Demonstrating consent

Published: 15 February 2024

The complainant was approached by a recruitment agency of whom they had previously been a client.

Background
The complainant was approached by a recruitment agency of whom they had previously been a client. The recruitment agency alerted the complainant to a vacancy that appeared to match the complainant’s skill set.

The complainant agreed to meet the recruitment agency to discuss the vacancy further. During this meeting, the complainant informed the agency that they did not wish for their details to be shared with the recruiting company at that time but would read over the job description and consider their options.

In the meantime, whilst carrying out duties in their current job role which included liaising with external companies, the complainant was alerted by a company that the recruitment agency had shared a version of the complainant’s CV with them.

When the complainant approached the recruitment agency with their concerns, they were assured that the CV details were anonymised, and they could not have been identified from the correspondence. The complainant had suspicions that this was not the case owing to the fact the recipient of their CV had clearly been able to identify them from the information received. It was at this point the complainant felt they needed to make a formal complaint to the ODPA.

Upon the ODPA conducting an investigation, it transpired that the recruitment agency had included the complainant’s name in the subject heading of the email, thus negating any anonymisation of details within the CV itself.

When approached by the ODPA, the recruitment agency stated that they had the complainant’s consent to share the CV. However, when asked to provide evidence of that consent, they were only able to point to a meeting note that implied consent had been given by the complainant for the sharing of their personal data.

The ODPA found that the recruitment agency had been unable to demonstrate that they had specific, informed and freely given consent from the complainant that would have allowed them to share their personal information in an unredacted or otherwise not anonymised format.

Learning points
There are three lessons to learn from this incident.
  • Firstly, anonymisation is a valuable tool that allows data to be shared, whilst preserving privacy, but the preservation of privacy must be stringently ensured. 
  • Secondly, The Data Protection (Bailiwick of Guernsey) Law, 2017 is unequivocal in stating that it is a controller’s responsibility to ‘clearly demonstrate that the data subject has given the consent’, this must be ‘presented in a manner which is clearly distinguishable from other matters’. 
  • Thirdly, organisations must keep in the forefront of their minds the very real harm their actions can cause to people’s careers, reputations, and personal lives due to their data being mis-used.