What should an agency tell you about personal data?
The agency should give you a privacy notice when they collect your personal data. This privacy notice should state:
• their contact details;
• why they are processing your data and what their legal reason is for doing so;
• if they are relying on legitimate interests, what those legitimate interests are;
• how long they will store your personal data for;
• that you have a right to request that they correct any incomplete or inaccurate data about you;
• that you have the right to request that they erase your personal data;
• that you have a right to complain to the Information Commissioner’s Office (ICO);
• that if you have given consent, you can also withdraw that consent; and
• whether they will use automated decision-making or profiling to assess your suitability for roles.
Right to informed consent
For your consent to be valid you must know what you are consenting to. To give valid consent you must give a positive indication of your consent, such as by ticking a box - an agency cannot accept your silence as consent or use a pre-ticked box. However, consent is not the only legal basis that they can use to process your data. If the agency does not need consent to process your data, they should not ask for it.
Right to withdraw consent
If you have given consent, you have the right to withdraw it. The agency will have to stop processing the data that you gave them, but they can continue to process other data if they rely on another legal reason for doing so.
Right to object
You have the right to object to your data being processed. The organisation can then only process your data if it has a compelling legal ground to do so.
Rights in relation to automated decision making
You have a right not to be subject to a decision based on automated processing unless you have given your explicit consent. However, the agency will not need your consent if their process is not fully automated.
Right to make a Subject Access Request (SAR)
If you make a SAR, the agency should respond to you within one month, although this can be extended by a further 2 months in certain circumstances. The agency should not charge you to respond to your SAR unless, for example, you have made repeated requests for the same information. The agency could refuse to comply with your request for the same reasons.
Right to data portability
Where technically possible, you have a right to have your personal data transferred directly from one organisation to another. However, this does not include having your data passed to another organisation without your knowledge.
Right of rectification of inaccurate or incomplete data
You have the right to request that the agency corrects any incomplete or inaccurate data they hold on you. The agency should respond to your request within one month.
Right to erasure
This is also known as the right to be forgotten. You can request that the organisation remove all your personal data. However, this is not an absolute right - the organisation can keep your personal data if they have a legal reason for doing so. If you ask for your data to be erased, the agency may ask whether you just do not want to hear from them for a period of time or whether you want your data to be permanently deleted. As organisations cannot keep lists of people whose data they have deleted, the agency may still contact you if later on they find your details on a jobs board or a social networking site. If you have requested that your data be forgotten, the agency should tell any third parties that they have passed your data to that you have filed a request to erase. They must also do the same. Agencies are required to keep certain records, such as ID or right to work checks and payroll records, for certain periods of time. These obligations will override any request to erase data or any objection to processing for so long as they must keep the data.
An organisation must have your express consent to send you direct marketing.
Personal data breaches
If the agency suffers a data breach, e.g. a loss or theft of personal data, they must inform the ICO. If there is a high risk to you, they must also tell you.
Further information about data protection can be found at https://ico.org.uk.