule without exceptions – would it not? The ICO has made concessions for companies that only process information for what is referred to as ‘core business purposes’. That is, their own staff administration, accounts and records, advertising, marketing and public relations, in connection with their own business activities. To rely on these exemptions, the organisation must ensure that the processing of personal information is strictly within the conditions attached to each exemption and that the organisation does not operate CCTV. It is highly unlikely that a recruitment agency would fall into an exempt category because of the very nature of their business model.
If you think that you may be at risk of DPA compliance we recommend our comprehensive Data Protection Audit. This on-site audit reviews the DPA compliance requirements that are relevant to the recruitment industry, such as ICO registration, policies and process, recording candidate and client information, passing information to third parties and handling subject access requests. Common pitfalls include inadequate information security protection and recording inappropriate subjective comments about candidates and/or clients. Our audit therefore addresses both what to do to keep within the law and the practical steps you are (or should) be taking.
If you have a burning question about this topic or any other HR or employment law matters please send an email to [email protected] or telephone me on 01273 236236. For those of you that are ARC members don’t forget that you can get in touch via the ARC helpline.
Adrian, a highly experienced lawyer, founded Lawspeed in 1997. He is responsible for developing our extensive portfolio of products and services, including the widely used Lawspeed contract templates. Adrian is an expert on “recruitment law” and specialises in contracts, regulatory compliance, employment status and dispute handling. He is chair of the trade body the Association of Recruitment Consultancies, the only lawyer lead recruitment trade body in the UK. Adrian and his co-director Ravi devised Standards in Recruitment as a vehicle for helping drive up standards and compliance in the industry.
Adrian is our lead in discussions with the government over regulatory evolution. Apart from assisting with client support, Adrian’s primary role is research and development into methods of business delivery, our latest service Proterms being his most recent project. Adrian heads our IR35 lawyers team.