As we hurtle through the technological era, we are inundated with an overabundance of data: it has never been easier to collect and capture vast amounts of information. I was speaking to someone the other day who said that they kept everything; there was no limit to the amount of data that they could store because they kept it all electronically. They had data going back many, many years.
But there are a couple of problems with this. A few years ago a business in Canberra went through a financial audit; non-conformances were raised, and because the data went back over 10 years, so too did the penalties. Another problem is the potential to breach the Privacy Act: in relation to personal information, data should not be held when there is no further use for it. Until now the Privacy Act has not really been of great concern, but now it can be a serious issue for recruitment agencies, and indeed any business which conducts its own recruitment.
Quite often we think of records as being all the same, stored in the same way, and all used for the same basic purpose - that is, running a business and providing a service. In reality there are many different types of records.
Different types of records
Some records are evidence of an event or similar. They may be generated or collected by the business in the course of undertaking its business. Some records are personal information on individuals. This can be information collected from the individual or others, or from the internet or other sources. It also includes information that may be generated by the business as part of undertaking business. Some of these records can be valid for long periods of time, such as financial records, and others only for short periods of time, such as annual registration details. The records also vary by the level of sensitivity: some are highly sensitive, such as health information; some records taken on their own are nowhere near as sensitive, such as name and contact details; yet these same records taken together with other records can provide information which has potentially serious adverse consequences if misused.
Too many records
I am often astonished at the amount of personal information collected and stored on individuals. Taken together, this information is sufficient to meet requirements for obtaining a bank loan, or for buying a house, or for taking out a lease or other contract. All too often, all this information is readily accessible to all staff in an organisation, whether they need it to perform their job or not. Of course it is important to trust the people who work with you, but it is not enough to assume that all your staff understand privacy and will never breach a privacy principle, even by mistake. There are a number of things your business should do. The first is to review what records and personal information are held, and check that your procedures ensure the proper collection, usage and security of data. Secondly, train your staff so they understand how to manage records; and finally, cleanse and securely archive or destroy the data that is no longer required.
Case Study: Data Cleansing
Late last year we conducted a data cleansing project for an agency in Melbourne. Though the business had responsibly collected data (for police checks, references, drivers' licences, passports, medical registrations, etc.), they still held records from candidates who had ceased working with the agency many years ago. The data was poorly stored - over 10 thousand paper records were stored in plastic boxes underneath desks, in overflowing compactuses and spare rooms. It would have been incredibly easy for files to be forgotten, lost or stolen. Firstly, we looked at the type of data and the purpose for which it was collected in the first place, and then retained. Most of the data for inactive candidates could be deleted, but all the data needed to be reviewed as some data, such as financial records and complaints, needed to be retained. We also needed to work out a way of storing the data to be retained so that it could be readily cleansed at some future time. Then we worked through the records and either saved, archived or deleted records as appropriate. The result was that the business recovered a significant amount of space - both in the office and in terms of disk space, as well as ensuring the records are now well managed and secured. Also, the candidates could be confident that the privacy of their personal information would be respected and the data deleted when it was no longer required.
In designing the data cleansing plan we considered these principles:
1. You do not "own" the candidate: you record personal data with the consent of the individual.
2. Personal data may be collected for a particular purpose, but this purpose must be expressly and clearly defined.
3. Personal data should be collected based on necessity, not convenience.
4. Data that has been retained must be maintained and updated as necessary.
5. You are responsible for all uses of data, including use by those not under your direct control.
6. Privacy management systems, including policies, procedures, and practices should be regularly monitored for compliance.
This was the approach we followed.
1. Identify and distinguish between different categories of candidates, for example: active, inactive, will never work with us, etcetera.
2. Analyse the personal information that has been collected and classify into various categories, for example:
   - Information that is a record of business activities e.g. financial and contact records.
   - Information that is highly sensitive e.g. police checks.
   - Information that is specific e.g. CVs, references.
   - Information that is general e.g. contact details and skills, qualifications.
3. In relation to the business records (example 1, above), identify relevant legislation that may set retention periods.
4. In relation to non-business records:
- Set retention periods which are appropriate for the different candidate categories
- Ensure the retention periods are consistent with the privacy notice and policy
- Develop processes to keep the retained data current
If you have any questions about Privacy requirements or about developing a suitable approach to privacy management or data cleansing, please contact us.