It was exciting for him, anyway. He was a big fan of the show and an even bigger fan of the actress. I smiled at his enthusiasm, but soon stopped smiling when he told me how the number had come into his possession. He’d interviewed a candidate for an office job who’d previously worked as a PA at a talent agency. Her referees included clients she’d done particularly good work for, and as part of her application she’d given the EastEnders star’s phone number.
In a case like this we don’t need the law to tell us what’s right and wrong. Using this data for personal reasons completely unrelated to the original job application would have been ridiculously unprofessional and a clear violation of the actress’s privacy. It would have put his own job in jeopardy and also risked souring the job applicant’s relationship with her referee. Thankfully my friend snapped out of his fantasy before doing any damage. Recruiters and HR professionals aren’t doctors; they don’t have to take a Hippocratic oath, but they do have to respect the people they work with and the information that comes their way. At Jane Systems we see evidence of that respect every day. We work with HR professionals throughout the public and private sectors, and what consistently shines through isn’t just their respect for privacy; it’s the fact that this respect is woven into the fabric of their actions.
Right now that’s just as well. GDPR becomes law on Friday, and much of the casual rule-bending that characterises bad practice will now have more serious and legally actionable consequences. We’ve already had a reminder this week of how star-struck fans can overstep the mark. Ed Sheeran’s treatment for a broken arm and wrist at Ipswich Hospital last autumn led to a data breach that has seen one person fired and another given a written warning. It was found that they “accessed patient information without legitimate or clinical reason”. There’s no evidence that their intentions were malicious or that Sheeran’s treatment at the hospital was anything less than excellent. So what’s the big deal?
The big deal is that the right to privacy is fundamental, and it’s comprehensively protected by law. GDPR affirms that personal data should be sought and used only for specific, relevant and lawful purposes. Once those purposes have been served, you need to delete the data unless you have a lawful reason to keep it, and if you do keep it you must do so securely. Any loss of data you’re storing must be formally reported within 72 hours. If you don’t play by these rules, you may very well find yourself out of the game.