Thursday, September 28, 2017

Mash Me A Spammer

Match Me A Job directors Irfan and Tahir

One thing my friends and family know for certain is that when they have issues with spam, data breaches or dodgy looking emails, they can always come to me for advice.

In some ways it's like being that member of the family who can "fix laptops" - something I've worked hard to disassociate myself from over the years. However, when I get spam myself I'm often a little puzzled, having taken numerous steps to avoid subscribing to, being implicitly opted in to, or otherwise engaging with spammers.

This particular case involves my use of Jobsite.co.uk - an online jobs board which seems to have struggled in the past with data protection (in comparison to platforms like Monster). I added my details as a contractor looking for work and regularly poke through the job listings for suitable contracts.

What I can reasonably expect from this - and according to the general terms and conditions of such boards - is that recruiters advertising live roles might grab my details and notify me of roles they have. They might store my details so that if that role doesn't suit, a future role they have might. That's all above board as far as I'm concerned.

This is important - these roles are live roles offered by the agencies on behalf of organisations. The distinction is that a jobs board provides the interface between candidate and agency (or directly from hiring organisations).

The standard (happy path) use of jobs boards looks something like this:

Normal jobs board process

The Washing Machine

Match Me A Job, however - and apparently the directors' other companies - do not fit into this paradigm. They scrape candidates' details from Jobsite.co.uk and then absorb them into their "client" database. This may possibly include the entire set of organisations related to the MMAJ directors. MMAJ are not yet approaching the same league as other idiots such as My Job Matcher - but they appear to be trying to make a quick buck in similar ways.

Interesting business model: Instead of marketing, getting exposure of your brand and working at improving the corporate identity through direct engagement... they're essentially scraping Jobsite's candidate database and using it to create a new jobs board / platform as a competitor. Easier to get private equity partners to buy your company with a much bigger candidate database...

Jobsite seemingly take little interest when companies like MMAJ and MJM that steal their candidate DB are reported to them. Normally they tell me that "they have no control over what the recruiters might do with your data", apparently unconcerned about someone creating a competitor to them from their own data. Monster, however, take a much dimmer view and have sanctioned people in the past for the same. As do the ICO.

Back to MMAJ.

They then use other jobs platforms - like jobg8.com - to match the candidate's keywords against the jobs on those platforms. Any results are then sent to the candidate. Note: these are not live roles offered by MMAJ or jobg8.com - they are offered by other recruitment agencies, and I'm not convinced that some of those agencies know their job ads are on jobg8.com a lot of the time. MMAJ don't actually have live roles, nor are they allowed to do this given the specific consent provided when I subscribed to Jobsite.co.uk.

The diagram below shows the flow of actual consent (c.f. data protection and marketing consent from a data subject - from people like us) in this situation:

The reality - everything outside of the primary Jobsite.co.uk platform in this case is unlawful

These emails are sent from fictitious MMAJ recruiters whose names are manufactured from a list. None of the replies I ever sent back to them ever received a response, and none of the filed accounts for the company reflect employing so many people (even on a contract basis).

In fact, when I sent various requests and notices to them via email I selected around 10 recipients plus their info@ and Irfan's email address - all but the info@ and Irfan's address returned "Recipient unknown" messages.

One might have expected that these unsolicited messages would actually be useful had all the roles actually been live - in fact all of them were expired by the time the links were sent. An example below shows a totally unrelated job role (I'm a Solutions / Enterprise / Business / Data Architect working mostly in the financial industry), from an agency who I've actually worked with in the past.

URL shows Jobg8.com and the mailshot shows MMAJ's logo. Link clicked within 10 minutes of receiving the email.

Example "job" link from MMAJ gets you something like this

If it's a bug, no-one could have reported it, as all the MMAJ 'staff' email addresses return "recipient unknown". I suspect no-one reported it and no-one wanted it.

By this time, though, your name, address, DoB, entire employment history and possibly other details (depending what you decide to share on your resume) are now in the hands of a string of organisations monetising said data. In fact, if I were being more cynical I might suggest that this is one of many data laundry enterprises, churning out data to be monetised.

When I was caught in this particular machine cycle I received over 100 emails in the space of a few weeks, all for roles that were almost completely unrelated and all unavailable.

After being the recipient of attempts to breach systems and data stores over the years I'm more inquisitive about emails from strangers that seem to know a lot about me.

Data Protection

MMAJ essentially refused to answer my SAR - the only time they actually attempted to fulfil it was after I lodged a case in the small claims court. That lack of response was a breach of the requirements of a DPA section 7 request / notice.

PECR paragraph 22 requires that an entity acquiring personal data for the purposes of direct email marketing must first acquire the explicit consent of the subject, prior to the sending of any unsolicited marketing messages (which a job alert is). Because I subscribed to a specific jobs board with the expectation of receiving messages from recruiters about their own live vacancies, no consent was in place for MMAJ.

Even the DPA requires explicit consent to acquire, store and process personal data (there are many sections in the Act to refer to), and MMAJ failed to acquire this consent for the purposes they actually enacted.

The regulator, the ICO, also enforces against non-compliance with registration as a data controller - two of the companies operated by the MMAJ directors are registered (ZA110541, ZA110536) but not MMAJ itself. One of my companies is a registered DC because of the personal data that is sometimes acquired during the course of investigation - I know from experience that regular information and update mailshots are available directly from the ICO, and you have the option to sign up when you first register as a controller.

A company who routinely scrapes, stores and shares personal data should certainly be registered. MMAJ's directors operate companies which had been registered for some time.

Any which way you want to spin that, the directors are responsible and aware of their obligations.

MMAJ's Position

Only in their filed defence did MMAJ reveal their process and essentially answer the SAR I sent:
  • They admitted scraping the personal data from jobsite.co.uk - although they claim it was for the purpose of "recruitment", not offering live job roles themselves; and despite effectively entering me into a subscription process which I had no say in until some time after the fact
  • They claimed I did not avail myself of the unsubscribe link; however, they didn't have consent as per PECR in the first place to send the emails with the links in them, nor is it best practice to click links in emails you've received from persons unknown
  • They claimed I'm not a genuine job seeker - which was amusing. In fact they claimed I'm a sadistic opportunist. As a contractor of nearly 20 years' experience I suppose some would consider me mercenary; I'm quite an aggressive racer when I compete in a kart too, but MMAJ clearly wanted to avoid the actual issues and enter into a mud-slinging competition
  • They ignored my emailed SARs and NBA for months but replied when the paperwork was served; yet claimed to be essentially pro-active in their response

There's always a case for reasonable exception - that's the whole point of a legitimate jobs board. What we should not have to stand for is being subscribed to services (and spammed as a result) which we do not want, nor were consulted about.

The entire defence seemed to be based around a total lack of the accountability which a company handling personal data should have. The law apparently doesn't apply to them - they're special.

B2C-style recruiters are the more typical business model, but the most concerning development of late is B2B recruiters. They're outsourced agency staff who may not even work inside the EU (therefore breaking the stringent data protection laws of the EU and UK). Agencies outsource their searches to other agencies, who presumably take a small percentage for candidates that eventually get a contract or role.

Corporate Entities

The companies related to the two directors of MMAJ, Irfan Lohiya and Tahir Islam, seem to exchange recommendations for each other and share infrastructure. Not unusual, and a good cost mitigation option.

Tahir's LinkedIn profile lists him as a case handler for Lloyds Bank, although he may just be a silent / investment partner. All correspondence relating to the litigation was signed by Irfan, who seems thick with links to recruitment - working for agencies as per his LinkedIn profile whilst running his own. Nothing really wrong with that, though.

Astoria Green Executive Search, Jobm8 (not jobg8.com), Total Jobs, Green Recruitment Solutions, Top Resourcing, Proficient Outsourcing Ltd and MMAJ are the companies one or both directors own / operate - only Jobm8 and MMAJ are nominally shared.

That's a lot of very small companies - the question mark for me is: if MMAJ has my data, who else does? With idiots like MMAJ you shouldn't rule anything out.

Summary

In the end I had an issue with the postal deliveries, meaning I missed a lot of paperwork relating to the case. I couldn't therefore press the claim home, and the last I'd heard MMAJ refused to engage in mediation pre-trial. It's a shame because I'd created a retrospective data consent agreement and wanted to see it enforced at district level. Of course, there's no guarantee, but I could easily disprove each statement of the defence - some of them using their own evidence.

The amount of time you have to spend on these things is immense - unless you're a lawyer being paid to write and argue the case there's virtually no financial benefit to it. What I do for a living is investigate (in other fields) - that's where the commonality is for me, and the regulator is often swamped with other cases from local government.

But also because there are so few - if any - people actually raising awareness of the growing problem in data protection.

It took direct legal action to force MMAJ just to answer my SAR, and even then it was without any acceptance that they'd actually broken the law. If someone holds their hands up and says, "Ok - yeah. We were wrong - really sorry and it won't happen again", it's generally a reasonable situation which needs no further prodding.

In May 2018 the British equivalent of GDPR comes into force, with additional weighting in favour of explicit, data-subject-enacted consent; the types of activity MMAJ admitted to (or were observed enacting in cases where they denied it) would net them massive fines and potentially criminal convictions. Had I engaged the ICO over the matter they could have invoked their powers within the law to review criminal prosecution against MMAJ (if they'd had the time amongst their already mountainous case loads).

I've worked with a lot of recruiters over the last 20 years and there are some real diamonds out there. Recalling past conversations with recruiters I've known for years, as well as new firms who made a silly mistake with their data handling - all it takes is a five-minute phone call to resolve. However, there are also some real used car salesmen holding the reputation of the industry back.

There's so many of them though.