Article One: Secret Identities Should be Kept That Way

By expressHR

As a sector with people at its core, the recruitment industry is built on the foundations of personal data. Millions of names, addresses, ages and personal statistics are circulated in the recruitment space every day as part of normal operations, with little thought given to the implications of this.

Ironically, with growing legislation governing employment, the amount of personal information recruiters are required to hold is increasing. An applicant's identity needs to be verified and citizenship or immigration status proven with a passport, identity card or appropriate visa documentation. For some jobs involving work with vulnerable sections of the community, the results of criminal records checks are also stored. In some cases copies of key documents such as passports are even held as scanned images.

With nothing but a small number of personal details, someone with the wrong motivation can do any number of illegal or inappropriate things, from opening false bank accounts to maliciously releasing private information.

Data protection is generally not seen as the most interesting of subjects and is often assumed to be taken care of by the Data Protection Act. It is true that, for organisations that abide by the law, the Act stops personal details being distributed and reused for unrelated purposes. However, it does not in itself ensure that the IT systems used to store this data are safe from individuals wishing to gain malicious access to personal data. In fact the final of the '8 commandments' set out by the DPA holds the organisation possessing the data responsible for exactly this, stating: "Entities holding personal information are required to have adequate security measures in place. Those include technical measures and organisational measures." In practice, unfortunately, this is not always the case, and some IT systems leave personal data woefully exposed.

In fact, according to recent statistics from the Information Commissioner's Office, around half of all recruitment businesses in the UK are yet to take the appropriate steps and register as data controllers. Anyone who electronically holds personal data is legally obliged to register in this way, and the fact that so many have yet to do so shows a serious lack of knowledge or willingness.

With the majority of personal data stored electronically there are two specific threats: externally, from those with malicious intent, and internally, as a result of poor security practice and human error. The security of these systems is often underestimated and not well understood, and on the whole the buck stops with an overburdened IT department. Foolishly, many in the recruitment space simply assume that IT security is a given and have little idea of how, or even whom, to ask specific questions about what security measures are deployed.

Malicious attacks on IT systems storing personal data are a major worry and a risk that recruitment companies must face. This means making sure any system handling personal data is as secure as possible: using robust technology such as encryption, ensuring traffic between client and user systems is protected, and employing the range of security measures available to deny malicious code access to the company network.

One of the best ways of ensuring that IT systems are secure is an independent third-party audit. Companies like NTA Monitor (www.nta-monitor.com) will audit security systems to ensure they are at the high level required to handle this vast amount of precious data. Audit companies can also ensure that IT systems are compliant with exacting standards such as the Payment Card Industry Data Security Standard (PCI DSS). These standards make sure that systems storing personal data are as safe as possible from any IT security breach, going well beyond the guidelines set out by the DPA.

Aside from protecting against malicious breaches of the IT systems themselves, the first layer of any IT security is to ensure that access controls are as rigorous as possible. This means ensuring that anyone wishing to access this kind of personal data must first be verified by username and password. It may sound simple, but effective password control is the best way of protecting against the human risk to personal data. The most up-to-date firewalls and intrusion detection systems in the world become completely useless if passwords are written down, are too simplistic (the most common password is actually the word password, followed by 123456, then qwerty) or are simply given out to all and sundry. This is the equivalent of leaving your house key under the doormat and telling everyone down the pub where it is.

Companies in the recruitment sector have to ensure that a good password policy is in place and enforced to minimise risk. Simple things like educating people against sharing passwords, ensuring passwords are changed at regular intervals, requiring alphanumeric passwords and blocking users after a set number of failed attempts all go a long way towards solving this password problem.
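The policy points above (rejecting the most common passwords, requiring a mix of letters and digits, rotating passwords at an interval, and locking an account after a set number of failed attempts) can all be enforced in code at the login boundary. The following is an added example written for this article, not expressHR's software or any product it describes. The blocklist holds only the three passwords the article names, and the thresholds (`MIN_LENGTH`, `MAX_FAILED_ATTEMPTS`, `LOCKOUT_SECONDS`, `MAX_PASSWORD_AGE_SECONDS`) are assumed values chosen for illustration; a real deployment would use a much larger blocklist and its own policy numbers.

```python
"""Password policy checks and failed-login lockout (added example).

Not expressHR's code. All thresholds below are assumed policy values.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# The three passwords the article names as most common. A production
# blocklist would be far larger; this small set is constructed for the example.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty"})

MIN_LENGTH = 10                              # assumed policy value
MAX_FAILED_ATTEMPTS = 5                      # assumed policy value
LOCKOUT_SECONDS = 15 * 60                    # assumed policy value
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600    # assumed rotation interval


def password_policy_violations(password: str) -> List[str]:
    """Return the reasons a candidate password is rejected; empty means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        problems.append("must mix letters and digits")
    return problems


def password_expired(set_at: float, now: float) -> bool:
    """True when the password was set longer ago than the rotation interval."""
    return now - set_at > MAX_PASSWORD_AGE_SECONDS


@dataclass
class LoginGuard:
    """Counts failed logins per user and locks the account after too many.

    The clock is injectable so the lockout window can be tested without sleeping.
    """
    clock: Callable[[], float] = time.time
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, username: str) -> bool:
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout has expired: clear state so the user gets a fresh allowance.
            del self.locked_until[username]
            self.failures.pop(username, None)
            return False
        return True

    def record_failure(self, username: str) -> bool:
        """Count one failed attempt; return True if the account is now locked."""
        if self.is_locked(username):
            return True
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[username] = self.clock() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, username: str) -> None:
        """A successful login resets the failure counter."""
        self.failures.pop(username, None)


def attempt_login(guard: LoginGuard, username: str, supplied: str,
                  verify: Callable[[str, str], bool]) -> str:
    """Gate a login through the lockout guard.

    `verify` is the caller's credential check (e.g. a password-hash comparison);
    this function only decides whether the attempt may proceed and records the
    outcome. Returns "locked", "denied" or "ok".
    """
    if guard.is_locked(username):
        return "locked"
    if verify(username, supplied):
        guard.record_success(username)
        return "ok"
    return "locked" if guard.record_failure(username) else "denied"


if __name__ == "__main__":
    # Constructed demonstration: the article's three common passwords are rejected,
    # and six wrong guesses against one account trip the lockout.
    for candidate in ("password", "123456", "qwerty", "Desk-Lamp-2024-xyz"):
        print(candidate, "->", password_policy_violations(candidate) or "OK")
    guard = LoginGuard()
    for _ in range(6):
        print(attempt_login(guard, "alice", "wrong-guess", lambda u, p: False))
```

The guard deliberately keeps the credential check separate from the lockout bookkeeping, so the same `LoginGuard` can sit in front of any authentication backend; the `is_locked` check runs before `verify` so a locked account is never even tested, which is what turns a lockout into a real brake on guessing rather than a cosmetic message.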

In addition to this, the mobile computing revolution has added another threat to the safety of personal data. With so many companies nowadays relying on PDAs, laptops and Blackberries, these devices pose an extra threat if they are lost or stolen. It is therefore imperative that they are protected. On-device security such as biometrics, password protection or USB keys can help stop anyone gaining access. IT departments can also issue a 'kill pill' to render missing devices useless.

By taking simple steps such as these, companies in the recruitment sector can make sure they are safeguarding their most valuable asset, as well as fully complying with the Data Protection Act. After all, if the sector is built entirely on people, then it is important to make sure that the trust of these people is maintained for the good of the recruitment market as a whole.

Paul Raine is Operations Director at expressHR. expressHR's products enable large organisations to manage multiple recruitment providers through a single interface and set of business processes, massively streamlining the complex administrative task of managing large volumes of temporary staff. It provides a complete end-to-end solution from creating a vacancy, through fulfilment and on-line timesheet entry, to billing and reporting.