News

Can recruiters continue sharing data with their umbrella providers?


8 minutes to read
Email us

As an umbrella company provider, we rely on recruitment agencies to share their candidates’ data with us and vice versa. It’s all part of how we work together to support the contractors and each other.

If you’re a recruiter, you might be wondering if it’s okay to keep sharing data with your umbrella providers post-May 25th. The answer is yes! But it’s important to fully understand what you’re doing, why you’re doing it and to comply with all the relevant requirements of the GDPR while you do so.

Under the GDPR, companies must have a valid lawful basis to process personal data. There are six lawful bases that can be used, and businesses choose the most appropriate one for each situation. If no lawful basis applies, the processing cannot take place. The ICO explains this in more detail.

Remember, the term ‘processing’ covers anything that a business does with an individual’s data. Broadly, it means collecting, using, disclosing, retaining or disposing of their personal data. So it definitely includes sharing information with a third party, including an umbrella company.

Below we cover some common areas of data sharing from a recruiter to an umbrella company and explain our thoughts on the most appropriate lawful basis that you could rely on in each instance.

Contact details for new candidates

When you meet a contractor who wants or needs to find an umbrella company, you might help them out by asking a trusted provider to get in touch with them. But hang on – is it okay to pass on their contact details? It is if you’ve identified the most appropriate lawful basis for doing so. Based on our own understanding of the law, we suggest you find the most suitable from this list:

  • Contract: you may consider that you have a contractual obligation to the candidate to get them set up for payroll as quickly as possible, and this is the only reasonable way of going about it. Remember, a contract doesn’t need to be in writing – it’s the promise you made about the service you’d provide to them. This lawful basis is most likely to apply to new candidates joining your agency, who don’t yet have payroll arrangements in place.
  • Legitimate interests: when you rely on legitimate interests, you take on extra responsibility for considering and protecting your candidates’ rights. Ask yourself – do you believe it’s in the interests of your candidate and/or your business to refer them to an umbrella provider? Is sharing the data necessary for achieving these interests? And most importantly – are these interests outweighed by the candidates’ interests, rights and freedoms? Your answer to the last question might depend on how much you trust the provider and what you know about how they’ll use the data (hint: check their privacy policy!). To make sure you’ve considered all of these questions fully, the ICO say that you must do a legitimate interests assessment (LIA) and keep it on record. We have a template you can use for this: download our LIA template
  • Consent: this means giving the individual a very clear and specific statement explaining which details you’re going to share and the names of the provider(s) you’re going to share them with. The candidate would have to take a positive action to confirm that they give you permission to do this – and you need to keep a record of it. This should be done separately from any other terms and conditions you’ve asked them to sign and shouldn’t be a precondition of using your service. Consent must be given freely and you must tell the candidate that they have the right to withdraw their consent if they change their mind. If you don’t feel that either contract or legitimate interests applies, consent is your only option.

At Key, we only accept a contractor’s details from you if they’ve specifically asked you to ask us to get in touch with them. We contact them only to respond to their enquiry and send the requested information. If they decide not to join or change their mind about speaking to us, we close the enquiry, delete their data and don’t ever send unsolicited marketing. This is to ensure the most positive experience for the candidate and to comply with the GDPR and Privacy and Electronic Communications Regulations.

New: we’ve updated our referral form to reinforce the process that candidates go through when they’re introduced to us by their recruiter and double check that you’ve spoken to them before passing their details on.

Passports and visas

All employers, including umbrella companies, have a responsibility to make sure that their employees are allowed to work in the UK. As part of these checks, an umbrella provider might ask you to share your file copy of a candidates’ ID and right-to-work documents. Can you go ahead and do it? Yes, if you believe that one of these lawful bases apply:

  • Third-party consent: ask your umbrella provider if they have obtained the candidate’s consent for you to pass a copy of their ID and visa to them. If they can demonstrate to you that they have – and you’re happy that the standard of consent is good enough to satisfy the GDPR – you can rely on it and feel comfortable sending the documents requested. Keep in mind that when the candidate gave consent, your organisation must have been specifically named. It’s not enough to use general descriptions like ‘recruitment agencies’. Third-party consent is the simplest approach from your perspective, if your providers are on board.
  • Legitimate interests: as always, when you rely on legitimate interests, you take on extra responsibility for considering and protecting your candidates’ rights. Ask yourself – do you believe it’s in the interests of your candidate and/or your business to send their documents to their potential employer? Is sharing the data necessary for achieving these interests? And most importantly – are these interests outweighed by the candidates’ interests, rights and freedoms? Consider factors such as whether the umbrella has asked the candidate for permission to request the documents from you, the strength of your relationship with them and whether your privacy policy explains that you might share data in this way. To make sure you’ve considered all of these questions fully, the ICO say that you should do a legitimate interests assessment (LIA) and keep it on record. We have a template you can use for this! Download our LIA template

At Key, we always ask the candidate for permission if we need to request a copy of their ID and right-to-work documents from you. We do this only at the point when they’ve made a decision to join Key Portfolio. From May 2018, where possible this will be GDPR-standard consent and we’ll confirm this to you any time that we request documents from you.

If you decide to send ID or right-to-work documents when you first introduce us to a candidate, we will check that you’ve got their permission to do so and we would then rely on legitimate interests for collecting and storing it prior to employment.

Payroll instructions

If your agency normally sends instructions to the umbrella telling them who to pay, how much and what for, this is a critical step in making sure your contractors are paid correctly and on time. We think there are a few lawful bases you could choose between for this data sharing:

  • Legitimate interests: once again, when you rely on legitimate interests, you take on extra responsibility for considering and protecting your candidates’ rights. Ask yourself – do you believe it’s in the interests of your candidate and/or your business to send payroll instructions to their employer so that they can get paid for the work they’ve completed? Is sharing the data necessary for achieving these interests? And most importantly – are these interests outweighed by the candidates’ interests, rights and freedoms? Since getting paid is so important and the candidate made the choice to join the umbrella company, it’s likely you’ll find that legitimate interests applies. However, to make sure you’ve considered all of the questions fully, the ICO say that you should do a legitimate interests assessment (LIA) and keep it on record. We have a template you can use for this! Download our LIA template
  • Contract: you may consider that you have a contractual obligation to the candidate to cooperate with their umbrella company in order to get them paid, and sharing payroll instructions is the only reasonable way of going about it. Remember, a contract doesn’t need to be in writing – it’s the promise you made about the service you’d provide to them.

You can learn more about how Key processes the data that you share with us in our privacy policy.

Please remember, all of this is just our opinion and it’s down to you to determine the most appropriate lawful basis for your own business. We recommend the ICO’s handy interactive tool, which helps you decide. Throughout this article we’ve summarised each lawful basis and outlined your responsibilities, but we suggest reading the ICO’s description of each lawful basis for official guidance.

We’re interested to hear your thoughts and what decisions you make around data-sharing with your umbrella providers. It could be useful to share ideas and challenges, so please do drop me an email to gary.smith@key.co.com if you want to arrange a chat.