Home > News
Mind my data Click to visit the homepage

Nigel Frank move into the takeaway business

Employment agency Nigel Frank lifted my information from LinkedIn without any thought to my rights as a data subject or the LinkedIn user agreement.

Nigel Frank

Like many of you, my work's e-mail address constitutes my personal data because it identifies me as a living individual: I'm that individual who works for that company. If a company wants to send electronic marketing to my work's e-mail address then fair enough, because it's business to business, they don't have to be concerned about obtaining my consent to send me electronic marketing (PECR), but they are still legally obliged to process my personal data fairly. This notion that just because you can view personal information on a website that you're entitled to take it and process it is so ridiculous that, in my view, there must be a criminal element to it. This is because, in this day an age, it's highly unlikely that a data controller isn't aware that they have a legal obligation to process personal data fairly.

Nigel FrankNew window claim to be a "Global leader" in the recruitment industry. In Feb 2014 Nigel Frank sent an e-mail to my work's e-mail address to "introduce" one of their candidates to me. Upon receiving the e-mail my first thoughts were... why is this company that I've never heard of before contacting me to promote their candidate? I submitted a Subject Access Request (SAR) to find out how Nigel Frank obtained my information. That's right folks... if your work's e-mail address identifies you as a living individual then it's likely that you can submit an SAR. At the end of the day it has nothing to do with my employer.

Nigel Frank waived the £10 SAR fee and responded as follows:

One of our permanent consultants at our head office in Newcastle found your details on Linked In on Friday and added the contact details contained on your profile to our database. Our usual practise is that contact details should not be entered on to our database until we have established contact and qualified whether you are interested in utilising our service which is typically within a week. Unfortunately, on this occasion, your details were added and for some reason not restricted for correspondence from us.

When a new record is created a fair collection notice is generated within a few weeks so there is some  urgency in us contacting you quickly and if that fails then you will receive a prompt to act on. I must admit that this is the first time that I have been made aware of this occurring however that doesn't justify our failure. I have attached a screen print of the record that we have on file and await your instruction as to whether you wish this to be deleted or not.

I accept that we are at fault however I would recommend that if you do not wish to be contacted by potential suppliers that you remove your contact details from Linked In as it is readily accessible by the general public and used greatly by recruitment agencies. Once again, apologies for this inconvenience.

This is interesting because Nigel Frank must have accepted LinkedIn's User Agreement and one of the clearly defined Don'ts at section 8.2 of said agreement states:

[Don't] Scrape or copy profiles and information of others through any means (including crawlers, browser plugins and add-ons, and any other technology or manual work)

Seems pretty clear to me! It seems that LinkedIn do not want their users taking information away from their website so why are Nigel Frank adding information about individuals gleaned from LinkedIn to their database? And where did they obtain my work's e-mail address because it's not associated with my LinkedIn account?

Furthermore, section 3.1 clearly states that personal information stored on the LinkedIn website remains the property of the individual.

As between you and LinkedIn, you own the content and information that you submit or post to the Services and you are only granting LinkedIn the following non-exclusive license

It would appear then, that Nigel Frank - a UK-based data controller, is of the view that they can take information from a website and use it however they deem fit. That we're all their bitch! They don't appear to be interested in complying with the LinkedIn user agreement. Not only that, but they've got the audacity to have a go at me. They recommend that if I do not wish to be contacted by potential suppliers that I remove my contact details from LinkedIn. Oh, so it's my fault is it? It's my fault is it that despite the fact that Nigel Frank have accepted LinkedIn's user agreement, they've decided to use the website to populate their own database with my information? And it's my fault is it that when they couldn't find an e-mail for me on LinkedIn, Nigel Frank probably created a likely e-mail address for me? How did they know that the e-mail address was accurate? Did they just guess? And what, after showing such contempt towards LinkedIn and my personal information, they expect me to do them a favour by considering their candidate? WTF!

Don't get me wrong, I am well aware that being an utter git or a failed salesman (or both) is often a prerequisite for working at an employment agency but c'mon; the arrogance of this company is astounding! Oh, and I was opted out of all marketing with LinkedIn at the time so they wouldn't have been able to contact me by using the tools provided by LinkedIn had they tried.

Of course I submitted a complaint to the ICO and they conducted an assessment. The ICO concluded as follows:

Under the DPA an organisation must have a legitimate reason to collect and use personal data. In this instance Nigel Frank had no prior relationship with you and you had opted out of receiving marketing e-mails in your Linked In profile. Despite this they used the details on your profile to add them to their data base for the purposes of marketing.

Under the DPA the term "marketing" covers a range of activities and includes not just the offer for sale of goods or services, but also the promotion of an organisations's aims and ideals. Therefore, it includes not just the e-mail sent to you on 24th February 2014 but also the other types of e-mails regarding vacancies and asking individuals whether they wish to use Nigel Franks' services as mentioned in Nigel Franks' correspondence.

We have written to Nigel Frank to ask them to stop the practice of obtaining personal data from LinkedIn or other websites and adding it to their database for marketing purposes. We have also pointed out that they can contact individuals via Linked In who have not opted out of marketing e-mails.

I further argued to the ICO that Nigel Frank had unlawfully processed my personal information under section 55 of the DPA but the ICO didn't accept this. In a case review the ICO were of the view that it would be necessary to prove that the employee at Nigel Frank obtained my information without the consent of LinkedIn, and with criminal intent. In other words, because section 55 is not a strict liability offence then one would have to prove that the employee 'knowingly' and 'recklessly' processed my information. From my understanding, in a strict liability case mens rea (guilty intention) does not have to be proven. For example, failure to notify the ICO and register as a data controller is a strict liability offence - you can't argue that you didn't know. So unless you are exempt from notification, a data controller will be unlawfully processing personal data if they fail to notify the ICO.

In this case however, I'm still not convinced by the case review and I've got until August 2015 to contest the ICO's view. I shall probably seek independent legal advice before deciding on whether to submit a complaint to the PHSO.

I also submitted a complaint to Linked-In and they replied as follows:

Thanks for bringing this to our attention.

Your privacy is always a top concern. We've worked hard to earn and keep your trust, so we adhere to the following principles to protect your privacy:

1. We will never rent or sell your personally identifiable information to third parties for marketing purposes.
2. We will never share your contact information with another user without your consent.
3. Any personally identifiable information that you provide will be secured with all industry standard protocols and technology.

Typically if someone is not connected to you on LinkedIn they would use an Inmail to contact you. InMail - Overview and Your Network and Degrees of Connection outline how this works.

We will investigate the usage of our site by the company and take appropriate steps based on the results of our investigation.

We appreciate your concern and value your membership!

If you have further questions, please feel free to reply to this message. 


LinkedIn never got back to me so I don't know what happened.

Conclusion.

Employment agencies are one of the biggest abusers of personal data in my opinion. For example, why didn't Nigel Frank contact our HR Department with information about their candidate? It's likely that they don't want to do that because they'll have to join all the other employment agencies who are trying to push their candidates. Instead they're searching for individuals on social media to find someone who works for the company that they're trying to get in with and contacting them directly. Well, Nigel Frank have now been told. They would have had 30 days to object to the ICO's assessment and as they've not done this, they are now deemed to have accepted the view of the assessment. Thus, if they continue to directly contact individuals that they find on social media instead of using the tools provided by the website, then in my view, there's a much clearer case for unlawful data processing. There are so many employment agencies in this country doing it right, why would anyone bother with these chumps?

When Nigel Frank is operating as a UK data controller they must process personal data in accordance with the DPA. They might want to have a think too about whether they want to be seen as an company that has nothing but contempt for other companies' terms and conditions. If you receive unexpected direct marketing from this company then you might want to consider submitting a Subject Access Request and submitting a complaint to the ICO.

I've recently submitted feedback to the Ministry of Justice review about the ICO and I've demonstrated that there's a need for a change to the law that allows individuals to submit a fixed claim for compensation in the small claims court for any company that, according to the ICO, has unfairly processed their information. Until we have that law in place, the best thing that we can do is submit a complaint to the ICO.

Finally, a note to all those companies that use LinkedIn to search out people. If you want to contact someone that you find on LinkedIn then you should use the tools provided by the website until such a time as you're given permission by the individual to contact them directly. You really want to avoid the situation that Nigel Frank now find themselves in where, having being clearly advised by the ICO, it might be a tad difficult to argue that they weren't aware that what they were doing was wrong.

Nigel Frank were given the opportunity to comment on this article prior to it being published but declined to do so.

Added: 08.03.2015