Here are answers to two more questions arising from next year’s GDPR, this time on website recruitment and data breach notification. More to follow in this series soon.

We have a contact form section on our website to allow people to submit details (name, email, phone number & CV) if they want to be informed of future vacancies in our business. Is this allowable under GDPR or should we remove it?

The GDPR will not prevent organisations from including such sections on their websites. As the collection and use of such information would amount to “processing” for data protection purposes, however, the employer will clearly be obliged to comply with the new obligations under the GDPR, e.g. providing much more information to individuals about what data is collected, how it will be used, who it will be shared with, etc. Specifically you would also be advised to include on the site information about how the decision will be made (if any such decision is made) to filter the vacancies to things the candidate might be interested in. Is it salary range, particular departments only, based on the formal qualifications entered, etc.? Is that decision made by a human being or a computer?

If a computer, does it need all the information your website requests in order to perform that function. Does the human being? In other words, are you sure that you are not asking at the website input stage for any data that isn’t necessary for the taking forward of your candidates’ interest to the next step? Make a record of your reasoning in this respect.

You will also wish to include somewhere reasonably prominent on the website details of the candidates’ rights and obligations in relation to the data submitted through it. The obligation is essentially to keep you updated if their details change, while the main rights are to require you to provide the usual data subject access to how you have recorded and used their information, to correct anything you have got wrong, to have all or any of it deleted and to complain to the ICO if they see fit.

If you cease to send vacancy details after, say, 6 months then you should say so up front and delete the data at that time unless the individual expressly makes a fresh application or otherwise consents to your extending his time “in the system”. Do note that you will need positive consent to this, i.e. “Check the box if you want us to keep sending you vacancies”, not “Check the box if you want us to stop”.

Just as a side-note from the employment law perspective, it is not generally wise for employers to maintain lists of candidates just in case something comes up, without its pruning those lists on a regular basis. Otherwise one day you will fail to send details of a vacancy the individual thinks he/she should have got, and then you are into issues of why – was it race, sex, pregnancy, etc. – with the burden on you to show what happened. So just as for data protection purposes, the commitment to keep someone’s details “on file” (whether paper or a recruitment website page of this sort) should be expressly time-limited. That is the case whether you are holding that information as employer in relation to your own possible vacancies or as a recruitment business for other people’s.

Does an employer have to inform its employees if there has been a data breach by it or one of its data processors?

Potentially, yes. There are new data breach reporting obligations in the GDPR.

If there has been a data breach, the data processor must notify the data controller of the breach “without undue delay”. The data controller must then notify the ICO of the breach without undue delay (where feasible, within 72 hours of the breach) unless the breach is unlikely to result in a “risk” to the rights and freedoms of the individuals. Where the breach is likely to result in a “high risk” to the rights and freedoms of individuals, the data controller must also notify the individuals directly about the breach.

So if, for example, an outsourced payroll provider loses the salary and bank details of certain employees it would be required (as the data processor) to notify the employer (as the relevant data controller) of the breach without undue delay. The employer must then notify the ICO also without undue delay and, where feasible, within 72 hours. Furthermore, as the breach is likely to result in a high risk to the rights and freedoms of employees (because the loss of salary and bank details could leave them at increased risk of identity theft) the employer must also notify the employees directly about the breach.

ICO Guidance is expected on data breach notification obligations before the GDPR comes into force.