
Has your timesheet platform changed without warning? Your personal data could be at risk

Nick Woodward, CEO ETZ Group: If data is transferred without proper authorisation or security, you could face risks from identity fraud and access by third parties.

By Nick Woodward, CEO ETZ Group


If you’re a contractor or freelancer, you may have logged into your timesheet or invoicing portal to find something’s changed: a new logo, a different layout, or a request to re-register your account.

But did your recruitment agency or umbrella company tell you that your personal data — your name, address, bank details, NI number, invoices, and payment history — was moved to another system?

If not, your information may have been transferred without your knowledge or consent, potentially breaching the UK GDPR, Data Protection Act 2018, and even criminal law.

What happens behind the scenes

Every agency or umbrella business that collects your data acts as a data controller.

The timesheet or payroll platform they use — ETZ, Bullhorn, Mercury, and others — is the data processor.

When controllers switch platforms, copies of your records are exported and uploaded elsewhere.

Many fail to tell you — the data subject — that this has happened.

Your agency’s legal obligations to you

Under Articles 13 and 14 UK GDPR, you have the right to be informed:

  • Who processes your data
  • Where it’s stored
  • Why and how it’s used

When an agency changes suppliers, it must:

  • Notify you of the new processor
  • Update its privacy policy and contracts
  • Ensure transfers are secure and lawful
  • Prove your data wasn’t accessed or altered unlawfully

They can’t simply move your data and hope you won’t notice.

Why it matters

Timesheet systems hold highly sensitive information.

If data is transferred without proper authorisation or security, you could face:

  • Identity theft or fraud
  • Unauthorised access by third parties
  • Loss of payment records
  • Misuse of personal data

Under s. 170 Data Protection Act 2018 and s. 1 Computer Misuse Act 1990, it’s even a criminal offence to obtain or disclose personal data without authorisation.

Recruiters must be transparent about the use and transfer of contractor data — contractors must hold them to it

Recruiters often say system changes are “just IT upgrades.”

But every exported record is still your personal data.

Your recruiter must ensure the transfer:

  • Follows a documented Data Processing Agreement
  • Is auditable and secure
  • Is clearly explained to you

If they fail, they — not the platform — are legally liable.

Have you been moved without notice?

If your timesheet or invoicing system has changed and you weren’t told, ask:

  • Why was the platform changed?
  • Who now stores and processes my data?
  • Was the transfer reviewed by a Data Protection Officer?
  • Where is my data hosted — UK or overseas?
  • Has it been shared with third parties?

If answers aren’t clear, raise a Subject Access Request or contact the ICO.

Why transparency matters

Recruitment tech is evolving fast.

AI-matching, automated payroll, and global contractor systems mean data is constantly moving.

Transparency isn’t optional; it’s the foundation of trust.

Too often, agencies treat a platform migration as an IT project, not a legal one.

Controllers forget that every exported record is personal data — not just a file transfer. Transparency, written authorisation, and full auditability aren’t optional; they’re the foundation of trust in recruitment tech.

Ana Brooks, Co-Director of ETZ Group

Editor’s Note: About ETZ’s Compliance Framework

ETZ operates a GDPR-aligned processing model with ISO 27001-influenced controls, including:

  • Documented controller instructions for all exports and migrations
  • Role-based access and anomaly detection on data downloads
  • Encrypted transfers and tamper-evident audit logs
  • Rapid incident reporting and controller notifications under Articles 33–34

These safeguards protect contractor data and ensure transparency when agencies change systems.


🗣️ Join the discussion

Have you had your timesheet or invoicing platform changed without warning?

Were you told how your personal data was transferred?

Share your experience with Freelance Informer — in the comments or anonymously if you prefer — at editor@buzzvestor.com.

Your story could help shine a light on data transparency in the recruitment industry and push agencies to raise their standards.
