Know your data protection rights
From 25 May 2018 the General Data Protection
Regulation will impose greater data protection
obligations on organisations whilst giving more rights
to individuals in relation to how their personal data is
General Data Protection Regulation
Personal data is data that can identify you as a
living individual. There is general personal data
such as name, address, National Insurance number
and online identifiers/location data. There is also
sensitive personal data which includes information
on physical and mental health, sexual orientation,
race or ethnic origin, religious beliefs, trade union
membership and criminal records. Sensitive
personal data must be protected to a higher level.
You may have applied directly to an agency or they
may have found your details from a jobs board or
social networking site. They can process your data
if they have a legal basis for doing so. There are
6 legal bases for processing data but an agency
is likely to rely on (1) your consent, (2) that the
processing is necessary for the performance of a
contract with you or (3) that they have a legitimate
interest in processing your personal data. Different
conditions apply to each of these legal bases.
What should an agency tell you
about personal data?
The agency should give you a privacy notice when they collect
your personal data. This privacy notice should state:
• their contact details;
• why they are processing your data and what is their legal
reason for doing so;
• if they are relying on legitimate interests, what those
legitimate interests are;
• how long they will store your personal data for;
• that you have a right to request that they correct any
incomplete or inaccurate data about you;
• that you have the right to request that they erase your
• that you have a right to complain to the Information
Commissioner’s Office (ICO);
• that if you have given consent, you can also withdraw that
• whether they will use automated decision-making or
profiling to assess your suitability for roles.
What is personal data?
How does a recruitment business get
your personal data?
Right to informed consent – for your consent to be valid
you must know what you are consenting to. To give valid
consent you must give a positive indication of your consent,
such as by ticking a box – an agency cannot accept your
silence as consent or use a pre-ticked box. However consent
is not the only legal basis that they can use to process your
data. If the agency does not need consent to process your
data they should not ask for it.
Right to withdraw consent – if you have given consent you
will have the right to withdraw your consent. The agency will
have to stop processing the data that you gave them but they
can continue to process other data if they rely on another
legal reason for doing so.
Right to object – you have the right to object to your data
being processed. The organisation can then only process your
data if it has a compelling legal ground to do so.
Rights in relation to automated decision making – you have
a right not to be subject to a decision based on automated
processing unless you have given your explicit consent.
However, the agency will not need your consent if their
process is not fully automated.
Right to make a Subject Access Request (SAR) – if you make
a SAR then the agency should respond to you within one
month, this can be extended to a further 2 months in certain
circumstances. The agency should not charge you to respond
to your SAR unless for example you have made repeated
requests for the same information. The agency could refuse
to comply with your request for the same reasons.
Right to data portability – where technically possible, you
have a right to have your personal data transferred directly
from one organisation to another. However, this does not
include having your data passed to another organisation
without your knowledge.
Right of rectification of inaccurate or incomplete data –
you have the right to request that the agency corrects any
incomplete or inaccurate data they hold on you. The agency
should respond to your request within one month.
Right to erasure – this is also known as the right to be
forgotten. You can request that the organisation remove
all your personal data. However, this is not an absolute
right – the organisation can keep your personal data if they
have a legal reason for doing so. If you ask for your data
to be erased the agency may ask whether you just do not
want to hear from them for a period of time or whether you
want your data to be permanently deleted? As organisations
cannot keep lists of people whose data they have deleted,
the agency may still contact you if later on they find your
details on a jobs board or a social networking site. If you
have requested for your data to be forgotten the agency
should tell any third parties that they have passed your data
to that you have filed a request to erase. They must also to
the same. Agencies are required to keep certain records
such as ID or right to work checks and payroll records for
certain periods of time. These obligations will override
any request to erase data or any objection to processing
for so long as they must keep the data.
Direct marketing – an organisation must have your express
consent to send you direct marketing so if an agency wants
to tell you about services other than work-finding services
they must have your permission to send this to you.
Personal data breaches – if the agency suffers a data breach
eg a loss of theft or personal data, they must inform the ICO.
If there is a high risk to you, they must also tell you.
Further information about data protection can be found
on the https://ico.org.uk.
The information contained in this document is provided as general background information and should not be taken as legal advice.