
Is your employment agency committing a criminal offence?

Notification is a statutory requirement and every organisation that processes personal information must notify the Information Commissioner’s Office (ICO), unless they are exempt. Notification is the process by which an organisation's data controller gives the ICO details about their processing of personal information. Failure to notify is a criminal offence - unless the organisation is exempt from notification.

Exemption is determined by the organisation itself and there is guidance on the ICO's website to assist in this process. However, 'Advertising, marketing and public relations for others' is not an exempt purpose, and for the majority of employment agencies, advertising jobs on behalf of other organisations constitutes their core business. Therefore, any employment agency that advertises jobs on behalf of other organisations is highly unlikely to be exempt from notification. As such, if they have not registered as a data controller then the employment agency owner or its data controller is likely to be committing a criminal offence.

Whenever possible, you should always ask for an employment agency's registration number, or you can check the register of data controllers. Don't be fooled either into thinking that just because an employment agency is registered with the Recruitment and Employment Confederation (REC) they have notified, because the REC have told me that they do not specifically check to ensure that their members have notified, if required to do so. Instead, each REC member simply has to complete a self-assessment questionnaire every two years and the REC accept that. I find this rather disturbing.

However, the REC did tell me that they have in place a program of mandatory inspections as a condition of membership:

'Each month we select a number of corporate members to be visited by a REC Assessment Officer and assessed against 10 areas of REC standards and industry regulations, again this includes registration with the ICO. Any agency that fails and does not provide evidence of compliance within a 6 week deadline can be subject to disciplinary action'.

But the REC has thousands of members so just how many do they check each month, and is disciplinary action enough for criminals? Shouldn't the REC report their members to the ICO? I get the impression that the REC do not see this as a serious matter... and there's your problem. When I contacted some of the REC's members and asked them to provide me with their data controller registration number they failed to respond. Why can't the REC simply insist that ALL members display their data controller registration number at the very start of their privacy policy? Or better still, why don't the REC add a field to their member registration form that requires the member to enter their data controller registration number so that it can be checked by the REC as part of the membership process? And if the member doesn't need to notify then they could enter the reason in a text box below. I could make those changes in five minutes.

So if you are contacted by an employment agency about a possible job with another company then the chances are that agency has a legal requirement to be registered. If they are not or if they refuse to provide their data controller registration number then you should report them to the ICO. You definitely should not be giving them your information.

Also see notification