The growing use of information technology and the boom in online recruitment has expanded opportunities for data processing and sharing but raises dilemmas about data protection and respect for individual information rights.
In a recent Information Commissioner’s Office (“ICO”) survey of employers, a quarter of businesses were unsure of their responsibilities under the Data Protection Act (“DPA”). These range from registration with the ICO as a data controller through to the procedures and standards adopted for processing personal information.
The correct handling of personal data is particularly challenging for the Recruitment Sector. One of the first organisations charged with a serious breach of the DPA was an employment agency. The ICO found it had not taken appropriate security measures, a failing revealed after the theft of a laptop used by an employee working at home, and imposed a fine of £60k. More recently, in 2011, Hays, one of the largest businesses in the recruitment sector, suffered a data security breach after an employee inadvertently forwarded sensitive personal information of 3000 Royal Bank of Scotland (“RBS”) temporary workers to 800 employees of RBS.
Furthermore, directors or managers may be held criminally liable if an offence is committed, whether because of their consent, connivance or neglect. The maximum fine available has been raised to £500,000 for the most serious breaches. Notwithstanding these sanctions, organisations risk serious commercial and reputational harm by public exposure of their data protection failures.
Serious consideration must therefore be given to data protection.
What is ‘personal data’ and ‘data processing’?
The DPA defines personal data as ‘any information which alone or with other data would allow an individual to be identified’ (such as names, email addresses, post codes and national insurance numbers). This includes current and former members of staff (and job applicants). Data processing covers ways of obtaining, recording and holding data (whether electronic or in paper form).
Key principles of data protection
The ICO has identified eight enforceable principles of good practice:
- Personal data must be processed ‘fairly and lawfully’, with stricter conditions applied to ‘sensitive personal data’ – such as ethnicity, political opinions, religious beliefs, health status, and criminal offences.
- Processing can only be for specified and limited purposes.
- Personal data held must be ‘adequate, relevant and not excessive’ (for its intended purpose).
- Reasonable steps must be taken to ensure personal data are accurate and up-to-date.
- Data should not be kept for longer than is necessary.
- Data subjects have specific rights to know what personal information is held, why it has been collected, and to whom it may be disclosed. The subject can object to data likely to cause ‘damage or distress’, prevent its use for automatic decision making and direct marketing, and request corrections to inaccurate data.
- Personal data must be held securely against unlawful or unauthorised processing and accidental loss or damage. Data security requires robust procedures, sufficient physical and technical resources, and restrictions on physical access – whether to buildings, equipment or data files.
- Personal data should not be transferred to countries outside the European Economic Area unless that country ensures adequate and appropriate data protection. Discussions are continuing on the EU Data Protection Directive, which addresses cross-EU comparability issues.
In special circumstances, exceptions may be allowed to the above principles.
Keep onside the DPA
A specific ICO concern has been the lack of adequate security measures against theft/loss, and failure to set up preventative measures against improper access to computer data. The ICO has described such breaches as ‘inexcusable’ and ‘putting people’s personal information at risk unnecessarily.’
The use of data obtained from social network sites (such as Facebook and LinkedIn) is another major concern. Commissioned research has shown that two fifths of employers have rejected job applicants based on information found online. If an unsuccessful candidate alleges discrimination, the onus falls on the employer to prove the legitimacy of the data taken, for example, from a Facebook profile.
Increased action by the ICO
The ICO reported a 50% increase in the number of data security breaches in the first nine months of 2011 compared with the same period last year.
The ICO is increasingly taking action, exercising its strengthened powers of enforcement and requiring organisations to change their data processing systems. Businesses, and the Recruitment Sector in particular, should therefore give careful consideration to their current internal procedures dealing with data protection or run the risk of heavy fines and reputational harm.
Case study
Debenhams Ottaway recently acted for an individual who had been wrongly sued by a finance company as a result of incorrect data. That incorrect data had meant that he had to pay increased interest rates on finance. The case was settled on confidential terms which involved the finance company paying a significant sum in costs and discontinuing its own claim. The case serves as a reminder of the financial consequences which may result should you get your data protection policy and procedures wrong.

If you would like to discuss any of the points raised here, please contact Neil Mercer on 01727 735665 or nmx@dolegal.co.uk.