With the latest news regarding British Airways, the message from data protection regulators is clear:
Information Commissioner Elizabeth Denham said: ‘People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
‘That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights’.
The recruitment process necessitates the handling of personal data, and it is routine for this data to be of a sensitive nature, for example details of a candidate’s passport/ID documentation or proof of address.
GDPR does make provision for recruitment: ‘processing that is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment’. However, organisations must still ensure that the data captured from candidates within the recruitment process is managed properly, i.e. stored securely and retained only for a necessary duration. In the case of Right to Work checks, this is for 2 years after an individual has left the business.
If you are a business that has multiple sites (for example retail, construction or hospitality), are you sure you have a robust process in place for the processing and handling of this data? If you do have concerns, please make contact. We can provide guidance and help you mitigate the risk of a damaging recruitment data breach.