Recommendations sent to Department for Business, Energy and Industrial Strategy (BEIS), Recruitment & Employment Confederation and APSCo for protection of contractors.
As each of your organisations has a mandate to protect the interests of contractors in the UK, I urge
you either collectively or individually to take immediate action that will reduce the number of
contractors employed by FCSA umbrellas to mitigate against the undeniable heightened risks of:
• Their personal data being stolen and abused by cyber criminals.
• Not being paid properly or at all.
My genuine sympathy goes out to the FCSA businesses that have been hacked and I do fully
understand that any business can fall victim to a successful attack, but the best interests of hundreds
of thousands of contractors must be the priority for all of you. I doubt that any of you would risk your
personal data being held by an FCSA umbrella, so why should any contractor have to?
There can be no doubt that, for reasons as yet unknown, cyber criminals are intentionally targeting
FCSA umbrellas. When factoring in that it is FCSA umbrellas that are also falling victim to cloning
attacks, you must assume at this stage that successful attacks will continue.
As your organisations do have the ability to control and influence how employment businesses
operate or face your sanctions, my recommendations are that each of you immediately instruct that:
• Subject to standard due diligence, contractors have complete freedom of choice in deciding
which umbrella employs them (including an FCSA one if they independently choose it).
• FCSA umbrellas are removed from all PSLs.
• FCSA umbrellas can no longer be mandated.
• FCSA umbrellas, including those that choose to leave the FCSA, cannot be promoted or
recommended in any way to circumvent the above.
• As the FCSA Code of Conduct does not include any requirements to protect against
cybercrime despite the successful attack on Giant last year, an FCSA award cannot be used
to demonstrate that an award holding umbrella is compliant.
• To resume any business relationship, FCSA umbrellas, including those that choose to leave
the FCSA, must achieve ISO 27001 as evidence that they have cyber and data security
protections in place.
I appreciate that on first reading my above suggestions might appear harsh, but:
• The only way to stop more contractors being exposed to the above risks is to reduce the
number employed by FCSA umbrellas.
• Save for those agencies receiving kick-backs from FCSA umbrellas, no employment business
that is genuinely committed to only acting in the best interests of their candidates will object.
• Now clearly fixed with the knowledge of more recent events, no employment business will
want to be exposed to the consequences of an ICO investigation for recklessly introducing
candidates to an FCSA umbrella if data is stolen.
• Whilst seemingly extreme, agencies must remain mindful of their GDPR responsibilities.
• Contractors that are currently employed by FCSA umbrellas can remain in that employment if
that is their personal independent choice.
• FCSA umbrellas will have a clear route to re-enter the market once ISO 27001 has been
As will all contractors that are at risk, I await your urgent public confirmation that you will be
immediately acting upon the recommendations.