Many HR departments are unprepared for the effect on recruitment activities of new EU privacy regulations that come into force later this year, warns David Gurney
Software Source, 14 Oct 2003
New rules governing the use by businesses of information on individual workers and customers - the Privacy and Electronic Communications (EC Directive) Regulations 2003 - are due to come into force on 11 December. The regulations have been framed with the direct marketing industry in mind, but the implications for HR professionals, particularly in their role as recruiters, are immense. Yet many remain unaware of the new requirements.
More worrying still, compliance with existing legislation – particularly the Data Protection Act 1998 – remains patchy.
Existing legislation: Data Protection Act 1998
• Protects personal privacy and upholds individuals’ rights.
• Applies to anyone who handles, or has access to, information about individuals.
• Organisations that record and use personal information must be open about how it will be used.
• Personal information should not be kept for longer than is necessary to satisfy the purpose(s) for which it was originally collected.
Five years after the act was passed, many employers are still not managing personal data in line with its requirements. The act refers to those who manage personal data about individuals as "data controllers".
Within HR departments the handling of CVs is a key area covered by the act. Jean Davidson of DPA Solutions, a consultancy that advises on data-protection issues, recommends that employers:
• make clear to individuals, when their CV information is first collected, how it will be processed and used;
• explain the "terms and conditions" governing how and when third parties can access CV information. For example, recruiters that have paid for access may keep a copy of a CV in their own files or databases and may not be aware that a position has been filled;
• delete any CVs upon request from job-seekers;
• contact job-seekers on a regular basis to confirm that they are still looking for work, and that their personal information is still accurate.
New rules: Privacy and Electronic Communications (EC Directive) Regulations 2003
These are due to come into effect on 11 December. They reinforce many of the principles established by the Data Protection Act 1998.
• Personal information can no longer be used for direct marketing unless the individual involved has given their explicit consent. This could include sharing CV information between different areas of what is seen as the same company but which are in fact separate legal entities.
• Businesses must retain control of personal information and the consent that they have to use it.
• Data controllers must agree with the candidate the purpose for which personal data will be held.
• Companies must be able to show a valid reason for retaining personal data.
Caught in the middle
The switch to a more proscriptive legal regime will raise further challenges for recruiters.
Many organisations have collected thousands, or tens of thousands, of CVs from job-seekers. Now they must ensure that these historic databases comply with the new rules, and this may be difficult. Many, regardless of size, will need to create two databases – one for applications received before the Privacy and Electronic Communications (EC Directive) Regulations came into force, and one for those received subsequently.
CVs arriving after 11 December will need to be handled in accordance with the new rules. Yet managing this two-speed approach could require huge amounts of administrative effort. Handling duplicate CVs - and CV updates - across two databases will be a nightmare!
Yet companies that fail to manage this process effectively could lay themselves open to legal sanctions. Do not underestimate the importance of this: the potential impact on a company that ignores its obligations could be huge. The Information Commissioner, the watchdog in charge of enforcing data-protection rules, has plenty of enforcement tools.
Comply or face fines
Notwithstanding possible criminal sanctions, businesses that break the rules could face fines, as well as orders to rectify or even destroy any non-complying information. Furthermore, affected individuals now have the right to seek compensation for any damage or distress that a business’s non-compliance may cause. If your organisation emails someone who has not previously agreed to receive your emails, you could be sued and/or charged.
In summary, all organisations have a responsibility to treat personal information with respect. And that means complying with the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
David Gurney is managing director of Develop & Deploy Strategy Limited (www.developdeploystrategy.co.uk). For more information on this subject or for advice on software solutions call 01280 701375.