Any UK-based business that receives details from job
applicants online faces a serious challenge: how to comply with the strict laws
governing the use of personal information. Eduardo Ustaran advocates a
practical approach to e-recruitment and its legal management
Businesses are increasingly setting up facilities to receive
applications from would-be employees on-line. According to a recent report, for
example, graduate recruitment over the Internet has doubled in the past year –
two thirds of employers who responded were using the web to find labour market
entrants.
The relevance of data protection rights to this practice
should not be underestimated. As individuals become more aware of their rights
in connection with the processing of personal information, recruiters are
coming under greater pressure to comply with privacy regulations. As a result,
this area of law has gained in importance, and will become crucial for
businesses relying on the electronic collection of data.
Collecting information about individuals, such as CVs and
application forms, is regarded as the processing of personal data under the
Data Protection Act 1998, and is subject to the strict data protection
obligations established by this piece of legislation. The Act applies to the
collection, storage and use of information about individuals in any form, and
therefore affects any web site that collects information from its users.
Scope of application of the law
The legal regime implemented by the Act affects any
organisation that determines the purposes for which, and the manner in which,
personal data is processed (the "data controller"), regardless of whether or not that organisation
actually carries out the processing itself. The Act applies to organisations
established in the UK, and to organisations established outside the UK that use equipment in the UK to process personal data.
Such equipment must be used for the collection or processing
of data, not just for enabling the transit of data through the UK. In an
attempt to put the minds of many global organisations at rest, the Data
Protection Commissioner has indicated that if an electronic transmission of
personal data is routed through the UK (as may be the case in the context of
the Internet) the transmission will be regarded as mere transit of data. This
seems to suggest that the fact that a web site can be accessed from the UK does
not mean that it will be regarded as equipment for the purposes of the Act,
unless it is hosted on a UK server.
Complying with the law
Complying with data protection law is a complex process
which requires a comprehensive and consistent management approach throughout
the whole organisation. In the context of e-recruitment, the only way to ensure
that this issue is properly dealt with is by addressing it as part of an
internal Data Protection Compliance Programme.
Such a programme typically has two stages:
– Assessing the data collection and processing practices of
the business; and
– Implementing the necessary measures to comply with the
legislation.
Assessment
Assessing the scope of the processing is essential in order
to identify the relevant data protection obligations affecting the use of
electronic recruitment methods and to determine what steps ought to be taken to
meet those obligations. You must consider the following:
– Whether the organisation is registered as a data
controller with the Office of the Data Protection Commissioner and, if so,
whether the register entry refers to the use of the Internet;
– The instances in which personal data is collected by the
organisation directly from the individuals concerned, and those in which it is
received from third parties;
– The purposes for which personal data of prospective
employees is used, and the potential recipients of data collected via the
organisation’s web site;
– Whether there is any kind of data protection statement or
privacy policy already being used to inform prospective employees of the uses
and disclosures made of their personal data;
– Whether the organisation seeks consent from individuals to
use their personal data;
– Whether there are any procedures in place to ensure that
all personal data is accurate and up to date;
– Whether there are any procedures in place to deal with
requests by individuals to be supplied with information about the data held about
them;
– Whether the organisation gives individuals who provide
their details for recruitment the opportunity to opt out of marketing-related
communications;
– What security measures the organisation has in place to
ensure the confidentiality of personal data;
– Whether any third party processes personal data on behalf
of the organisation (this includes the outsourcing of web hosting services);
– Whether the organisation shares personal data with
organisations outside the United Kingdom (this includes the distribution of
information via corporate intranets).
Implementation
Having determined the aspects of the processing which are
relevant from a recruitment perspective, you will be in a position to devise
and implement a plan aimed at achieving compliance with the law. Such a plan
ought to address all relevant obligations imposed by the Act, including:
Notification (formerly registration)
The obligation to register under the previous data
protection regime has been replaced by a notification procedure, which requires notifying
the Office of the Data Protection Commissioner of the purposes of the processing, the data subjects, the types
of personal data being processed and the kinds of recipients of such data.
Data controllers who have an existing registration under the 1984 Act will not
be required to notify the Data Protection Commissioner under the new system
until their current registration expires or until 24 October 2001, whichever is
earlier. However, according to the Act, registered data controllers have a duty
to notify the Commissioner if the registration becomes inaccurate or
incomplete.
Fair processing condition
Processing of personal data may only take place if one of a number of
conditions set out in the Act is met (for example, that the individual has consented, or that the processing is necessary for the organisation's legitimate interests). Where sensitive personal data is involved, such as information about ethnic origin or health collected for equal opportunities monitoring, a further, stricter condition must also be satisfied.
Provision of information
All users of personal data must now have a data protection
statement or privacy policy to inform the individuals to whom the data relates
of the purposes for which it is intended to be processed and any other relevant
details (such as potential recipients of the data and whether the individuals
will be contacted for marketing purposes).
Data quality
Personal data must be accurate, up to date and not kept for
longer than is necessary for the purposes for which it was collected.
Individual rights
A number of rights allow individuals to exercise a certain
degree of control over the way their data is used, and therefore the data
controllers must be prepared to honour those rights.
Security
Appropriate technical and organisational measures must be
taken to prevent the unauthorised or unlawful processing or disclosure of data,
and the accidental loss of, destruction of or damage to data. The Act also
requires data controllers to ensure that where a third party processes data on
their behalf there is a written contract between the parties, whereby the
processor agrees to act only on the instructions of the data controller and to
adopt appropriate security measures.
International data transfers
Personal data must not be transferred to countries or
territories outside the EEA that do not provide an adequate level of data
protection. However, this prohibition can be overridden where one of the exceptions in the Act applies, for example by obtaining the
individuals’ consent, and by adopting the Good Practice Approach recommended by the
Data Protection Commissioner.
Eduardo Ustaran is a solicitor in the computer, media
& IP group at Paisner & Co
Data protection law – a brief history
Data protection law was created in the early 1970s in
response to the increasing use of computers to process information about
individuals. During the 1970s and 1980s a number of countries, mostly in
Europe, passed legislation aimed at controlling the use by government agencies
and large companies of personal data.
In the UK, this legislation was the Data Protection Act
1984. It established a registration system for all users of personal data and
required such users to comply with certain data protection principles. However,
different national approaches across Europe led to fragmented data protection
regimes.
After several years of international negotiations and
compromises, in 1995 the European Union adopted the directive on the protection
of individuals with regard to the processing of personal data and on the free
movement of such data. 24 October 1998 was the deadline established by the
Directive for all 15 Member States to pass legislation bringing into effect the
objectives of the Directive, namely to protect the right to privacy of
individuals and to facilitate the free flow of personal data between Member
States.
The UK Government decided to implement the Directive by
introducing completely new legislation that would strengthen the data
protection controls existing under the 1984 Act. This decision coincided with
the view of the UK Data Protection Commissioner, and the Act was passed by
Parliament in July 1998. The Act came into force on 1 March 2000, entirely
replacing the 1984 Act.