IT contractor guide to data protection – part 2
Now that you know your key data protection responsibilities when handling client data, it is only fair to explore your own rights as an IT contractor when it comes to others demanding, handling and sharing your personal information, writes Olivia Whitcroft, solicitor and principal at information law specialist OBEP.
Where do you stand when agents request your CV and personal details for forwarding on to others and, similarly, what’s the legal position when a client or agent insists on a copy of your passport? So far in this series, we spelt out your potential responsibilities as an IT contractor under data protection laws. This article considers your rights in relation to the use of your personal data by other parties, such as your client, agent or umbrella company.
What are your rights?
Your rights in relation to the use of your personal data include:
- The right to be informed who is using your personal details, what details are being used, why they are being used and to whom they may be disclosed.
- The right to access a copy of the personal data being held about you. This means that you can make a request in writing to find out what records about you are held by your client, agent or umbrella company, and to obtain a copy. A fee of £10 may be charged and the other party has 40 days to provide the information.
- The right to require a party to stop using your personal data in such a way that is causing you unwarranted damage or distress. For example, if your name was being held on an inappropriate “blacklist” of people not to engage on IT projects.
What happens if the other party does not uphold your rights?
If a party does not uphold your rights, or otherwise misuses your data in breach of data protection requirements (for example, unfairly discloses your data to someone else), you have a number of options:
- Make a complaint to the regulatory authority (the Information Commissioner’s Office, “ICO”). The ICO will investigate the complaint and can require the relevant party to take steps to comply with data protection laws and uphold your rights.
- Apply to the court to enforce your rights.
- Seek compensation (through the courts) for damage suffered as a result of the breach, for example if you suffer direct financial loss from your details being unfairly disclosed.
Common concerns for IT contractors
- Should agents forward on your details to potential clients without asking you?
An agent should not pass on your details to clients or any other party without making you aware of the disclosure (except in very limited circumstances, e.g. a criminal investigation). In general, they should also obtain your permission to such disclosure.
To help ensure your details are used only to the extent you want, you should look to make your expectations clear to your agent when you sign up with them. For example, you may want your permission sought before any details are disclosed to anyone, or you may want to specify categories of potential clients to whom you are happy for certain details to be passed without contacting you first.
You should also read any terms or notices provided to you by your agency, which may contain information on how they use your details and when they may disclose them. The agents may be able to justify a disclosure without your specific consent in some circumstances - for example if it is required for tax purposes or to fulfil your contract for a particular job.
- Is your client/agent/umbrella company permitted to demand your passport, national insurance number or other private details you would rather not share?
Your client or agent should inform you why they need information they are requesting. If your client or agent asks for certain information and you are not sure why it is relevant or needed for the purposes of your work, you can question it.
The purpose of collecting information may not always seem directly relevant to the services you are performing (in the same way as, e.g., your name, contact details and bank details for payment are). Clients and agents are subject to obligations under other laws which may require them to hold certain information about you. For example, immigration laws require employers to retain evidence that employees have the right to work in the UK (although the rules are not the same for the self-employed) and this may be satisfied through holding a copy of employees’ passports. Tax requirements may necessitate the collection of your national insurance (“NI”) number. However, there are often alternatives to specific documents which could be considered (e.g. NI number and a birth certificate may suffice instead of a passport). The precise information required and any potential alternatives need to be assessed in the circumstances. Remember that your client/umbrella/agent should let you know why specific details are needed, so you will also have the opportunity to consider whether it is relevant and justified in the context.
In addition, your client or agent will have responsibilities to keep any information they hold about you secure from accidental disclosure or misuse (see the first article in this series for more details), and only to use it for the relevant purposes. This gives you some protection when disclosing your data and there are remedies available to you (see the earlier section) if it is misused.
Editor’s Note: This is the final article in a 2-part CUK guide for contractors, which provides a general overview of data protection issues. The guidance from OBEP in this article, and in part one, should not be relied upon as legal advice, particularly as it is provided without the context of any specific circumstances.