Legitimate interests.
TABLE OF CONTENTS
Talent Point have undertaken an assessment to establish the grounds of legitimate interest as lawful basis for the processing of personal data as covered by Article 6(1)(f) of the General Data Protection Regulation. This document contains the following sections supporting this argument:
- Identifying the Legitimate Interest
- The Necessity Test
- The Balancing Test
The legitimate interests argument applies to historic data where Talent Point has not – due to differing legal conditions – obtained formal consent to process. Individuals are regularly contacted to update their records and gain consent. Talent Point, in line with their privacy policy, are intending to move to holding all records by consent.
For more information on what data Talent Point collect and hold, and for what purpose, please refer to our privacy policy but in summary the only personal data Talent Point hold and process is:
Held
- An Individual’s full name
- An Individual’s contact details
- An individual’s contact preferences
Processed
- An individual’s full name
- An individual’s contact details
- Proof of an Individual’s identity as a passport and/or visa
1. Identifying a Legitimate Interest
What is the purpose of the processing operation?
Talent Point provide Hiring Communication Services to both Individuals and Businesses.
An Individual is a person whose career is focused (or will be focused) on assisting businesses with the support, creation and management of technology.
A Business is any organisation that employs or contracts with Individuals and that has assigned Talent Point to provide Hiring Communication Services.
For Businesses, Hiring Communication spans:
Provision of Market Data, Design of Vacancies, Introductions to Individuals and provision of technology services. These are chargeable services billed as: a day rate, a monthly retainer, a single design fee, a margin for the management of contract resources or a single success fee. Critically, Talent Point take ownership of all Technology Hiring for Businesses so are typically the only gateway to Individuals wishing to work for them in this department.
For Individuals Hiring Communication is provided free of charge and spans:
The management of a long-term career in the technology space including, but not limited to, keeping in regular contact to ensure service relevance, training and guidance on the process of securing employment, designing job vacancies with Businesses that specifically match their career goals and history, introducing to relevant Businesses who are potential future employers, and managing the process of invoicing for services provided by an engaged Individual. Critically, Talent Point design the positions Businesses hire for and are typically the only route to working for them or knowing about opportunities for employment with them.
Is the processing necessary to meet one or more specific organisational objectives?
Processing the data is critical to wide range of Talent Point's organisational objectives.
- Making introductions between Business and Individuals requires contact details for both parties
- Legal obligations under the Employment Agency Regulations require Talent Point to prove the identity and Right to Work of any Individual a Business chooses to appoint via our introduction
- Managing the careers of Individuals over time and giving them access to unique opportunities we create on their behalf means being able to contact them.
- Due to the infrequency with which Individuals move position and the unpredictability of occasions on which this might happen, keeping in contact is essential to helping them find the right position at the right time
- Designing vacancies for Individuals requires knowledge of their peers.
Taken in isolation there are activities Talent Point must perform to remain a profitable, going concern and meet legal and regulatory obligations. In addition, holding and processing data is fundamental to Talent Point’s reputation as a source of expert knowledge regarding typical employment patterns, department structures, salary levels, role types and applicant selection methods in the technology space. Maintaining this reputation is critical to Businesses continue to engage Hiring Communications services and funding the ability of these services to Individuals.
Is the processing necessary to meet one or more specific objectives of any Third Party?
Processing the data is critical to the objectives of both Businesses and Individuals:
- Businesses cannot achieve their technology objectives without the right team members
- Businesses need to screen potential members of staff by telephone
- Businesses need to send contracts and communicate with potential new hires
- Businesses need to be informed of the employment market within which they wish to make a hire if they are to trust Talent Point to create that vacancy
- Businesses require legal proof an Individual has the right to work for them, information Talent Point are legally obligated to provide
- Individuals aim to increase their earning potential and quality of life through the careful management of their career.
- To design vacancies on behalf of Individuals, Talent Point must be able to identify and contact them
- To ensure Individuals secure the right position with the right Business, Talent Point must be able to communicate with them and release such details to a relevant Business as allows them to be interviewed for it and employed in it
- To ensure they are on the right career path, Individuals benefit from being made aware of Businesses Talent Point represent and vacancies being designed for them
Does the GDPR, ePrivacy Regulation or other national legislation specifically identify the processing activity as being a legitimate activity, subject to the completion of a balancing test and positive outcome?
Based on Recital 47 which states ‘a data subject can reasonably expect at the time and in the contact of the collection of the personal data that processing for that purpose may take place’, the Individual, on provision of their data, would reasonably expect their data to be held for a period to be put forward for suitable vacancies. In addition, it is reasonable to expect that personal information will need to be communicated to Third Parties (Businesses) to be considered for a specific job at that company.
2. The Necessity Test
Why is the processing activity important to the Controller?
The provision of Hiring Communication services hinges on having a searchable, contactable data store of technically skilled Individuals that supports:
- The forming of credible opinions and advice for Businesses around who to hire and how to hire them including salary surveys, career progression plans and vacancy design
- The Introduction of relevantly skilled Individuals to those Businesses including the release of phone number, email, home address and passport or visa information to a given Business with the Individual’s consent
- The provision of career guidance to Individuals
- Contacting Individuals at any time over a five-year “career cycle” to inform them of potential opportunities or to create a relevant opportunity for them
- Awareness of which Businesses and vacancies each Individual would have an interest in and be suitable to pursue
Records of career history and aspirations are maintained against an Applicant profile where a name is necessary as an identifier and contact information is required to be able to inform the Individual of opportunities they engaged with Talent Point to make them aware of.
Why is the processing activity important to other parties the data may be disclosed to?
Businesses engage with Talent Point to gain access to a pool of highly-skilled and experienced Individuals in the technology sector and to make informed, well-educated hiring decisions, utilising market information and hiring best practice. Without holding and processing the name, contact details and preferences of Individuals, Talent Point cannot select appropriate Individuals for Businesses or allow them to enter a selection process direct with the Business. Without processing proof of identity of Individuals, Talent Point cannot meet its legal obligations in allowing Businesses to appoint individuals.
Is there another way of achieving the objective?
Across the five stages of data processing we have identified in our Privacy Policy it seems there is no way to avoid maintaining a record of Individuals’ name some form of contact details over the period of five years shown as equal to one “career cycle” or job move.
A very high percentage of the Individuals Talent Point process data on behalf of are featured on the website “Linkedin”. Their names are thus publicly available and Linkedin itself canbe used to identify and, at a cost, contact Individuals. The limitation of this method of processing is that it provides no way of managing contact preferences, consent, or maintaining records of discussions regarding an Individual’s career preferences. Using only publicly available information in the form of online profiles limits TalentPoint’s ability to contact the Applicants when suitable Career progression opportunities arise. We believe using Linkedin as a tool for data processing would negatively impact Hiring Communications services to the extent that Individuals and Businesses would get considerably reduced value.
3. The Balancing Test
Would the individual expect the processing activity to take place?
When an Individual engages with Talent Point, the process of working with them across their career is explained along with the expectation that their personal data will be maintained for five years based on the average job length in the technology sector. At which point a fresh consent is obtained or Individuals can request their details be removed from Talent Point’s database.
Historically our research and review of data processing shows consents have not formally been obtained with completely provable regularity, and formal consent in the form of an email or verbal statement has not been gathered. However, we spoke to over 1000 Individuals who were clear they expected Recruiters to retain their details for the purposes of long-term job searches unless they instructed them to do to do otherwise. Given that Talent Point’s service provides access to positions specifically created for Individuals and is the only route to working for most Businesses, it can be considered to be more value than that of a conventional recruitment agency.
Having spoken to The REC – the regulating body for Recruitment Agencies and Businesses in the UK - they were clear that it has never been a requirement of membership or even part of a good practise charter that permissions should be gained from job seekers for anything but the purpose of releasing their CV and contact details to a potential customer. It is clear pro-active marketing of positions to job seekers is a fundamental aspect of how recruitment agencies work, so no Individual registered by Talent Point should find it unusual that we have retained their details and we offer consistent opportunity for Individuals to withdraw consent
Does the processing add value to a product or service that the individual uses?
Across Talent Point’s history we have maintained groups of Individuals that our teams judge themselves most likely to be able to help find new positions and opportunities for across their career. These “pools” of Individuals are those to which Talent Point can add value to their career over its duration. Critical to increasing the level of value these Individuals receive is ensuring fair volumes of messaging and regular contact that are useful to their particular career situation.
Many Individuals whose data Talent Point hold sit outside these groups. These are Individuals that we have previously engaged with in regard to particular opportunities but do not believe we will be able to add significant value to their future career. This group of Individuals therefore sit outside our definition of Legitimate Interest and after an initial campaign to make contact and assess whether we can now add value for them and gain appropriate consent for processing we will be deleting all data held for these Individuals.
Is the processing likely to negatively impact the individual’s rights?
No. Careful controls are in place at Talent Point regarding the five stages of data processing identified and levels of impact on rights are therefore extremely low. Possible negative impacts are outlined in the Safeguards and Controls section of this document but these have been deemed unlikely to occur. Actions undertaken by Talent Point to reduce the likelihood of negative impacts are also covered in the Safeguards and Controls section.
Is the processing likely to result in unwarranted harm or distress to the individual?
No. The only potential negative impact is irrelevant contact and the frustration this might cause; however Talent Point have safeguards in place to increase the relevance of any passively made contact with Individuals for whom a Legitimate Interest has been established. Possible harm or distress is outlined in the Safeguards and Controls section of this document but these have been deemed unlikely to occur. Actions undertaken by Talent Point to reduce the likelihood of harm or distress are also covered in the Safeguards and Controls section.
Would there be a prejudice to Data Controller if processing does not happen?
Yes, it would significantly impede Talent Point’s ability to function as a business and deliver the Hiring Communication service to Individuals (whom we could not contact with regards to new positions or provide relevant guidance and advice to) and Businesses (for whom we could not introduce Individuals or provide relevant research on the current technology employment market).
Would there be a prejudice to the Third Party if processing does not happen?
Yes, Businesses could not receive details of Individuals nor could they receive advice on employment markets – there would be no purpose to the Hiring Communication service were processing not to occur.
Is the processing in the interests of the individual whose personal data it relates to?
Yes, Individuals would not hear about potential opportunities, Talent Point could not create roles to drive their career forward and Individuals would not be able to enter any selection process with a Business.
Are the legitimate interests of the individual aligned with the party looking to rely on their legitimate interest for the processing?
Yes, each Individual – both historic and current - has engaged with Talent Point to make a positive move in their career. This engagement has been enacted – historically – without formal consent but Talent Point have been unable to discover any legal or best practise guidance that implies Individuals would have been expected to explicitly supply formal consent rather than assume they were doing so. This processing applies only to:
- Holding name and contact details
- Contacting in relation to expressed preferences to discuss career opportunities
Processing that required the release of an Individual’s contact details or proof of identity to a Business would always have been accompanied by the obtaining of specific consent from that Individual so this type of processing does not fall under the legitimate interest.
It is the mutual interests of all parties (individual, Business and Controller) for Talent Point to hold the contact details of Individuals for whom we have identified a specific ability to assist them in growing their careers over time and using this data to form the basis of advising Businesses on the create of roles for such Individuals.
What is the connection between the individual and the organisation?
The Individual has come to the organisation (Talent Point) by actively applying for a role advertised by Talent Point online either directly or via a Third Party (online job board). Alternatively, Talent Point will make contact via public available means (for example, LinkedIn) to find Individuals that fit the requirements of a specific Business. Regardless of the initial connection, all Individuals go through a screening and profiling process that builds the relationship between the individual and the organisation (stage 2 outlined in section 2.2 of this document).
What is the nature of the data to be processed? Does data of this nature have any special protections under GDPR?
- Name, contact information (phone or email) and address/postcode are gathered and held.
- The desire to receive communication by email is gathered and held.
- Proof of identity is gathered and held only where a Business seeks to employ an Individual
- It is noted that some Individuals may inadvertently have supplied Talent Point with other data via their CV but this is not data that Talent Point actively seeks to obtain nor will it be processed at any time.
Is there a two-way relationship in place between the organisation and the individual whose personal information is going to be processed? Is so, how close is that relationship?
Registration of an Individual requires at least an hour-long phone call for the purposes of understanding their career, job search and what they wish to gain from the Hiring Communication Services. A second, vacancy specific phone call, will occur for the purposes of screening the Individual for a particular job vacancy.
Talent Point invest time and energy into understanding both an Individual’s abilities and preferences and this information is logged against their personal information. As suitable vacancies that match skills and aspirations open at Businesses, Talent Point contact the Individual to confirm their interest or discuss the formation of a position for them with a given business. If there is an interest the same, vacancy specific call is repeated but in reference to the different vacancy.
Contact, across the process of being registered and being included in the screening process for a vacancy, is both regular and close.
Where an Individual either finds new employment or ceases looking for work, the level and closeness of contact with Talent Point reduces given the Hiring Communication service is not of immediate, short term benefit. At any point, an Individuals circumstances or career preferences may change, meaning the relationship will resume.
Our research has shown that a typical role in technology lasts 5-10 years so we would expect any Individual who had not had contact with Talent Point for five years to fall outside a legitimate interest in processing given that knowledge of their current abilities and wants is likely to be insufficient to provide a useful, beneficial service.
Has the personal information been obtained directly from the individual, or obtained indirectly?
Data is typically provided to Talent Point by an Individual replying to a job advert. In this instance they have consented to the release of their data to us for the purposes of contacting them in regard to the role and assisting them in their career.
In other instances, the Individual will have uploaded their details to a public forum such as LinkedIn or a private forum such as an online job board (for example, Reed, CV-Library) and consented to being contacted by firms able to assist them in finding work.
Other than name and contact details no further data is processed until Talent Point have spoken to the Individual and registered them as someone to whom Hiring Communication services will be provided. Any data obtained at this stage comes from the Individual and any existing data obtained from private or public forums to whom the Individual had given consent to release to Talent Point would be confirmed with the Individual as being held and the purpose thereof.
Is there any imbalance in who holds the power between the organisation and the individual?
No. Consent has historically been implied rather than formally obtained when Talent Point registers an Individual and formally obtained when Talent Point introduce them to a Business. Talent Point have never assumed power to process an Individual’s data without prior consent – either implied or stated – and have always immediately ceased to do so on receipt of request.
Could the processing be considered intrusive or inappropriate? In particular, could it be perceived as such by the individual or in the context of the relationship?
No, Talent Point does not undertake large scale data processing, data mining, profiling, disclosure to a large number of people or publication. The only instance we could see this happening is where an Individual receives an unusually high number of emails about potential positions in which they have no interest. In this instance Talent Point will be inviting them – on the same emails – to opt out of further communication should they wish to.
Is a fair processing notice provided to the individual, if so, how? Are they sufficiently clear and up front regarding the purposes of the processing?
Yes, our process is explained as part of a verbal screening call, reinforced with a privacy policy that links to this assessment and data is only put to Third Parties with consent from the individual.
For historic Individuals registered to participate in the Hiring Communication service and for whom it is believed Talent Point can add significant career value, notification will be send in line with stage 2 of those outlined above – a privacy policy stating that we hold name and contact details for the purposes of assisting them in growing their career by contacting them in regard to specific opportunities.
Can the individual, whose data is being processed, control the processing activity or object to it easily?
Yes, individuals can decide to opt-out of the Hiring Communication service or any element of it by: not going through the registration process, requesting for their record to be deleted at any time, limiting the methods by and timeframe within which Talent Point can contact them, and refusing permission to have their data passed to a Third Party to be considered for a position.
Can the scope of the processing be modified to reduce/mitigate any underlying privacy risks or harms?
Talent Point does not maintain any data it does not make full use of and limits the amount of non-publicly available data it provides to Third Parties by thoroughly screening Applicants and releasing data to Businesses only with their explicit consent. This is usually only for three individuals per vacancy so rarely more than 20 Individual’s data will be released to Businesses daily and this is only name and contact details.
No other Third Parties receive data from Talent Point.
From the point of view of data breaches, Talent Point have taken steps to implement cyber security through the firm IntraLAN and have a clear policy on preventing and reporting breaches to limit any impact on Individuals.
Given we hold only name and contact details for the vast majority of Individuals the impact of a breach is relatively low.
Safeguards and Compensating Controls
The below table highlights the efforts undertaken by Talent Point to uphold each of the rights outlined in the General Data Protection Regulation.
Right | Safeguards & Controls |
Right to be informed | Talent Point’s privacy policy for Individuals is displaying on their website. This policy clearly outlines what data is collected, how long the information is retained for, and what the information is used for. At each stage of contact with Talent Point, Individuals are routinely kept informed in regard to any data processed and the consent to do so is sought. |
Right of access | The Talent Point team are trained on how to handle a request for data and the relevant processes are documented. |
Right to rectification | The Talent Point team are trained on how to update data on our systems and the relevant processes are documented. |
Right to erasure | The Talent Point team are trained on how to handle a request for deletion and the relevant processes are documented. |
Right to restrict processing | Individuals need to grant permission for data to be shared with specified Third Parties. All email contact contains opt-out functionality so Individuals can restrict contact at any time. |
Right to data portability | Not applicable under Legitimate Interests as Lawful basis for processing |
Right to object | Talent Point’s CRM system includes Consent Management capability to ensure applicants can modify the methods of communication including opting out of marketing communication. All marketing communication contains an opt out option that updates the preferences in the CRM system. |
Rights in relation to automated decision making and profiling | Talent Point does not undertake automated decision making or profiling. |
Talent Point is proactively identifying and mitigating the possibility of unwarranted harm or distress to individual’s through a risk management process. As this is an ever-evolving operation, please contact us:
Technical safeguards already put in place to minimise the likelihood of a breach leading to unwarranted harm or distress are:
- Increased cyber security tools such as web-site categorisation preventing access to potentially harmful sites that could make data susceptible to hacking and anti-ransomware
- Anti-ransomware software to prevent against ransomware attacks that could hold data hostage and lead to a loss of data control.
- PII data scan to assist in the identification of personal data to ensure the appropriate level of care is taken in managing it.
- Removal of individual administrator rights to prevent the downloading of harmful files or applications by users.
- Encryption so in the event of a breach, the likelihood of harm to the individual is greatly reduced, as the information is protected.
- Folder permissions limiting who within Talent Point has access to data.
- Disabling the use of external removeable devices to control where data can be moved and stored.
- Disabling the ability to move files outside of the remote access environment to put a boundary on where data can be located.
- Cybersecurity training for entire team to guard against providing opportunities for hackers to gain access to the database.
Policy decisions made to minimise the likelihood of unwarranted harm or distress are:
- Talent Point do not collect or hold Special Category data such as ethnicity or sexual orientation
- Talent Point collect data in a staged, need to know manner to minimise the quantity of data collected and held
Reaching a Decision and Documenting the Outcome
Both the individuals whose data is being processed and Talent Point have a mutually beneficial interest in Talent Point holding the information in question. The Individual benefits from:
- Access to positions at highly desirable technology employers which Talent Point are the only gateway to employment with.
- Discussions and guidance regarding the direction of their careers and what professional goals they wish to accomplish.
- CV and interview coaching enabling them to present their skills and experiences in the most appealing format for each role.
- Contact from Talent Point when roles suitable to their skills and experience are identified.
- Passive access to positions. Most Individuals are not engaged in active job searches but research shows they are typically open to opportunities regardless of this. Passive contact from Talent Point allows them to remain exposed to a small number of relevant positions with Businesses.
Talent Point benefits from:
- Being able to use a broad pool of Market Information to inform the hiring decisions taken by Businesses and thus increase the number of suitable, clearly-documented vacancies that exist for Individuals.
- Access to of high quality, carefully vetted Individuals to that are engaged in active and passive job searches and are likely to prove suitable as employees or service providers for Businesses.
Based on the alignment of interests between Individuals and Talent Point and factoring in the efforts on Talent Point’s part to minimise and prevent harm or any negative impact, it can be concluded there is a legitimate interest for certain Individuals Talent Point has historically registered as job seekers.