Confused about GDPR? You aren't alone. With the technological revolution, the law has finally caught up in protecting people's personal data. This can cause headaches, especially in a job application scenario. Here I talk you through what Data Protection practically means for you when advertising a job.
GDPR has become a source of headaches for businesses in recent years, primarily the headache of not falling foul of it. To say the consequences can be severe would be an understatement. The Information Commissioner’s Office (ICO) has fined BA in excess of £20 million for data breaches affecting over 400,000 customers.
Data Protection has a wide scope of protection and encompasses a number of different issues. GDPR is vast and the “explanatory” notes on the ICO website are detailed but complex. One cannot possibly hope to cover them all in a single entry. The purpose of this article is to give general guidance on how not to fall foul of GDPR legislation in a job-application scenario. Specifically, four main issues will be covered:
The law requires you to have a privacy notice on the website that is clearly accessible and viewable at any time.
Does GDPR Apply to me?
More than likely if you are reading this article, yes. “Data Controllers” owe such obligations to “Data subjects”. A controller is defined as someone who requests access to an individual’s (or subject’s) personal data. If you are a business operating within the UK or the EU, you are bound by the legislation.
The scope of the legislation is broad. The obligations are still owed if you contract the processing of personal data out to a third party (a data “processor”). Furthermore, Brexit should not impact the legislation. There is a commitment to the principle of equivalence within the Political Declaration for data rights. Regardless of that, the European Legislation adopting GDPR specifies it applies to anyone “offering of goods or services… in the Union” or where the data collected is about EU citizens.
To put it briefly, the following obligations must be complied with the vast majority of the time. Even on the rare occasion where an exception might apply to you, it is good practice to follow data protection rights regardless.
What is Personal Data?
Personal data as defined in the legislation has two main categories. “Personal” and “Special” data. The legal implications of processing each type of data will be examined below.
Put simply, personal data is anything that “relates to” an “identified or identifiable individual” in the context in which it is presented. This definition is inherently vague, and what counts as “personal data” in one context might not in another. An individual is “identified” if they can be identified purely from the information in front of you. For example, a CV containing a name, address, email address and employment history is clearly information which identifies an individual: e.g. Joe Bloggs, 25 Market Street, XX1 00N, jbloggs@fake.com, currently a bus driver.
An “identifiable” individual has been defined by the Information Commissioner’s Office as one whom an interested and sufficiently determined person could identify by finding additional information. What if, for example, as part of the job application process, you ask applicants to send in “blind” CVs and you replace the names with an anonymous data code kept only by one manager? Even then, a determined individual with access to the email address, home address and employment history could indirectly identify the CV subject as Joe Bloggs.
The significance is more than academic. Under GDPR, any subject has the right to make a Data Subject Access Request (DSAR), in response to which you must reveal all the information the subject has requested within one month. But what do you have to reveal? In Daniel Barnett’s rather excellent podcast on employment law, Emma Erskine-Fox stated she believed that for something to be “related” to an identified or identifiable individual, the data in question must be of biographical significance or an opinion of the individual. For example, your detailed notes on the candidate would constitute personal data to be released; however, the office sign-in form where the subject had merely written her initials would not.
Below is a list of what might be considered personal data in a job application process, but do not treat it as exhaustive.
My best advice would be that if you are taking information from the applicant, or are noting information about the applicant, it is best to treat it all as “personal information”. If a DSAR is made then you will need to be able to present information to the data subject relatively quickly, so it is worth treating all the information with respect. Furthermore, the ICO is unlikely to buy the excuse “we did not realise this was personal data”.
Am I allowed to handle the data?
To handle “normal” personal data you need a lawful basis. This lawful basis must be put clearly in your data privacy policy. The lawful bases provided for in GDPR are:
You are only allowed to rely on one lawful basis. ICO and tribunals do not look favourably on switching the lawful basis for handling data. The reason should be stated clearly in the data privacy notice given to the applicant.
But which lawful basis applies in a job application situation? It cannot be (4), as processing the data is not in someone’s “vital interest” of protecting their life or property. Nor is it (5), as the data collection is not in the public interest. While it might be (3), only minimal data would need to be taken to fulfil legal obligations. Furthermore, as you do not yet have a contract with the subject, it cannot possibly be (2).
You might be tempted to rely on (1) – Consent. After all, the data subject has handed her CV, telephone number etc, over to you of her own accord, therefore she must have “consented” to the processing of her data.
While this is true in the English sense of consent, it does not match the legal test for consent under Data Protection legislation. Consent in this case must be absolutely freely given: the legislation puts this in no subtle terms. The ICO notes that if giving over of personal data is a precondition to contract, it is unlikely to constitute valid consent. You must be able to offer the subject real choice. This is not so in a job scenario situation: the applicant must agree or be denied the opportunity. This is not a real choice and therefore consent would be invalid.
Even if you could rely on consent, I would advise against it. Article 7(3) GDPR gives data subjects the right to withdraw consent “at any time” without question. This could cause a number of issues. If you did end up hiring the employee, then she would have the ability to withdraw your access to her personal data. This may cause issues when it comes to PAYE for example.
The better view is to rely on (6) Legitimate Interest of the data controller. The ICO recommends a three-stage test to assess the lawfulness of the purpose:
(1) Purpose Test: have I got a legitimate interest?
In most job application scenarios this will be the case. The controller (you) is processing the data for the purpose of deciding whether to employ an individual. Both of you will benefit from this: the applicant may gain work and the employer will gain the best possible person for the job. If you could not go ahead with processing the data then you would be unable to decide effectively whether to contract with the individual.
This reasoning would apply to most data collected in the ordinary scope of an employment application, ranging from CVs and contact information to candidate notes, provided it is actually used for those purposes.
(2) Necessity Test
Is what you are doing a targeted, reasonable and proportionate way of getting this job done? For example, you will need to contact the applicant about the outcome of the process. For this, you might collect a few different ways to contact him: mobile, email address and postal address for example. It would not be “necessary” for you to ask the candidate for his exact location at every point of every working day to ensure that he received the message. Nor would it be necessary to collect every member of his family’s and friends’ contact details “just in case”.
In a more serious example, in trying to recall how candidates performed and identify one from the other, you will need to take a note of their full name. However, it will probably not be necessary to process a photograph of the candidate as well, unless appearance goes to the core of the nature of the work e.g. modelling.
In short: make sure you are collecting as little data as possible. Before asking a candidate for data, think why this would come in useful. If it is unlikely to, do not collect it.
(3) Balancing the right of the individual v the interests of the employer
Would the individual’s interest in not having his data processed override the employer’s interest in processing the data? This is not a question of harm to the individual v right of the employer to know. That is one of many factors. The question must be whether the data that is collected is one the applicant would expect to be collected; could this data collection cause them harm?
Let me explain by analogy. A company recruiting a new truck driver would want to process information regarding the applicant’s driving history. This could have severe consequences for the applicant; if he disclosed multiple claims against him, it is unlikely an employer would give him the job. This is a great harm done to the subject. However, this does not mean the employer’s interest is overruled. Here, the employer’s interest is greater: the employer is legitimate in ensuring the quality of the members of staff he recruits. In other words, there is a clear justification for the employer’s action, despite the harm to the applicant.
A full(er) list of considerations an employer should ask herself before requiring information can be found on the Information Commissioner's Office website.
“Special Categories of Data”
Remember these? As a reminder, this is any information related to
With regard to i-iv, if you are planning on collecting this information, here is some advice: don’t. Collecting this information and using it as the basis of your decision whether or not to hire someone might form the basis of a discrimination claim. Deciding whether or not to hire someone based on their race, ethnicity, religion or philosophy is explicitly protected against under the Equality Act. Furthermore, employers are not entitled to prescribe trade union membership, or non-membership, as a condition of employment. Collecting this data, either as notes in interview or by directly asking the candidate for it, should be avoided unless specific exemptions apply.
You might want to collect an Equal Opportunities questionnaire for your own information. In order to ensure collecting this data is not in breach of GDPR, you should do the following.
Criminal data and genetic data are different: there might be some legitimate scope for processing them. As these are “sensitive” data issues, you need an additional lawful basis for processing the data. The situations are limited and will consist of three issues:
What do I have to do in Handling the Personal Data?
In handling data, you must conform to the 7 principles of GDPR:
1) Data should be processed lawfully, fairly and in a transparent manner. The subject should be aware of why the data is being collected and who it is being shown to. Have you explained the rights of the data subject to them? This should be communicated in the privacy policy on your website.
2) Data should be collected for specified, explicit and legitimate purposes as explained above, but it should only be used for those specified purposes. For example, the Ministry of Defence ran an army recruitment campaign. They used photographs of genuine members of the armed forces. Guardsman Stephen McWhirter’s image was used on a photo with the term “Snowflakes” in bright red letters above it. He contends that he was not informed of how his photograph would be used.
Now I am giving no opinion on the situation. The Ministry of Defence contend that all volunteers were aware of how their photograph would be used. However, this kind of situation would be best avoided. Collecting contact information as part of the recruitment application and then contacting the applicant via text message asking them to go for a drink would be another example. The data controller would have broken the legitimate purpose for why they were using the subject’s data.
3) Data minimisation: do not go beyond what is relevant or necessary for that particular purpose. You should perform a Data Protection Impact Assessment: go through what information you might use and why. Do not collect information “just in case”.
4) The data must be accurate for the purpose for which it is held: you must ensure your records are up to date. Decisions taken on incorrect data might give rise to a data protection claim. Accordingly, the data subject has the right to correct any data held by a controller.
The best way to ensure this is to do applications through an online “portal”. That way, it is the responsibility of the data subject to ensure that their information is correct. You must make this clear in your data privacy policy.
5) Only keep data as long as necessary. Just because some data might not be needed in the future, does not mean all of it is irrelevant. For example, if an employee leaves an organisation their payment details will need to be retained for tax purposes, but not necessarily their contact information. All unneeded information should be deleted or anonymised.
What if you have a candidate who, while being excellent, you could not offer a position at the present time? You should obtain clear and explicit consent to retain the data for the purposes of looking for alternative employment, but this would not be justifiable in perpetuity. There must be a limited time period for which this can apply.
6) Data must be processed securely: the security requirement
The first part of this is Confidentiality. Only those with authorisation should access data. This should be shown in the data privacy policy. You should further limit the people who have access to the data. Who needs access? If this refers to candidate notes, the hiring officer, HR and the manager might need access. The Saturday office intern does not.
This requirement also entails the most well-known GDPR element: security. Data must not be stored in such a way that it will be released to those without authorisation. You must have appropriate protection so that the data does not become compromised. There is no single approach to this; it depends on the costs of implementation, the nature, scope, context and purpose of your processing, and the type of data you are holding. This extends to both physical data (i.e. hard copy) and data held electronically. Your protection systems need to be regularly tested, which may require third-party expertise.
Stressed? Relax!
Worried about the minefield of legal obligations? Don’t be! At the Legal Stop we offer 5 bespoke Privacy Policies for the price of 1! We will tailor the policy to the needs of your business. Check it out here!
The contents of this article do not constitute legal advice and are provided for general information purposes only.
The Legal Stop provides fixed fee legal services and legal and business document templates for individuals and businesses. Our services include:
We aim to make the law and provision of legal services accessible and transparent to people and businesses alike!
Expertise: Intern
Alex graduated with a BA Laws from Homerton College, Cambridge. He is currently studying for his LLM in Public Law at UCL whilst also interning at The Legal Stop; during his internship Alex will be writing blog posts explaining topical areas of the law, as well as more opinionated pieces on the state of the law. Outside of working hours you can often find Alex in the gym, in the kitchen or reading up on history.