Recruitment and modern data protection

GDPR and discrimination

In this HR article, we provide some guidance to help make recruitment practices safer and to improve legal compliance.

Questions around how employment law affects recruitment and selection, are common.  There are a few key areas to be mindful of.  The main ones are contract law, employment law, data protection and discrimination. The latter two have a greater impact on the recruitment process itself, and these will be the focus of this HR Hot Topic.

Legislation relating to discrimination, or rather equality, should inform all safe recruitment practices. The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018), both put a fresh angle on data protection law and require tighter controls on things relating to recruitment, such as the need for secure processes, privacy notices and more.

Recruitment and modern data protection

Organisations must ensure that the entire process of recruiting a candidate, from end to end, is compliant with the GDPR and DPA 2018. This begins from the point at which personal data belonging to a candidate is collected, through to how this is removed from your business entirely.

The basics of the GDPR requires organisations to:

• Ensure they have a legal basis (one of the six statutory reasons) to be processing data in the first place.
• Ensure that the data is processed in compliance with the six principles.
• Ensure their internal processes are private by design and by default.

There are of course many other obligations to be adhered to. The most applicable to an employer in the context of recruitment are:

• The requirement to provide privacy information
• The requirement to keep records of processing activities

Common areas that crop up in recruitment, which are particularly impacted by modern data laws, include:

• References
• Health and criminal records
• Equal opportunities monitoring

Each of the key areas highlighted are discussed below.

Legal bases

There are six potential lawful bases (consent, contractual requirement, legal obligation, vital interests, public interest and legitimate interest). Employers must know in advance which one of these they are relying upon in order to obtain and use personal data during a recruitment process.

Most employers will rely upon ‘legitimate interest’.

This is the most generic of the six legal bases. As it is generic, the specific interest must be known too. In this case, it is most likely to be ‘A legitimate interest to fill a genuine vacancy which exists in the business.’

Warning: Avoid ‘consent’. Where it may be possible to rely on consent at the recruitment stage, we would advise against doing so. Consent is not what it used to be. Carefully worded information must be provided to each individual and specific measures must be in place to operate consent properly (such as the capability to remove and destroy all traces of personal data promptly, should an individual withdraw their consent). Furthermore, once employed, consent may not be relied upon at all, due to the imbalance of power between employer and employee. This means that once you appoint a candidate, you may not rely on consent anyway.

Principles

A recruitment process must be reviewed and adapted where necessary, to ensure that the six principles of the GDPR are met.

• The principles of the GDPR all seek to achieve one thing, accountability. They can be summarised as follows:
• Lawfulness, fairness and transparency – in relation to the data subject
• Purpose limitation – personal data is collected for a specified, explicit and legitimate reason
• Data minimisation – only personal data which is necessary and relevant to the purpose is collected
• Accuracy – every reasonable step should be taken to ensure that this data is kept up to date (with regards to the purpose)
• Storage limitation – personal data must only be kept in a form which identifies an individual for as long as is necessary to achieve the purpose
• Security (integrity and confidentiality) – appropriate (and state of the art) measures must be implemented to ensure personal data is kept safely and is not compromised

Example

To meet the first principle, an organisation must be satisfied that they know what their legal basis is and that they have complied generally with the law. Consider contacting the Information Commissioner’s Office (ICO) on their free helpline, for reassurance on whether your process and measures are likely to be lawful.

Consideration must also be given as to whether the use of the personal data collected would be thought of as ‘fair’ by the everyday person, and whether the processing and use of the data is transparent to the candidates. The latter is most likely to be achieved through a privacy notice.

Further Guidance

For further guidance on minimising risk and ensuring safer recruitment login to our HR Knowledge Base or contact us to find out about signing up to this must have go-to resource that’s used by thousands of business managers and HR professionals across the UK.