To be annoyed that recruiter CCed all candidates going to job interview

[Ygritte84]

Two emails were sent with the complete list of candidates in CC, with names and email addresses. Total breach of confidentiality, right?

I work in a small industry and people know each other. I will cross some of these people in my job.

Feeling very annoyed and also starting to doubt myself seeing the competition!

I do bcc alot internally alot with my job if chasing people if not done a certain task. It is easier to type all the names in the to section as the auto email address comes up automatically and does not in bcc. I then paste it all over to another email in bcc in case I accidentally press send.

GiltEdges

Definitely the best reply on this thread. Bearing in mind the reply the OP received, I would probably be reporting it to the ICO, in fact I would have taken that route first, as the OP has now outed themselves.

@1309username

If you only have 72 hours, I’m not sure you can wait to find out if you have the job. I’ve personally had so many interviews when it took them a while to get back to me.

Also, if you wait too long, I think it minimises your complain.

While they’ll have to admit it was a wrong thing to do. They’ll also be like ‘well, it didn’t bother you so much if you were happy to wait a week to complain ‘.

The OP doesn’t only have 72 hours. The recruiter has 72 hours from the point they were notified of the breach.

a charity was fined £10k last week for not using BCC - report the incident to the organisatio's Data Controller.

I once had to do a "test" for a potential role alnogside all of the other candidates; bumped in to the person I'd had a brief handover from when I covered his former role because he'd been "asked to leave" - embarassing; I was still doing that role.
He was later on the other end of a phone call with a colleague, and said the company had decided not to fill the role "yes" replied the colleague, "they offered it to ThinWomansBrain, but she turned it down"

@Ygritte84

Also feeling on a bit of a downer - I thought I was perfect for the job, but there are older people in the pool with many more years of experience.

I would have rather not have known and gone in all pumped up!

I know in theory this had breached GDPR but I personally would be delighted to know who else is being interviewed. Knowledge is power. And even if you don't get the job how can knowing who else is up for interview possibly adversely affect you ? I just don't get it. I will understand that you now feel more anxious because you are aware of who the competition is but going for a job interview is always nerve wracking, or it should be anyway, how is knowing who else is going making that worse?

The issue about names being shared and possibly getting back to current employers of the applicants is a much more serious worry than candidates knowing who else is being interviewed so I am not saying they haven't messed up as they have but I also agree with others that if you want the job you need to complain politely and accept any remedy/ apology in good grace otherwise you might as well not go to the interview

I have just read your update. Sorry that is worse. I think I would have to tell the company about the very poor response of the recruiter . It is very difficult to know whether to do that before or after you know about the job but my instinct would be to wait until after

Yes that's a data breach, but I'd love to know who I was up against at an interview, I always try to spy the names on the visitor book when I go 😂😂

I am not satisfied with this. The recruiter should definitely report the incident to the ICO, not try and forget it ever happened!

To be fair with the information given it doesn't sound like it's met the threshold for needing to report it to the ICO, yes they should internally report but it's not a serious breach. That said if you think the recruiter hasn't reported it at all internally and you're not satisfied, go through their complaints procedure. Only when you've exhausted that is it appropriate to escalate it yourself to the ICO.

@Ygritte84

Just to clarify:

The recruiter is separate from the company advertising the job. So her mistake does not reflect badly on the company itself.

Oh but it does. I use recruitment agencies in conjunction with internal recruitment team, particularly for specialist roles. Our recruitment team oversee all communication conducted on our behalf and the agencies sign up to our protocols.

I would question the future employer's attitude to data and privacy if they don't ensure when using third parties they are paying to gather personal data.

They also potentially leave themselves open for a grievance/appeal on the process as you could quite legitimately say you spotted a risk issue, raised it and the recruiter didn't like that and you then didn't go forward (if that happened).

@name3958

I am not satisfied with this. The recruiter should definitely report the incident to the ICO, not try and forget it ever happened!

To be fair with the information given it doesn't sound like it's met the threshold for needing to report it to the ICO, yes they should internally report but it's not a serious breach. That said if you think the recruiter hasn't reported it at all internally and you're not satisfied, go through their complaints procedure. Only when you've exhausted that is it appropriate to escalate it yourself to the ICO.

Of course it's a serious breach. Job applications are supposed to be confidential. Personal data, including names & email addresses is protected by law. Leaks of this data could jeopardise someone's current job if their employer finds out they've been applying for other jobs or it could jeopardise a marriage/relationship if a partner finds out about job application they've not been told about. It's the whole point of the GDPR to protect personal information.

Just because it's not banking details doesn't mean it's not a serious breach.

@Sugarbellaella

That would be a sackable offence where I work!

I think sacking someone for what is likely to be a genuine mistake is far worse than making the mistake.

Anyone who accidentally does this is likely to be so mortified that it's not a mistake they would make twice anyway, so sacking is hardly appropriate.

OP, you may have all kinds of qualities and experience that the other applicants don't have.

I would say absolutely nothing until after the event.

@Badbadbunny you don't need to explain data protection law to me, I work in data protection, from what the OP has described it isn't a serious breach (there could be further context of course). It's a breach, it should be reported, OP has a right to complain, but that doesn't mean it's met the ICO threshold. The kind of BCC breaches that go to the ICO is where the applicants special category data is exposed, for example an AIDS charity accidentally BCC'd, I'm sure you can understand why that meets the threshold by comparison.

*didn't BCC I mean

I know of a situation where failure by a HR person to use bcc led to payouts to at least one person, and probably more. It was all within one company, where people were applying for a redundancy package. This was always confidential to the person applying. At most, they would mention it to their direct manager.

It was blamed on a 'junior' in HR, that everyone who applied received a cc'd email instead of bcc'd. This guy threatened action, and was given a payout on top of his redundancy.

I would be unhappy with the recruiter's response, OP, and I would be putting it in writing to them, or to their data protection officer, if they work as part of a recruitment company. It would make me wary of future dealings with them. I know anyone can make a mistake but that's a pretty serious one. And the recruiter should be a bit more up to speed, with GDPR, imo, if dealing with data in a daily basis.

Best of luck with the interview/ job hunt.

That’s exceptionally poor. Making the mistake isn’t a sackable offence, but not abiding by GDPR regulations (ie her response) 100% is.

I agree that you should report to the recruiter’s firm and the ICO. I would also want to know if I were the company offering the job - that’s not a recruiter I would use again (again, not because of the mistake but the response).

The police once did something similar with a crime I'd provided evidence for. Someone stealing handbags and selling them on. They sent an email to everyone who had bought one of these bags from eBay and given them a statement, with their email addresses visible.

Massive GDPR breach - they could get into real trouble and pay a big fine over this. Launch a complaint.

Yes that is a breach of data protection laws and you should make a complaint to first to the recruiter and then to the ico www.gov.uk/data-protection/make-a-complaint

Similar to @name3958 I also work in the field of data protection. From the perspective of the ICO this is a breach but not a serious one. It would be extremely surprising if any follow-up action was taken.

The recruiter’s response is really poor, however. I would expect them to at least set out what procedures they have in place to reduce risk of recurrence, training etc. Where I work this would not be a sackable offence but there would be an investigation.

Good luck at interview OP.

The recruiter has messed up. If it bothers you that much and you want to get the recruiter into trouble you need to inform the company you are interviewing with (as they are employing the services of the recruiter).

But the cats out the bag anyway and everyone is in the same boat.

Don't let this get in the way of going for the job - good luck with the interview!

Awful.

The recruiter has just advertised to you all that ye are all actively looking for a new position elsewhere.

Just awful.

What a cowboy outfit response.

Wholly unprofessional.

Massive GDPR breach - they could get into real trouble and pay a big fine over this. Launch a complaint.

Unfortunately, the GDPR, and the Data Protection Act aren't worth the paper they're written on. Yet another piece of legislation drafted and voted in by people with PPE degrees and no knowledge of the real world.

Back in the 1980s TSB had to make changes to their database about the way customer information was held due to increasing numbers having more than 1 cheque account, among other things.

A meeting was held with the Registrar in Wilmslow who said that the bank could not hold customer names and addresses in the computer database.

How the hell he thought he got his bank statement sent in the post, I have no idea. Probably he had hand written statements on vellum or something, or banked with Gringotts. He was 'persuaded' to learn the error of his ways.

Many items sold can be in default of legal regulations but it's impossible to prosecute the manufacturer because of poor wording and drafting of the legislation which is in conflict with the statutory regulations.

As a pp has said, make your feelings known before the interview. You've got the interview - if they didn't think you could do the job, you wouldn't have got that far.

Good luck

Its a data breach and now they are aware of it they have to investigate, including notifying anyone whose details were involved and contact the ICO within 72 hours of being notified by you, if a possible breach has occured. They don't need all the facts first, as they candidate the ICO once they have investigated further.
To dismiss it saying she doesn't want to draw attention to it. Wow, that is shocking.
I would report the ICO yourself. Think of what the impact/risk this breach has for you. You say there is someone else in that list who works for your company. So potentially they could inform your company you were applying for another job, as you could them. Which if you dont get the new job, could it cause you issues at your current work?
Things like that.

Its not up to you to make sure this recruiter informs their DPO or whoever should deal with things like this. But her attitude is shocking. Clearly some training is in order there!

When you notified her of this, do you have a record of it? If not, send a quick email to say something like, just following up after our conversation where I brought your attention to the email, can you confirm that this is being looked into as it is the second time it has happened.
Just be polite, but then you have written evidence they were informed.

Do people really think every breach has to be reported to the ICO? Do you have any idea how many years it would take the ICO to investigate EVERY breach that's ever occurred?!