To be annoyed that recruiter CCed all candidates going to job interview

[Ygritte84]

Two emails were sent with the complete list of candidates in CC, with names and email addresses. Total breach of confidentiality, right?

I work in a small industry and people know each other. I will cross some of these people in my job.

Feeling very annoyed and also starting to doubt myself seeing the competition!

@name3958

Do people really think every breach has to be reported to the ICO? Do you have any idea how many years it would take the ICO to investigate EVERY breach that's ever occurred?!

Of course not every breach needs to be reported. That's what the companies internal GDPR investigation is there to determine.

So where's the companies investigation documentation ? (Hint: Just saying "It's not serious", isn't good enough).

Of course the real problem is people learning of data breaches. If they didn't know about them, they wouldn't have to worry. (I am Geoffrey Cox, and you can claim your five pounds )

@DGRossetti indeed, but people are advising it'll go to the ICO when it is very unlikely that it needs to, and worst still telling her to report to the ICO before she's even exhausted the complaints process for the company.

The ICO wouldn't fine a company for an accidental email cc', they would just send them an email of their GDPR guidance and tell them they shouldn't do it again.

It would be good to let the recruiter know so that they can follow their in-house GDPR guidance, which will probably be just to report it to their data officer.

@name3958

Do people really think every breach has to be reported to the ICO? Do you have any idea how many years it would take the ICO to investigate EVERY breach that's ever occurred?!

No, of course not, but they'll have a register of complaints and should investigate if a particular organisation has lots of complaints made against it as it is a clear sign of bad practice.

I'd let the company know - they might want to changer recruitment firms.

No, of course not, but they'll have a register of complaints and should investigate if a particular organisation has lots of complaints made against it as it is a clear sign of bad practice.

Yes but you don't go to the ICO until you've exhausted the company's complaints procedure, the ICO will not engage with you if all you can evidence is one conversation on the matter.

There is a theme to this and the threads about why no-one ever hears back from recruiters.

Too much is being left to individuals to do by hand.

There are hundreds of software systems that can be used for recruitment - there is no reason and no excuse for anyone in 2021 to be typing or even copy and pasting e-mail addresses into an email.

@IWentAwayIStayedAway

I would hit REPLY ALL and wish everyone good luck! Major feck up

😂😂😂😂👍

Yes but you don't go to the ICO until you've exhausted the company's complaints procedure, the ICO will not engage with you if all you can evidence is one conversation on the matter.

Not true. A data breach is nothing like a complaint. Anyone can report a breach to the ICO irrespective of the dealings they’ve had with the organisation who caused it.

And in terms of the ICO’s response, it will really be determined by how negatively the OP (and others) have been impacted by the incident and potentially whether the company has ever been reported for similar breaches in the past, which would indicate a more systemic issue with their policies/practices/staff training around data protection.

Don’t presume they just because it’s one “small” incident this time that the regulator won’t be interested. Companies have been fined for very similar transgressions, where the impact on data subjects had been significant enough.

When you notified her of this, do you have a record of it? If not, send a quick email to say something like, just following up after our conversation where I brought your attention to the email, can you confirm that this is being looked into as it is the second time it has happened.
Just be polite, but then you have written evidence they were informed.

That’s intelligent and professional advice from Bookworm20.

So many forms of communication these days are designed not to leave a digital trail. It’s disastrous for businesses (and personally, but that’s another thread).

@ShagMeRiggins

When you notified her of this, do you have a record of it? If not, send a quick email to say something like, just following up after our conversation where I brought your attention to the email, can you confirm that this is being looked into as it is the second time it has happened. Just be polite, but then you have written evidence they were informed.

That’s intelligent and professional advice from Bookworm20.

So many forms of communication these days are designed not to leave a digital trail. It’s disastrous for businesses (and personally, but that’s another thread).

I had also mentioned putting it in writing to the individual and/ or the data protection officer of the company if the recruiter works in a company.

I work in recruitment in a large company.

Report to the ICO. They will investigate with the agency and work with them to improve their processes.

@GiltEdges the ICO will not listen to the OP until she has exhausted the complaints procedure, whilst it is a breach it is does not meet the ICO threshold so it is extremely unlikely they will get involved at this stage, they will if the subject is not happy with how it's been handled but she is not at that stage yet. She needs to formally complain, in writing.

The recruiter has no idea if anyone else has noticed! There’s a good chance other candidates will be complaining when they have their interviews!
I would def bring this up op.

Urgh it's done now and it's really not a massive deal..complaining or getting someone in trouble seems a bit petty.

It's happened a few times where we've received emails that Cc'd instead of BCC'd people in. Some absolute knob replied all once saying "I hope you have reported this to ICO"

A. It's was a fucking boring email about some small change in the company, a few companies basically just saw eachothers email addresses (who cares really?)
B. By replying all, he'd basically done the same thing so needed to report himself
C. The ICO would not give a fuck