EU data directive update could hit recruiters
Proposed changes to the EU’s Data Protection Directive could leave recruiters facing an administrative burden and large fines for non-compliance, says John Hayes, partner at law firm Irwin Mitchell.
On 4 November, the European Commission launched a policy review to update the EU’s 1995 Data Protection Directive. The public consultation ends on 15 January and will then be presented to the European Parliament. Readers can participate in the consultation here: http://ec.europa.eu/justice/news/consulting_public/news_consulting_0006_en.htm.
Hayes explains that the EC wants individuals to have more control of their online personal information, in terms of how it is to be used and how long it is retained, especially by social networking sites such as Facebook.
Hayes says that this means individuals will need to be informed by recruiters, as controllers of personal data, about how and by whom their data is collected and processed. Recruiters will need to provide individuals with clear data protection policies and also ensure, once an individual no longer requires the agency to find them work, that the personal data is removed completely and no longer provided to prospective employers, if asked by the individual to do so.
Hayes told Recruiter that the policy review also has implications for collecting data from online resources, such as social networking sites. Recruitment agencies will have to ensure that the data collected is data which an individual has consented to being obtained.
The question this poses is how would an agency know that an individual has asked for the data to be removed or even that the data can be shared and used by other organisations? Organisations will have to ensure that they obtain the consent of the individual before using the personal data. If the data is used without the permission of the individual, then the data controller/data processor could be liable for a fine of up to £500,000 for not complying with their obligations under the Data Protection Act.
Hayes says: “The proposals would definitely add to the administrative burden on recruitment agencies collecting data, with potentially large fines for non-compliance.
“When obtaining data from third parties, recruitment agencies will need to be sure that the data subject has consented to it being shared and hasn’t requested its deletion. This could be done by including warranties and indemnities in the agreements with third-party data providers.”
