You’ll no doubt know that the Data Protection Act requires organisations that process personal information, with only narrow exemptions, to register with the Information Commissioner’s Office (ICO). Recruitment companies cannot fail to process personal information when dealing with candidates, contractors and interims.
You’ll also no doubt know what the 8 Principles of the Data Protection Act 1998 are and how to achieve basic compliance. But do you know what happens if you breach those Principles, what sanctions the ICO can impose, and why?
Hopefully you will also know whether you are a Data Controller or a Data Processor, but do you know what responsibilities those roles involve? And if you’re not quite sure, do your Consultants know what their roles and responsibilities are?
And have you heard of the General Data Protection Regulation? You probably have, but do you understand what sort of impact it will have on your recruitment company?
Just in case you’re not wholly on top of your Data Protection know-how, Cognitive Law has put together this short guide to fill any gaps in your knowledge.
By way of a quick refresher, the 8 Principles of the Data Protection Act outline the requirements of that particular piece of legislation. Just in case you can’t list them off the top of your head, those Principles state that personal data must be:
- Processed fairly and lawfully
- Processed only for one or more specified and lawful purposes
- Adequate, relevant and not excessive for those purposes
- Accurate and, where necessary, kept up to date
- Kept for no longer than is necessary for the purposes for which it is processed
- Processed in line with the rights of individuals
- Protected by appropriate technical and organisational measures against accidental loss, destruction or damage and against unauthorised or unlawful processing
- Not transferred to countries outside the EEA without adequate protection
So far, so good. All the personal data that you have been given by your candidates must be dealt with in accordance with these principles. You know what you’re supposed to do, you’ve got your Data Protection Policy in place, and you know what you need to do in order not to actively breach one of those Principles. But are you protected against actions beyond your control which may cause you to breach one of those Principles?
The ICO is the UK’s independent body set up to uphold information rights. It is the ICO’s responsibility to police breaches of the Data Protection Act and to take steps to prevent them happening again. That’s why your company is registered with the ICO: so that the ICO knows who is processing personal data and can act on any breach. And it doesn’t matter what type of company it is, who the company is, or whether it is big or small; breaches happen, and here are just some of them which made the news.
In 2013 Sony was fined £250,000 for failing to keep the security software on its PlayStation Network up to date, which allowed hackers to break into the online store and access a raft of personal information such as customers’ names, addresses, dates of birth and credit card details. Although this was deemed to be a criminal attack, Sony still breached the Data Protection Act because the security measures it had in place were not good enough.
In 2008 the ICO issued Marks and Spencer with an enforcement notice ordering the company to ensure all laptop hard drives were fully encrypted by a certain date. This was after an employee’s laptop containing the pension details of 26,000 employees was stolen from their home. Had M&S failed to comply with the Notice it would have been a criminal offence and could have resulted in further action being taken against the company.
In 2014 the ICO fined a subsidiary of Thomas Cook PLC, Think W3 Limited, £150,000 after a hacker stole more than 1.1 million customers’ personal details, including credit and debit card numbers, because of poor data security measures on its website.
And most recently, in May 2015, it was reported that a Welsh police force had been fined £160,000 for losing video footage which formed part of the evidence in a case. The footage was on unencrypted discs in a desk drawer, which were lost in an office move in October 2011. The breach went unreported for nearly two years. The force had no specific force-wide policy in place to deal with the safe storage of victim and witness interviews. The fine was imposed because the force had failed to take appropriate measures against unauthorised processing and accidental loss of personal data.
There are many more examples of accidental and unintentional breaches; the Ministry of Justice and the NHS are two more large organisations repeatedly reported to have breached the Data Protection Act in recent years. Not all of these are the familiar “laptop left on a train” cases. Several of the organisations above were the victims of crime, so what were they doing wrong?
The seventh principle states that personal data must be secured against accidental loss, destruction or damage and against unauthorised or unlawful processing. So not only must you ensure that your internal computer systems are secure; before you allow personal information to leave your premises, whether on a laptop or simply on a mobile phone, there must be adequate security procedures in place to protect it. Such measures can be as simple as a password and encryption, but note that a login password on its own does not protect the data on a stolen laptop or phone; the storage itself must be encrypted, which is exactly what the M&S enforcement notice required. As the examples above show, even these basic measures are not always put in place.
So how does this affect you? Well, if you are an individual or company who (alone, jointly or in common with others) determines the purposes for which, and the manner in which, any personal data is processed, you’re a Data Controller. Every recruitment company decides why and how its candidates’ data is used, so every recruitment company is a Data Controller, which means that you are responsible for ensuring that the provisions of the Data Protection Act are complied with.
The Data Controller is also fully responsible for the actions of the Consultants who process candidates’ data as they fill their roles. Strictly, the Act defines a Data Processor as someone other than an employee of the Data Controller who processes personal data on its behalf, so an employed Consultant acts as part of the Controller, while a self-employed or agency Consultant may be a Data Processor. Either way, what they do with candidate data is your responsibility. You can see from the examples above that a breach of the Data Protection Act could happen accidentally at any recruitment company.
Recruitment doesn’t just happen in the office. Consultants take calls and pick up emails outside of working hours. When they do so they are processing personal data, whether as your employees or as Data Processors, and it’s your responsibility to make sure that the devices on which they’re doing so are secure.
With the General Data Protection Regulation (GDPR) on the way, bringing with it much stricter consequences for breaching data protection law, can you risk the financial and reputational damage that a breach could do to you and your company?
The GDPR is a Regulation that the European Commission plans to put in place to unify data protection within the European Union. Currently the EU Data Protection Directive does not consider aspects such as globalization and technological developments sufficiently, including social networks and cloud computing. The new Regulation is therefore needed to ensure that personal data is kept safe and treated consistently across all EU countries.
Frankly this is good news to any Recruiters making placements in the EU. The GDPR will help you refine the data protection indemnities that your clients ask of you and those which you seek in mirror form from your candidates. The flipside is that your own procedures will need to be pretty robust.
The proposed new EU Data Protection Regulation extends the scope of EU data protection law to all foreign companies processing the data of EU residents. By bringing together data protection legislation from throughout the EU, the idea is that it will make it easier for non-European companies to comply. This does, however, come with a strict data protection compliance regime and severe penalties, proposed at up to 2% of worldwide turnover. The precise wording of the GDPR and the financial penalties for non-compliance are yet to be finalised, but it’s unlikely you’ll want to be subject to them.
On Monday 15 June 2015 the EU’s Justice and Home Affairs Council agreed its ‘general approach’ to the GDPR. Now that the European Commission, Parliament and Council each have their version of the text, the trilogue can begin. The first trilogue took place on 24 June 2015. The aim is for adoption in 2015/2016, and the Regulation is planned to take effect after a transition period of two years. After that period the Regulation will have direct effect in all 28 EU Member States, because it does not require any enabling legislation to be passed by national governments.
What will change?
Whilst details of the GDPR remain to be agreed in the EU trilogue procedure, the main changes are believed to be:
- New Data Protection Officer (DPO) role. The DPO will be similar to, but not the same as, a Compliance Officer. They will be expected to oversee IT processes, data security (including defence against cyber attacks) and other critical business continuity issues surrounding the holding and processing of personal and sensitive data. The organisation will be under a legal obligation to notify the Supervisory Authority promptly once it becomes aware of a security breach, and the DPO will be expected to lead that process.
- New responsibilities for Data Controllers and Data Processors to keep internal records
- New Data Subject rights
- Higher fines. Fines of up to 2% of the company’s annual worldwide turnover, or €1,000,000, whichever is greater
- Tighter restrictions on data transfer outside the EEA
It is understood that the GDPR will bring with it new responsibilities such as:
- Detailed internal documentation to replace notification
- Privacy “by design and default”
- Privacy impact assessment
- Possible Independent audit
- Possible appointment of a Data Protection Officer
- Responsibilities for data processors/contractors
- Mandatory breach reporting
It is also understood that the GDPR will bring with it new rights such as:
- Right to erasure or ‘Right to be forgotten’ – In theory, an individual will be able to demand that organisations erase records of their personal information, where there is “no legitimate reason” for the data to be retained.
- Right to data portability – An individual will be able to request a copy of any of their personal data being processed in a format they can use and transmit electronically to another processing system
- Right to complain to a local data protection authority, even where the breach takes place elsewhere in Europe
- Right to restriction of processing
- Strong rights to object to the processing of one’s data
- Right to be informed about data breaches – Individuals will also have to be notified if an adverse impact is determined.
You probably think this is all a long way off; however, we all know how quickly new regimes creep up on us. You can do no better than to start preparing for the changes at your earliest opportunity. On the whole it will be a strengthening exercise, shoring up the Data Protection Policy you already have in place. However, if you are unsure of your current position, now is the time to make sure it’s compliant.
You should review your existing policies, privacy notices and procedures. The proposed new Regulation contains onerous commitments as to the documentation to be maintained and implemented by Data Controllers and Data Processors, and this documentation will have to be made available to your supervisory authority on request. These commitments could be softened, and regulators may be more interested in substance than form, but if a company cannot produce clear policies it will find it difficult to prove that it has established appropriate standards throughout its business.
Now is the time to identify which of your Consultants (typically self-employed or agency contractors rather than employees) act as Data Processors, and to check that you have the right controls in place. Those Consultants will need to take on board the fact that they will have direct statutory obligations of their own, such as maintaining the appropriate documentation, and you will need to know that they’re up to the job. Training is a must given the onerous fines proposed for breaches. Now is also the time to identify your data assets, embrace data minimisation and future-proof your supplier and client contracts.
If Cognitive Law can be of any assistance, please do not hesitate to get in touch with Lucy Tarrant on 0333 400 4499 or lucy.tarrant@cognitivelaw.co.uk.