Dough! Jobs microsite for UK's data watchdog set hundreds of cookies without visitors' consent

A strong grasp of data privacy is key for anyone wanting a job at the UK's Information Commissioner's Office (ICO), according to the blurb on its microsite. Just one catch: the site itself enables hundreds of cookies – seemingly without consent. The gaffe was first spotted by a Reg reader who told us he'd never seen so much …

  1. Doctor Syntax Silver badge

    "We expect to deploy a new solution in the coming weeks which will address your concerns"

    Translation: GDPR took us so completely by surprise that it's taken us a good 18 months to react to it.

    1. Anonymous Coward

      Wrong, I think it's more along the lines of -- thanks for pointing out that this forgotten site, that we update regularly, was out of compliance with the regulations that the site, itself, displayed.

    2. big_D Silver badge

      Sounds like the IT bods from ICANN have found a new position...

    3. Anonymous Coward


      By "solution", I assume they mean some wanky so-called "consent" form, that probably actually won't work "properly" unless you permit third-party scripts and cookies (and which will still phone home to all of those third party sites: all that these lousy forms do, if they work at all, is tell the third-party spyware sites to "disregard" the information that they harvest about your id; I am sure that they are still collecting the information, regardless (I very much doubt that the tracking companies will actually have amended their back-end systems to not collect the data for that particular id as the tracking script gets called, as that would involve actual significant work on their part - far easier for them just to add an "ignore_me" field to their database instead?)).

      That's not the solution. The solution is not to have any third-party spyware on the site in the first place.

      It's a job application site: applicants will be submitting their CV or similar information, which contains a lot of personal data, much of which is also fairly confidential.

      We know that sites such as Facebook start to analyse what you type, actually as you type: how can we possibly trust that any of the adware/spyware scripts running on the job application site are not only merely tracking your presence at a particular URI, but are also doing exactly the same thing ("to improve the relevancy of your advertising experience")? (It really would not surprise me if it turned out that Google Analytics scripts, and similar, also tap keyboard input in this way, too: has anyone ever audited those scripts to check what they really do?)

      The only organisation who should know the details of what job applicants are uploading or typing into the website should be the ICO. It's bad enough that they are using a sleazy "recruitment agency" (is there actually any other sort?) to process applications.

  2. JimmyPage Silver badge

    Recruitment agency turns out to be clueless.

    Why is this even news ?

    Is El Reg going to start stories on the sun setting later today ? And rising tomorrow ?

    1. Captain Scarlet

      Re: Recruitment agency turns out to be clueless.

      Well because the ICO of all people obviously haven't checked their suppliers and this micro site is obviously linked from the ICO site.

      1. Anonymous Coward

        Re: ICO of all people obviously haven't checked their suppliers

        Given their overall effectiveness is worse than a chocolate fireguard, I wasn't at all surprised either.

        The day someone whose data has been spaffed gets a penny recompense, is the day I'll take the ICO as seriously as they fail to take themselves.

        In the meantime, we all know that "data security" is a joke for the UK. Much like the Swiss navy.

    2. Blockchain commentard

      Re: Recruitment agency turns out to be clueless.

      WTF? The sun's setting tonight? I've got stuff planned. Dammit.

  3. steviebuk Silver badge

    Given up with the ICO

    Unless it's a big player and gets in the news they don't want to know. Instead, when you report companies they point you in the direction of the company you're reporting on, telling you to speak to them first.

    But they are fucking ignoring reports hence going to the fucking ICO. After a few reports like that, I gave up reporting.

    1. Alan Brown Silver badge

      Re: Given up with the ICO

      The "Japanese solution" then.

      Meaning that back in the 1990s, we found the only way to get Japanese companies to secure their networks was to hand the details to Japanese media, who would happily mug the high ranking directors on national TV.

      Contacting regulators or the admins would result in utter silence, or being blocked entirely.

      There's enough media interest in GDPR breaching that ongoing public naming/shaming wouldn't go amiss - and the repeated opportunities for the ICO to avoid being interviewed would be telling all by itself.

  4. katrinab Silver badge

    Reduction in advertising cookies?

    Why do they need any advertising cookies?

    Cookies that tell the site that I was the person who completed the previous page of the application form, I have no problems with that, and neither does the GDPR.

    Cookies that let advertisers send ads along the lines of "I see you are looking for a job. Would you like to apply for a job as a money transfer agent laundering money for a phishing gang?" They can go in the hazardous waste bin.

    1. Anonymous Coward Silver badge

      Re: Reduction in advertising cookies?

      Adverts on the job-finding site already know that piece of information and don't need cookies for it.

      Adverts that those same advertisers plaster* over OTHER sites saying "I see you recently looked for a job, perhaps this pyramid scheme would interest you" can bugger off.

      *with the consent of the site-owner.

  5. Luke Worm

    It's not _that_ bad, according to this test

  6. IT Hack


    Really? Who the fuck uses Hays for a tech project?

  7. Korev Silver badge


    Isn't it D'oh! - unless Homer has started baking his own bread...

  8. SVV

    Dumb, dumb, dumb

    When I use recruitment agencies, I expect my information to be handled with the utmost respect for confidentiality and privacy (don't laugh, I need to say this to develop my argument - and there are a few good recruiters). If that's done then the company can potentially get a decent commission as a reward for a professional job. What in the name of all that's clueless were they thinking, deciding to use 100s of privacy busting tracking cookies to rake in a few extra quid on the back of web traffic? Hays do a lot of IT recruitment, and IT people are wise to why this sort of shit is bad, and I don't think that the few extra quid is going to compensate for the potential loss of custom from IT clients who might decide to give them a miss after reading about this story.

    1. Doctor Syntax Silver badge

      Re: Dumb, dumb, dumb

      " What in the name of all that's clueless were they thinking"

      It's Hays. That probably negates your question.

  9. ashdav
    Big Brother

    Thinking laterally

    As this is a recruitment portal perhaps it was designed as a filter to sort the wheat from the chaff?

    Just saying.

  10. Anonymous Coward

    That is something the ICO is well aware of

    shame the coders aren't, eh? More likely, they're "only following the orders". So, the question is, who among their paymasters knowingly ignores the law? Or is it just I(n)COmpetent turtles all the way down?

    1. TwistedPsycho

      Re: That is something the ICO is well aware of

      Certainly from where I sit in a completely different industry; it appears that many corners of the bigger players work to an ethic of promoting people to the Peter Principle and then promote them one more time for luck.

      The problem is that with so many promotions, it is inevitable that there are also department moves, so a Head of Department has never done the job of either their management team or indeed of the rank and file troops.

      So it does not take long for their young Graduate who (albeit not all grads can be tarred with the same magnum of Champagne) to be edicting absolute crap in the name of "I run the department."

      Source: recently left one such department.

      1. AK565

        Re: That is something the ICO is well aware of

        This matches my experience. It often shows up in subtle ways. IMO, countless man-hours are lost by such things as having to explain to higher-ups that the weekly report can't be printed in color on the department's B&W printer.... And having to explain this to the same higher-ups every week.

        1. Alan Brown Silver badge

          Re: That is something the ICO is well aware of

          Just tell them you can fix it for six figures

  11. waldo kitty
    Black Helicopters

    What if...

    what if each and every cookie a site wanted to set required individual approving? users would soon stop using those sites and guess what? the site would suffer and soon realize their mistake... or would they?

  12. Mike 137 Silver badge

    This is called "negligence"

    Sorry to use technical terms, but this is generally called "negligence". Under the GDPR (and lots of other legislation) outsourcing does not absolve from compliance with the law. If your outsource provides you with an unlawful service or product and you accept and deploy it, you're liable just as much as if you'd created it yourself. However in my professional experience most businesses (and here even a regulator) seem to believe they don't have to verify the legality of the services they subcontract.

  13. gnarlymarley

    why do folks have their browser configured wrong???

    "I have just discovered that the Information Commissioner's Office jobs microsite, which talks about the importance of GDPR and Data Privacy, and which is currently advertising the new Director of Regulatory Strategy role, sets approximately 204 advertising and tracking cookies, all without consent."

    Does GDPR require people to set their browsers to "ask to accept a cookie"? Why do people insist that they have their browser "automatically accept cookies" when they are trying to force sites to ask? Clearly, sites are not always able to "ask for consent", so why are the browsers set to automatically accept? I have been seeing this setting in all my browsers for over two decades, so people saying they don't know about it is hogwash.

  14. W.S.Gosset Silver badge

    2 cookies? rather than 204?

    Ghostery reports 0 trackers, and Firefox reports only 2 cookies set by Hays.


    1/ Javascript is switched off (my default, via add-on "JavaScript Toggle On and Off")

    2/ I did not do a Before&After count of Total # of Cookies, so it may have set 3rdparty cookies

  15. Anonymous Coward

    ICO and Cookies

    Some time ago, the ICO website also had problems.

    But now they are not:

    They try to comply )
