From 25 May 2018 the General Data Protection Regulation will impose greater data protection obligations on organisations whilst giving more rights to individuals in relation to how their personal data is processed.
What is personal data?
Personal data is data that can identify you as a living individual. There is general personal data such as name, address, National Insurance number and online identifiers/location data. There is also sensitive personal data which includes information on physical and mental health, sexual orientation, race or ethnic origin, religious beliefs, trade union membership and criminal records. Sensitive personal data must be protected to a higher level.
How does a recruitment business get your personal data?
You may have applied directly to an agency or they may have found your details from a jobs board or social networking site. They can process your data if they have a legal basis for doing so. There are 6 legal bases for processing data but an agency is likely to rely on (1) your consent, (2) that the processing is necessary for the performance of a contract with you or (3) that they have a legitimate interest in processing your personal data. Different conditions apply to each of these legal bases.
What are your data protection rights?
Right to informed consent – for your consent to be valid you must know what you are consenting to. To give valid consent you must give a positive indication of your consent, such as by ticking a box – an agency cannot accept your silence as consent or use a pre-ticked box. However consent is not the only legal basis that they can use to process your data. If the agency does not need consent to process your data they should not ask for it.
Right to withdraw consent – if you have given consent you will have the right to withdraw your consent. The agency will have to stop processing the data that you gave them but they can continue to process other data if they rely on another legal reason for doing so.
Right to object – you have the right to object to your data being processed. The organisation can then only process your data if it has a compelling legal ground to do so.
Rights in relation to automated decision making – you have a right not to be subject to a decision based on automated processing unless you have given your explicit consent. However, the agency will not need your consent if their process is not fully automated.
Right to make a Subject Access Request (SAR) – if you make a SAR then the agency should respond to you within one month, this can be extended to a further 2 months in certain circumstances. The agency should not charge you to respond to your SAR unless for example you have made repeated requests for the same information. The agency could refuse to comply with your request for the same reasons.
Right to data portability – where technically possible, you have a right to have your personal data transferred directly from one organisation to another. However, this does not include having your data passed to another organisation without your knowledge.
Right of rectification of inaccurate or incomplete data – you have the right to request that the agency corrects any incomplete or inaccurate data they hold on you. The agency should respond to your request within one month.
Right to erasure – this is also known as the right to be forgotten. You can request that the organisation remove all your personal data. However, this is not an absolute right – the organisation can keep your personal data if they have a legal reason for doing so. If you ask for your data to be erased the agency may ask whether you just do not want to hear from them for a period of time or whether you want your data to be permanently deleted?
As organisations cannot keep lists of people whose data they have deleted, the agency may still contact you if later on they find your details on a jobs board or a social networking site. If you have requested for your data to be forgotten the agency should tell any third parties that they have passed your data to that you have filed a request to erase. They must also to the same. Agencies are required to keep certain records such as ID or right to work checks and payroll records for certain periods of time. These obligations will override any request to erase data or any objection to processing for so long as they must keep the data.
Direct marketing – an organisation must have your express consent to send you direct marketing.
Personal data breaches – if the agency suffers a data breach eg a loss of theft or personal data, they must inform the ICO. If there is a high risk to you, they must also tell you. Further information about data protection can be found on the https://ico.org.uk website.