Reply to: recruiter spam and removing my details from agency databases

thanks for the replies.

yeah email spam is easy enough to resolve..

i was more interested in privacy concerns ...

having the right not to have your details on a third party database (which would probably get resold) seems like a basic human right to me...

if i don't have the right to have my detais removed, perhaps sending an anonymized version of the cv is an option. comments?

There's a big difference between "can be deleted" and "must be deleted". If you read your own link, you'll see it doesn't say anything about organisations having to delete data. It just gives lots of advice about when they might want to consider deleting it, and reminds them they have an obligation to store it securely whilst they do retain it.

E.g., from your link:

The exact wording of Principle 5 is "Personal data shall be accurate and, where necessary, kept up to date". Whilst an employer that's recruiting for a permie or a contract role almost certainly wouldn't be able to successfully argue that they had a legitimate business reason for retaining unsuccessful applicants' CVs, recruitment agencies that service many roles on behalf of many end user organisations could easily argue that they have a legitimate business need to be able to cross-check information you give them for consistency across several years and different roles you've applied for. Whether you express an intention never to use a particular agency again or not is a moot point to them: they're not retaining your information for your benefit, but for a legitimate business need where there is a "future value" of the information for fraud prevention purposes.

I've worked closely with the DPA too - I used to work in the Police Service. "For its specified purpose" in the context of recruitment can be taken to mean for the purpose of conducting pertinent checks as to your suitability for hiring, now or in the future. We all know that Recruitment Agencies definitely do retain our CVs long after the roles they were submitted for have come and gone. And it's easy to demonstrate that that the ICO can and does prosecute agencies when they break the law (e.g. by not registering with the ICO as a data processor). Do you have an example of even a single agency being prosecuted for retaining CVs for a period that was deemed to be "too long" for the purpose of selecting and vetting potential contractors and employees? Because I can't think of a single successful prosecution for that.

Further to what BB said principle 5 states data can be deleted once it's no longer needed - Principle 5 of the Data Protection Act - Guide to Data Protection Act

Many of the recruitment companies who have had my data, email me to inform me that if I don't send them an updated CV they will delete/remove my details from their database.

Some do this about 8 months after I've last had contact with them others take 4 years.

One thing that needs to be remembered is that if you ever give your details to one of those jobsites they may continual give your details to recruitment agencies and it may be the same one. So the agency will have to keep some information about you i.e. name, email address and phone number to ensure they don't contact you.

Sorry to disagree with you, but you are wrong. And I worked with the DPA \ IC.

An organisation can only hold information electronically or other medium, for its specified purpose. Once that purpose ceases to exist, the Act states the data \ information must be destroyed. Not destroying data \ information no longer required is an offence.

In this example, someone submits their cv and details to an agency with the agreement to find suitable work. That's fine. The agency can retain the info even if the person isnt actively looking since there is a pre disposed agreement between the person and the agent to hold the data \ info for future work.

However, once the person informs the agency (or any other business for that matter) they no longer want them to look for or source suitable work, the agency's need to hold the data \ information ceases to exist and, under DPA \ IA the data must be removed or destroyed.

An agency is contravening the DPA \ IA if it retains information on a subject it no longer needs and by telling the agent you no longer have any intention of using it, the agency is flouting the Act if it does not comply.

Think you'll find Principle 5 of the DPA \ IA refers here.

In any event, if in this case, the contractor updates their cv and the agent doesnt hold a similar up to date version (because the contractor will not forward one as he \ she doesnt want to work with the agency any more) the agency is also in contravention of the DPA \ IA by holding out of date data.

http://www.ico.gov.uk/for_organisati...rinciples.aspx

http://forums.contractoruk.com/busin...e-muppets.html

HTH

Holding on to an old copy of your CV so you don't contact them again with an embellished version at any point in the future is a legitimate need. Provided they had your consent to hold your information in the first place, they don't need further consent from you to continue holding your information for the purpose of maintaining a record of what's gone before. And, as for e-mail addresses, when you tell organisations not to contact you again, how else are they going to know which e-mail addresses they shouldn't contact (even if they come across them again) unless they maintain a Global Suppression List? Of course, such a list necessarily requires them to retain information about the very addresses they shouldn't contact.

When I say can't delete, I was talking about access rights, some of these agents were working in ASDA last week, would you give them access right to delete from your DB.

There are people at the agency who have delete rights, just getting hold of the is a problem.

The easiest thing to do it just create a new e-mail alias and buy a PAYG phone. Once you have a gig switch them both off.

I also had a little app on my android that automatically rejected withheld numbers, but this is more risky as sometimes people you do want to speak to call withheld.

I'm sorry to be the one to inform you, but you don't actually have a right to require organisations to remove information that they hold about you (including your CV) from their records.

It's amazing how many people misunderstand the DPA, and assume that it gives them far more rights than it really does. This is the full text of the Act, and this is a summary of eight of its Key Principles. You'll notice that at no point is any right to require information that organisations once legitimately collected about you to be removed from their records mentioned.

You have the right to require organisations to stop contacting you. You have a qualified right to require them not to share the information they hold about you with anyone else without your consent. You have a right to have factually incorrect information about you corrected. And, in order to collect information about you in the first place, organisations require your consent. Also, most businesses are interested in doing business with people; part of that outlook sometimes involves agreeing to do things they don't strictly have to do. However, once your consent has been initially obtained, there's no retrospective right to have information that has been collected about you deleted.

I once worked for a company that provided identity verification services for organisations like online casinos, dating websites and the like. Basically, anywhere that you had to prove your identity/age/etc in order to engage in a transaction or establish trust. Just occasionally, you'd get someone contacting the organisation I was working for, and demanding that their details be removed. (Usually they'd rediscovered their information was being held by a third party they didn't immediately recognise by requesting their own record from a credit reference agency, or sometimes they'd simply change their minds for whatever reason and demand to get their details back). On occasion, to prevent bad publicity, our organisation agreed to remove the details in question. Other times not. If some kid registered for a dating agency using their dad's credit card (who had the same name), for example, in order to try and falsely persuade older women that he was of their age to fraudulently misrepresent himself to them, that's kind of the type of thing they'd want to keep a record of, however the subject of the data himself might feel about it. It's not always about protecting the person whose consent you originally obtained; it's also often about protecting the people that individual would like to do business with.

Similarly, agencies have a right to retain your CV, so that you don't submit one later that is greatly more impressive than the one you would have preferred them to have removed from their records. Occasionally, if you have valuable skills and you have a legitimate reason for requesting they remove your CV, they might agree to your request, but they're under no compulsion to do so. E.g., plenty of people have a "management experience emphasis" and a "technical experience emphasis" version of their CV, and some even have a version of their CV that is organised by chronological appointments and another one that is organised by relevant skills. Many agencies will agree to remove one or the other from their records, or withhold one or other less relevant versions, when recruiting for roles for which one or other version would be more appropriate, provided they contain largely the same record of your achievements and experience.

The only time I've ever got the ICO involved in a case of an agency playing dumb and pretending to remove my CV (but not really doing so), was with The IT Job Board and Progressive (which you'll find commonly and more accurately referred to as "Regressive" amongst contractors). I'd made the mistake of doing a couple of gigs through Regressive back in 2001 or so, and so my CV had ended up in their files. Both they and TITJB are part of the same group of companies, but are not the same legal entity. When TITJB kept sending me unsolicited e-mail and 'surveys' asking how much I was making on a regular basis, and they failed to stop after I'd 'unsubscribed' using their comedy website, and after I'd finally called and sent a registered letter informing them that I required them to delete my details as they'd never obtained my consent to hold information about me in the first place, that's when I got the ICO involved. [When I'd called TITJB, I'd had the joy of speaking with what appeared to be some work experience youth. He first asked me how to spell my name – as both Rachel and Pierson are names that have possible alternative spellings when you merely hear them spoken – then announced that he "couldn't find my details anywhere" in their system. When I told him to get his act together, he typed a few keys, then said "right, that's them deleted" in a voice that was smug and apocryphal in equal measure. Still, it was a useful call to be able to refer to a recording of later when the ICO asked what steps I'd taken to try and get them to comply before finally asking them to deal with the problem.]

So, if I were you, and it's an agency that legitimately holds a CV you once sent to them that you're talking about, I'd forget it. Ask them to stop contacting you, and if they fail to do so complain to the ICO about that alone. Only make a fuss about them deleting your CV completely if they've never had your consent to hold it in the first place, and an annoying youth mistakenly tries to treat you as if you're stupid and annoys you into pressing the matter further.

This is not correct. It's actually illegal to retain data \ information when there is no specific need to hold it under the DPA \ IA. When you tell an agent you no longer agree to them seeking work \ roles for you, they no longer have a legal requirement to hold your data \ cv.

Any agency that has a system which prevents the deletion of customer records, in this case cv and personal details of ex job hunters, is in controvention of the above Acts.

Just set an email rule up that anything from the agencies go straight to your delete folder.

As regards getting your cv removed from an agency database, if they refuse, just mention the Data Protection \ Information Act only allows them to retain data for a specific purpose ie to find you roles. Since you no longer want them to find you roles, they have no legal right to retain your data.

If they refuse to remove your cv and details, tell them you'll contact the Information Commissioner.

My approach is have an email dedicated to just your CV, when you are not looking turn this account off so agents get undeliverable bounces which most systems take off automatically

Life is too short to try, filter into folder and delete.
It's not that they will not delete, they can't, but will not tell you that.
Trying to find someone you can't will waste a lot of time.

Next time set-up an email accout just for this, when you are not looking for a role don't open it.

HTH