At the end of August, Hays, the second-largest staffing company in the U.K., accidentally revealed the pay rates of 3,000 contractors working for one of its largest clients, the Royal Bank of Scotland (RBS). The disclosure has had implications beyond the narrow confines of the contingent labor market.
The story is enough to send a cold chill down the spine of anyone who’s hit the ‘send’ button prematurely. The accidental exposure happened when the staffing agency sent an email reminder to its client’s line managers to fill in time sheets so that invoices and payments could be prepared in time considering an upcoming bank holiday. The fact that contractor pay rates were appended to the email was more than just a little unfortunate.
The incident was made far worse given that:
- RBS, one of the banks brought under state ownership during the recent financial crisis, is 84 percent owned by British taxpayers.
- RBS had been shedding thousands of permanent staff in order to cut costs (28,000 jobs lost since the credit crunch).
- The contractors in question were highly specialized professionals earning very high rates (up to £2,000 per day (US$3,180).
- RBS has previously been the subject of criticism for the high wages and bonuses it has paid to its senior employees so pay is a rather sensitive subject.
- The email was sent to 800 of the bank’s permanent employees.
The temporary staff involved were said to work in divisions ranging from human resources to risk management, while the highest-earning contractors had specialist accounting, financial and IT expertise.
RBS commented, "We are extremely disappointed that confidential personnel data has been shared by one of our suppliers. This is unacceptable and we are taking action to address this issue." Not surprisingly, the bank also pointed out that it will review its relationship with Hays. No doubt it will carefully review its terms of business, especially in relation to data protection, confidentiality and financial indemnities.
There may be other repercussions for Hays as well. Until last year, significant breaches of personal data under U.K. law would have resulted in a maximum fine of just £5,000. However, since April 2010, the Information Commissioner's Office (ICO) has the power to impose a penalty of up to £500,000.
In addition to potential financial penalties from the authorities, the contractors whose pay was disclosed may also be checking their temporary contracts and considering their legal options.
It seems just about everyone has a right to be angry about this; the bank, its employees and ex-employees, the unions and politicians, the contractors, the tax-payer and no doubt the senior management at Hays are upset about it as well. In fact, most headlines regarding the incident included the word ‘anger’.
“Many longstanding bank employees will be nonplussed at the large number of consultants at RBS because, while they're expensive on a daily basis, they're (also) clearly substitutes for full-time employees,” said Chris Leslie, Shadow Treasury minister.
Unions also reacted with anger to the high pay rates received by RBS contractors. "It is wholly inappropriate that RBS, backed by taxpayers, appears to be throwing money at thousands of contractors,” said David Fleming, an officer of Unite. “Unite the union has serious concerns about the widespread use of highly paid staff on short-term contracts at a time when RBS continues to cut large numbers of staff."
Meanwhile, James Collings, deputy chair of the Professional Contractors Group, a trade association representing freelance workers, questioned the union’s understanding of the use of contractors. “Unite seems to have taken some of the confidential information from the leaked document and used this to attack both RBS and the UK’s 1.4 million freelance businesses. This attack displays a fundamental lack of understanding of the business relationship between contractors and their clients,” noting that contractors do not receive benefits given to employees.
The embarrassing error has damaged the reputations of both RBS and Hays. It is also a clear warning to anyone who supplies or buys contingent labor how a small human error can have far-reaching implications.
As a precaution, Paul Hanley, director, information protection and security at KPMG says recruitment firms should have controls in place, such as automated confirmation that a sender wishes to send an email or the ability to recall emails once a breach has been noticed. “Moreover,” Hanley says, “recruitment firms need to ensure that they restrict access to information to key people in the business, that people can't copy data on to external hard drive and even consider encrypting more sensitive information.”