I’m struggling to get an answer from the ICO as to how the companies that pay to use Monster’s CV database obtain explicit consent to process any sensitive personal information that individuals might have added to our Monster CVs.
Monster operates a UK job portal where members can upload their CVs and share them with selected third-parties. These third-parties, individuals and organisations that will often be unknown to Monster’s members, pay Monster to gain access to their CV database to seek out suitable candidates for employment. The problem is, a typical CV might very well contain sensitive personal information about its owner and if so, it’s not clear how the third-parties that pay to access the Monster CV database satisfy a condition for processing this sensitive personal information. The question therefore is: how does a data controller that we have no prior relationship with obtain our explicit consent to process the sensitive personal information that we may have uploaded to the Monster CV database? I’ve raised the issue with both Monster and the ICO and neither of them seems to give a toss, and this is why I’ve started taking companies to court to claim compensation. Unless it’s marketing by phone, the ICO will nearly always try and support the data controller, particularly if they’re a well-known organisation. And that’s only if they have the competency to do the job.
What constitutes sensitive personal information?
An obvious example of sensitive personal information is where someone has stated, in the CV that they’ve uploaded to Monster, that they’re a member of a trade union. This information will constitute sensitive personal information. According to the ICO’s website, Sensitive personal data means personal data consisting of information as to:
- the racial or ethnic origin of the data subject;
- his political opinions;
- his religious beliefs or other beliefs of a similar nature;
- whether he is a member of a trade union;
- his physical or mental health or condition;
- his sexual life;
- the commission or alleged commission by him of any offence or
- any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
In light of this, it’s not unreasonable to conclude that a percentage of all CVs stored on the Monster CV database will contain sensitive personal information, for example where the owner declares that they have a minor medical condition or that they’re physically impaired. And, as a rule, before a data controller can process sensitive personal information, they will need to obtain explicit consent from the individual whose information they wish to process. I say “as a rule” because there are exceptions. For example, if an individual has deliberately made their sensitive personal information public, it’s unlikely that the data controller will need to obtain explicit consent.
As I want to focus on the third-parties that use the Monster CV database, I’m going to assume that Monster themselves obtain explicit consent from the individuals that register with them directly.
What constitutes explicit consent?
Here’s what the Information Commissioner says about explicit consent in her DPA – legal guidance:
There is a distinction in the Act between the nature of the consent required to satisfy the condition for processing and that which is required in the case of the condition for processing sensitive data. The consent must be “explicit” in the case of sensitive data. The use of the word “explicit” and the fact that the condition requires explicit consent “to the processing of the personal data” suggests that the consent of the data subject should be absolutely clear. In appropriate cases it should cover the specific detail of the processing, the particular type of data to be processed (or even the specific information), the purposes of the processing and any special aspects of the processing which may affect the individual, for example, disclosures which may be made of the data.
Here’s the thing: if explicit consent needs to be “absolutely clear”, then how can anyone give their explicit consent to a third-party that they have no prior relationship with? In many cases, we won’t even know that the third-party organisation exists. My understanding of this guidance, therefore, is that Monster’s third-parties will need to obtain explicit consent directly from the individuals that the CV data relates to – if a CV contains sensitive personal information. And that those individuals would likely have a valid claim for compensation under Section 13 of the DPA if a third-party failed to obtain their explicit consent.
Now, if the third-parties that pay to access the Monster CV database were acting only as data processors, under a data controller/data processor contract with Monster, then Monster would likely remain the overarching data controller. As such, Monster could likely disclose the sensitive CV information to its third-party data processors in accordance with a data controller/data processor contract. The third parties, acting only as data processors, would not need to seek explicit consent from the individuals. But Monster has made it clear that the third parties remain data controllers for their CV database. Monster clarified as follows:
When these third parties access your CV through the Monster site they are not acting as agents of Monster. They are not data processors on behalf of Monster. Rather, each of them acts as data controller of your personal data. Any notifications required to be given to you (as a data subject) by a third party (acting as a data controller) are a matter for you to take up with that third party.
Having clarified that the third-parties are definitely data controllers for our information, I fail to see how Monster’s job portal works and remains compliant with the DPA. How do the third-party data controllers – the employment agencies etc., that we have no prior relationship with, obtain our explicit consent to process the sensitive CV information obtained from the Monster CV database? Perhaps Monster is able to pass the explicit consent that we give to them to the third-parties.
Can Monster pass explicit consent to the third-parties?
Assuming that the third-party data controllers that pay to access the Monster CV database are not able to rely on an exemption to process sensitive personal information, and assuming that the Monster CV database is not open to the public, I fail to see how a commercial third-party that we have no prior relationship with obtains our explicit consent. I sought clarification from the ICO and the ICO’s Mary Jervis told me (PEC0675919):
“Indirect explicit consent” is not defined in the current legislation, the General Data Protection Regulations (GDPR) which come into force 25 May 2018 has a higher bar for consent than the DPA. Guidance for GDPR is being worked on and the Overview to GDPR is where you will find the latest information.
Quoting the GDPR in response to a DPA enquiry doesn’t help me at all. I sought further clarification and Ms Jervis clarified:
In order for an organisation to comply with Principle 1 of the DPA they need to process the personal data fairly and satisfy a condition to process from Schedule 2, and in the case of sensitive personal data at least one condition from Schedule 3. Consent and explicit consent are not the only conditions to process which an organisation may be relying on.
As I am sure you appreciate the purpose of making enquiries to Advice Services is not to make assessments as to whether it is likely an organisation has complied with the DPA or not.
Ms Jervis has copied and pasted the DPA but she has still not answered my question. And look how she’s attempting a second time to divert my question away – that I need to request an assessment. I don’t want to submit an assessment; I just want an answer to this fundamental question. Are we saying that after nearly 20 years of the DPA, the ICO cannot answer this fundamental data processing question without me having to submit a formal complaint against Monster? By the way, the “other conditions” that Ms Jervis is referring to are unlikely to apply in this situation, where commercial third-parties are paying to access the CVs in a secure area.
All I want to know is, according to the Information Commissioner: CAN EXPLICIT CONSENT BE PASSED FROM ONE DATA CONTROLLER TO ANOTHER? Can Monster pass explicit consent to a third-party? Yes or No? Can the ICO answer this fundamental question or not? And if explicit consent cannot be passed, then are they going to contact Monster and tell them? People have up to six years to claim compensation under the DPA as far as I’m aware.
I pushed Ms Jervis for an answer but she never provided it. So, I asked her to forward my information about Monster to the ICO’s Intelligence Hub for further investigation. I didn’t hear back so a few weeks later I asked Ms Jervis to confirm that she had forwarded my concerns to their Intelligence Hub and she replied as follows:
As I said in my email of 21 August, which I posted to you on 22 August 2017, I will not be responding to any more enquiries on the issues you are continually raising. Over the previous months these issues have been answered. The same issues have been dealt with by this office in the past.
It seems to me that she’s just brushed off my question yet again. I don’t know why she’s getting on her high horse when she’s not actually answered the question. “I will not be responding to any more enquiries”? You quoted the GDPR to me in response to a DPA question you silly sod! Ms Jervis went on to say:
With regards to your final point, I confirm your enquiries have been actioned in the appropriate manner.
Thanks for the clear explanation. Does this mean that she has passed the matter to the ICO’s Intelligence Hub or not? It appears that Ms Jervis is incapable of giving me a straight answer about anything. She’s deflected my question twice, and now she’s being pedantic about whether or not she forwarded my enquiry. If your jaw has dropped at the level of incompetence demonstrated here then let me assure you, this is par for the course at the ICO. In case after case, this is the kind of nonsense that I have to deal with. It’s all smoke and mirrors. Ms Jervis doesn’t know the answer, she can’t be arsed to seek out the answer, and now she’s getting snippy with me because she lacks the competency to do the job she’s paid by the taxpayer to do. AatICO!
I’ve now had to ask my MP to write to the Information Commissioner to get an answer to the question on my behalf. We’re waiting for a response from the Information Commissioner. Failing that, my MP will ask the question in Parliament. This is the nonsense that goes on at the ICO.
How Monster deals with data protection enquiries
Finally, allow me to demonstrate just how keen Monster is to deal with data protection enquiries – not! The following paragraphs have been taken from some of the e-mails that I’ve received from Monster and, in my view, they serve to demonstrate that Monster would rather close the accounts of anyone that complains about their rights as a data subject, than endeavour to put things right.
On the 8 March 2017 Monster said:
On the 1 March 2017 Monster said:
On the 27 February 2017 Monster said:
If you have a Monster account and wish to remove your CV or delete your entire account please provide me with your email address connected to the account along with your address linked to the account so that I can follow your request.
And in 2010, I opted out of all direct marketing with Monster under Section 11 of the DPA. Opting out of all direct marketing from a data controller is a key statutory right afforded to all individuals that can now be enforced in court for up to six years after the event. Here’s what Monster had to say about it:
We refer to your recent request that we cease processing your personal data for the purposes of direct marketing in accordance with the Data Protection Act.
“We use the information you provide us to deliver the products and services we offer, and to operate and improve our sites. Our services may include the display of personalised content and advertising. We may use your information to contact you about Monster site updates, conduct surveys, or informational and service-related communications, including important security updates.”
If you no longer consent to us using your personal data in order to provide personalised advertising, then you may delete your Monster account and the data contained in that account at the following link: http://my.monster.co.uk/Account/Settings.aspx. Alternatively, please let us know if you would like us to delete your account for you.
Unless they’re able to convince the ICO that the service cannot be delivered without the marketing element – in which case the marketing might be deemed implied – Monster, like any other data controller, must comply with Section 11 DPA. I’m currently in the process of taking a well-known mobile phone service provider to court because they cannot stop targeting me with direct marketing.
This is a serious matter, yet I find the contempt for the rights of individuals by Monster and by the ICO to be utterly ridiculous! You can see why I’ve started taking companies to court – the ICO doesn’t give a toss! I’ve asked Monster to confirm whether they are of the view that they pass indirect explicit consent to the third-party data controllers that pay to use the Monster CV database but they have not answered this question. I rest my case. Monster is able to carry on regardless because the ICO couldn’t care less.
I’ll update this article once I’ve heard back from the ICO.