What Is The Difference Between Personal Information and Confidential Information?
Updated: Jul 29, 2019
Excerpt from a catch-up with Lucy Ashenhurst, CEO of craftd.sg and Andre Low
Confidential Data and Personal Data
Confidential information can encompass a whole host of information, not all of which may be personal data.
An easy example of something that is confidential but not personal data is sensitive commercial or financial information that may be subject to contractual confidentiality obligations—e.g. a discounted rate that you have negotiated with a supplier for certain items, which they may not want to be common knowledge.
Personal data, on the other hand, is information that relates to natural persons who may be identified directly from the information, or indirectly from the information in combination with other information. This ranges from blindingly obvious examples like a passport number or name, to less overtly personal data like IP addresses or location data, which someone with the appropriate expertise would be able to use to identify an individual.
Crucially for recruiters and HR professionals, much of the data you may collect falls under the umbrella of “special category” data, which includes race, ethnicity, religion, health, political affiliation, sexual orientation, and membership of trade unions. This means you should be extra careful to only ever use the data for the purposes it was collected for, never share the data unnecessarily, and seek explicit consent for its collection and use wherever possible (with the data subject's express knowledge of the purpose for which the data is being collected). Last but not least, ensure that you delete the data at the earliest opportunity once its purpose has been served.
The Top 5 Things That HR Managers Should Be Aware Of
Every new candidate should be made aware of your agency’s intentions and purpose for storing their data. Allow them to understand and agree to your agency's data guidelines at the point of candidate registration - or at the point of application from your website into your database.
You either need candidate consent or must be able to demonstrate a legitimate interest before you can collect, store and use their data or pass this information to a third party (your clients).
You should always maintain a registry, and keep auditable proof, of all consents obtained from a data subject, including consents to the use and sharing of data and your candidates’ agreement to share their details with a third party.
Data minimisation is key. Ask only for the personal data that you need. You should not process irrelevant data (e.g. religious information) for recruiting purposes.
Any candidate can request to be forgotten or removed. Personal data should be deleted once the legitimate purpose for which it was collected is fulfilled.