Data Protection Commissioner

Case Study 3

References and salary details disclosed without permission

I received a complaint from an individual who had applied for a specialised medical post with a major hospital. He had forwarded his CV accompanied by a letter in which he stated that he withheld consent to the organisation contacting the referees listed on his CV until "mutual interest" had been established and he had had time to apprise the referees of his intentions. He was subsequently contacted by the Human Resources section, which informed him that it had already contacted the referees.

I took this matter up with the hospital concerned, which immediately acknowledged the error and accepted that the individual's wishes had been overlooked when the referees were contacted. The hospital said that it had put revised procedures in place to avoid this happening again.

A fundamental principle of the Data Protection Acts is that personal data should not be disclosed to third parties without the data subject's consent, unless one of the exemptions provided in section 8 applies. In the circumstances, I found that contacting referees without consent was a disclosure in contravention of section 2(1)(c)(ii) of the Acts, which provides that:

2.-(1) A data controller shall, as respects personal data kept by him or her, comply with the following provisions:

(c) the data-

(ii) shall not be further processed in a manner incompatible with that purpose or those purposes.

(Processing is defined in the Acts to include disclosing data).

In this case, insufficient care appears to have been taken by the organisation to ensure that appropriate guidance was provided to staff involved in the recruitment process and that clear procedures were in place which reflect best data protection practice in regard to the contacting of referees. In my decision, I advised that written consent should be obtained before reference enquiries are taken up, and that such enquiries should be made only in respect of candidates who are being shortlisted or to whom a provisional offer is being made.

In another case, the personal data of some 260 employees and former employees of a major financial institution were disclosed to more than 100 prospective job applicants by the institution's recruitment agency. The institution had forwarded a spreadsheet of vacancies and job profiles to the agency, and a file was inadvertently attached giving details of the people who had filled these jobs. The details were name, role, line manager, details of previous employer, start date, starting salary, previous salary and previous job title. In no way should this information have been released. While the recruitment agency had controls in place to ensure that personal data was not disclosed, an employee deliberately overrode those controls when he was having difficulty with the system, in order to circulate the spreadsheet expeditiously.

From my enquiries, I was satisfied that the contracts in place between the data controller and the recruitment agency (which was a data processor within the meaning of the Acts) met the requirements of section 2C(3) of the Acts, which specifies the contractual provisions relating to security measures that ought to be in place between a data controller and a data processor.

I also found that section 2(1)(d) of the Acts was contravened, in that an unauthorised disclosure of personal data was made inadvertently to certain third parties as a consequence of persons employed by agents of the controller not complying with the relevant security measures required by section 2C(1) and (2) of the Acts.

In my decision, I emphasised that data controllers must make their staff aware of their data protection responsibilities through appropriate training and/or the availability of an internal data protection policy. An internal policy should reflect the eight fundamental data protection rules and should be enforced through supervision, audit and regular review, particularly in terms of constantly re-emphasising security awareness among staff and management. While such an approach may never give 100 per cent protection against individual human error, it may help to satisfy me in any given case that a data controller has taken reasonable measures to comply with the security requirements of section 2C(1) and (2) of the Acts.

As a similar type of incident involving another agency was the subject of Case Study 6 in my 2003 Report, recruitment agencies must be extra vigilant, and I intend to conduct a review of their data protection systems in the coming years.
