Recruitment and the Data Protection Act
The Data Protection Act 1998 (DPA) sets out how personal data must be handled and has eight key principles – click here to read the full list of principles
It is the Data Controller who is responsible for ensuring that these principles are complied with. The Data Controller is defined as, “a person or organisation that makes decisions in regard to personal data, including decisions regarding the purposes for which and the manner in which personal data may be processed.” As a business using client data, this refers to you. Please note that even if the data of your customers is being handled by a third party, you remain responsible for it and a breach of any of these principles can result in a fine of up to £500,000, even though the fault may have been caused by your IT provider or another organisation providing outsourced services.
Two key principles from the Act that we would like to draw attention to are 7 & 8:
Principle 7 makes you responsible for appropriate technical and organisational procedures to be in place to prevent a loss – as such you should always access, transfer and store data in accordance with the organisation’s IT security policies, and if in any doubt, seek advice from the Information Security team
Principle 8 regulates that personal data can only be transferred to countries within the European Economic Area (EEA), or to a country that has been deemed as “safe” by the EU Commission, unless additional measures to protect the data are put in place. Therefore it is your responsibility to ensure that personal data is not being transferred outside the EEA, without advice and guidance from Arthur J. Gallagher’s Data Protection Officer (Andy Searle).
Candidate and client data is key to our business, and the Data Protection Act governs both. The Act is there to strike a balance between your requirement for information and a candidate’s right to privacy, so it is vital to keep that data safe. Here are 10 Top Tips from the Information Commissioner’s Office to help keep you compliant:
- Make candidates aware what information you are collecting and how you will use it. Covert information gathering is hard to justify but firms are increasingly searching social media to check candidate ethics.
- Use the data you collate for the job only; if you intend any other application, you must make this clear.
- Make sure all your people know that data protection rules apply and that they must act accordingly.
- Do not collect more personal data than you need: irrelevant or excessive collection will constitute a breach.
- Do not collect information from all candidates that you only need from the person who secures the job.
- Keep all the personal data secure and remember, you can only disclose it to a third party as set out in the privacy notice and where there is a legitimate business reason, with consent, or where it is required by law or regulation.
- Only ask for information about criminal convictions if justified by the job opening. Spent convictions are off-limits unless the position comes under the Exceptions Order to the Rehabilitation of Offenders Act 1974.
- When verifying personal information, advise the candidate how it will be done and what will be checked.
- When verifying criminal convictions, use the Disclosure and Barring Service (formerly the Criminal Records Bureau) only if you are entitled to do so and follow procedures to the letter.
- Only keep candidate information you obtain for as long as a good business case exists.
To find out more about our modular recruitment insurance solution and request a call back, please visit our website recruitment-insurance.ajginternational.com