The data protection code: what it means for online recruitment

publication of the Information Commission’s Code of Practice on Data Protection
and Employment, Joan Pettingill, solicitor in employment law with Nelson &
Co solicitors in Leeds, outlines eight key points to help you stay on the right
side of the law.

Recruiters – whether in house or third party – have traditionally had a free hand with the
information they could gather and retain about prospective employees. Candidates might be invited to submit hand-written
letters of application for analysis, complete multiple choice or other
psychometric tests which reveal facets of their personality (of which they or
their friends may not even be aware), or to divulge details about their health,
salary or criminal records.

At interview,
candidates could be asked to perform technical and intellectual tasks in front
of a group while watching the interviewer take notes about them. They might
then be asked to have a medical examination and provide samples for medical
analysis and at the end of the process, the interviewer may know more about the
candidate than they know about themselves.

However, the
rights of employers, or third party recruiters, to gather and store information
about candidates changed when the Data Protection Act 1998 came fully into
force on 23 October 2001.

The first of four Codes of Practice to be published by the Information Commissioner’s
Office, on recruitment and selection, has been criticised as being unclear, in
that it is difficult to distinguish between the statutory requirements of the Data
Protection Act and the best practice advice given in the code by the
Information Commissioner.

However, there
are eight keys to data protection, which, if used in the spirit of the act,
will help recruiters sidestep the wrath of the Information Commissioner.

Data shall…

1. be processed fairly
2. be obtained and processed for limited purposes
3. be adequate, relevant and not excessive for the purpose for which it is collected
4. be accurate and if necessary kept up to date
5. not be kept for longer than necessary
6. only be processed in accordance with the rights of the person to whom it relates
7. be kept securely
8. not be transferred to a country or territory outside the EU economic area unless the new location ensures an adequate level of protection for that data and the rights of those people to whom the data relates


The eighth key to data
protection has particular relevance to recruitment on the web.

Internet access
is growing rapidly and data can be transferred around the globe within seconds,
and recruiters can gather data remotely with the use of a web spider (a
software program that can be used by internet search engines to visit every
text-rich website gathering and cataloguing relevant information).

In the recent
past, it was difficult to regulate the transfer of information on the web, but
new technologies mean that enforcing the eight key requirements of the Data
Protection Act is possible and practical.

In particular,
recruiters need to know what candidate data is passing into and out of their
site and they need to monitor this, as when the Information Commissioner looks
at whether the operation of websites, spiders and servers is lawful, the type
of data being transferred and the laws in force in the country to which it is
transferred will be examined.


A recruiter’s website is
like an advertising billboard, which is open to scrutiny by the commissioner.
Consent must be obtained from a candidate before personal data can be processed
at all and, ideally, before a candidate gives their personal data to recruiters
via a website they should be clearly informed about the processes to which that
data will be subjected or at least requested to give their consent. Recruiters should check that the only
processes to which candidate information is subject either relate to an
existing contract between the candidate and the recruiter or are carried out with
a view to the candidate entering into a contract with the recruiter.

The absence of
a data protection or other privacy policy from a recruiter’s website does not
automatically mean that a recruiter is flouting data protection laws. However,
having a data protection or other plain English privacy statement is good
practice and makes good business sense for recruiters as it will give potential
candidates confidence in the site and will preserve the recruiter’s integrity.

The Data
Protection Act gives candidates rights, including a right of access to any
personal data a recruiter may hold in a relevant filing system, and this kind
of online document is a good way of obtaining the candidate’s consent to the
various processes to which their data will be subject.

Controlling web

Recruiters will already have
thought carefully about the kind of information that they request from
candidates. The key for recruiters is to check that on-line application forms
only ask for information that is really necessary for the recruitment process.
For instance, in some European countries candidates are not asked about their
hobbies as this information is arguably not relevant to the recruitment
process. There has been particular
criticism of ‘free fields’ on websites in which candidates can type any data
they like. Recruiters who ask specific questions on their websites or only ask
for limited information are less likely to fall foul of the third key to
data protection (that information be adequate, relevant and not excessive for
the purpose for which it is collected) and thereby incur the wrath of the
Information Commission.

Candidates may
claim that they have suffered damage, economic loss and distress if a recruiter
passes inaccurate information to a third party.

To comply with
the fourth key (be accurate and if necessary kept up to date), recruiters
should check that data submitted by a candidate is accurate before passing it
on (with the candidate’s consent) to a third party.

Most recruiters will do this anyway as they obviously do not wish to provide incorrect
information about candidates to their clients.

recruiters who use a web spider to obtain candidate profile data without
checking that it is accurate will not only fall foul of legislation but may be doing
both the candidate and themselves a disservice and miss out on the right

Web-based tests

What do recruiters need to
take into account when considering carrying out aptitude or psychometric tests
on the web?

There is no specific
guidance in the Act itself, so recruiters should consider the keys to getting
data protection right.

Analysis carried out by unqualified persons is unlikely to be regarded as
fair processing of personal data. Similarly, if the analysis or testing is not
highly relevant to the recruitment process, it is hard to see how it could be
regarded as fair.

If such tests
are to be carried out then the best way of ensuring that the Act is complied
with would be for the candidate to give their informed consent prior to the
testing process taking place.

Sensitive data

It is also useful to be
aware of the difference between personal data and sensitive personal data,
where the latter refers to details such as someone’s racial origin, political
opinions or physical/mental health; if they’re in a trade union; or whether
they have committed or allegedly committed a criminal offence. If sensitive personal data is to be
processed, explicit consent is required.

Deleting old

The destruction of data
involves more than simply pressing the delete button on a computer. Even when
the delete button has been pressed a file remains in a recycle bin or in a file
for deleted items until it is deleted again. Even then, data may remain on the
computer’s hard drive and if the computer is sold or thrown away, the recruiter
needs to protect its own integrity as well as the integrity of the data.*

Candidates who
have provided personal data about themselves are unlikely to thank recruiters
if those details are retrieved and published or processed by a third party
without their consent. In the context of data protection legislation,
protection of data means more than simply saving candidate details on a back-up


The Information Commission
is there to protect the individual and to curb the unscrupulous use of personal
information. But by sticking to the key points listed above, employers and
recruiters should be able to avoid a visit from the modern-day Thought Police.

* Consult an IT
specialist for details of how to ensure data that is ‘deleted’ actually no
longer exists.
