When you’re in human resources, a report sourced from a background check company is just one element of the large amount of personal data you’ll end up collecting on a new member of staff. Ensuring this data is stored correctly and in a GDPR-compliant way will be an important part of what you do.
But how would you have reacted to this scenario, reported in the media this week by outlets such as the BBC, in which a researcher duped one in four companies into revealing information to a woman’s partner? The researcher, who is an expert in privacy and security, wanted to test how a number of US and UK firms reacted to a ‘right of access’ data request, a provision of EU privacy law, made on behalf of another person.
University of Oxford-based researcher James Pavur made the requests for information on his actual partner and, by contacting a number of companies, was able to uncover an interesting range of information.
He explained that large companies, especially those in tech, managed to pass the test easily, as they had the staff and expert knowledge to handle such requests. Small businesses, he says, largely did not respond to the request, which, while not necessarily compliant, also meant that sensitive data was not revealed.
However, it was the middle-sized businesses, which knew about GDPR but did not have the expertise to handle requests, that ultimately failed the most.
He also revealed that he was able to uncover information such as the number of stays his partner had made at a hotel chain and the journeys she had taken with a train company, as well as the likes of her high school grades, mother’s maiden name and results of a criminal background check, all of which could have been used in a way damaging to the person in question.
Only trust an outsourced screening provider that operates to the highest standards: ISO27001, 9001 and BS10012 (Personal Information Management Systems). Talk to Agenda Screening for a screening service you can trust.