This article continues my ongoing series on the role of HR in GDPR compliance. It explains how HR managers and leaders can process employee personal data while recruiting.
Recruitment is one of the core functions of the human resource department and one of its most data-dependent. The process entails gathering personal information about prospective candidates and retaining it after the recruitment process concludes, for two main reasons – as part of the new employee’s profile, or as part of the candidate database for future use and reference.
HR’s recruitment and selection function depends on personal data and as such falls within the purview of the personal data processing activities governed by the GDPR. For the human resources department to develop comprehensive recruitment policies that comply with the GDPR’s requirements, it has to consider which staff members fall within the ambit of the term ‘employee’ for the purposes of data protection regulation, and what employee personal data processing activities are involved across the entire recruitment process.
Who is an Employee?
The GDPR applies to all personal data of prospective and former job applicants, current employees, former employees, agency staff, contractual staff, volunteers, and interns. The data of all these personnel falls within the purview of employee data processing or “data processing for employment purpose”.
Employee Personal Data Processing during Recruitment
For recruitment to be successful, employers attempt to access and accumulate as much personal information as possible to ensure prospective applicants are the best fit. They collect data through a series of data processing activities such as resumes, background checks, interviews, social media activity, references, and so forth. As this function falls within the purview of the GDPR, the Information Commissioner’s Office (ICO), the United Kingdom’s data regulatory body, has issued the Employment Practices Code for comprehensive guidance on acceptable data processing activities pertaining to various HR functions. The objective behind regulating recruitment functions is to enforce a balance between HR’s personal data needs and job applicants’ right to privacy.
During recruiting and vetting, the human resources department may choose to access the social media profiles of job applicants to conduct background checks. On this point the ICO’s Employment Practices Code cautions against the use of social media profiles for background checks and vetting, because it can lead to data breaches as well as to access to special categories of data proscribed under Article 9 of the GDPR (pertaining to age, disability, race, ethnicity, marital status, sexual orientation, etc.). Handling of special categories of data requires “explicit consent” under the GDPR.
Article 9 of the GDPR prohibits the processing of “special categories of personal data revealing racial or ethnic origins, political opinions, religious or philosophical beliefs or trade union memberships, and the processing of genetic data, biometric data, data concerning health” except in those circumstances where “processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…in so far as it is authorized by Union or Member State law.”
The recruitment process also entails vetting and checking the criminal background of prospective employees. The ICO’s Employment Practices Code indicates, “vetting should only be used where there are particular and significant risks involved to the employer, clients, customers or others and where there is no less intrusive and reasonably practicable alternative.” This is an intrusive process, and employers have to proceed in compliance with Articles 9 and 10 of the GDPR.
Article 10 addresses the processing of personal data relating to criminal convictions and offences. Per its requirements, the collection and processing of data pertaining to convictions and offences can only be undertaken “under the control of official authority or when the processing is authorized by Union or Member State law.” Thus, employers have to ensure that any background checks into the criminal history of potential candidates comply with the regulations in force in the relevant Member State jurisdictions, because any non-compliant processing will invite financial sanctions.
The first contentious aspect of this function with respect to data protection is the requirement that HR recruiters comply with the GDPR while accessing the personal data of employees even when it is publicly available. Hence, employers must have a justifiable legal basis for collecting data from social media profiles during background checks.
Secondly, employees – current, former, and potential – have the right to request access to the personal data being processed by HR functionaries. Information and personal data collected during the recruitment and selection process on prospective job applicants may become subject to an access request by a job applicant. HR recruitment policies have to create response mechanisms to those requests or merge them with the policies regulating subject access requests of current employees.
Thirdly, the recruitment process often involves third-party services. Employers will have to ensure these third parties are GDPR certified and handle employee personal data in a GDPR-compliant manner.
Fourthly, vetting can give employers inadvertent access to sensitive personal data for which the regulation demands “explicit consent”. Such access and processing becomes a ‘high risk’ activity because it violates privacy.
Finally, applicants have a right to refuse automated decision-making on their behalf, and employers/recruiters have to consider conducting the function without reliance on automated profiling techniques, or devise robust consent mechanisms to safeguard their candidates’ rights.
It is recommended that HR leaders, managers, and recruiters reference the Employment Practices Code for detailed checklists on acceptable recruitment practices that are compliant with the GDPR.
Steps and Solutions
- Inform job applicants of the personal data HR is processing, where that data is retained, and who has access to that data especially in the event of data transfers.
- Customize job applications so they justify the personal data being collected. This entails removing extraneous questions and streamlining the personal data collection process.
- Consider whether a social media profile was created for employment purposes. If not, be careful about relying on it, even if it is publicly accessible.
- Job advertisements should be transparent on information sources used for data collection, especially where third-party recruitment agencies are employed. Issue ‘fair processing notice’ to prospective candidates.
- For sensitive personal data and special categories of personal data, assess relevance of personal data collection, remove excessive questions, ensure purpose for sensitive personal data collection is adequately explained.
- Notify job applicants in the event of disclosure or transfer of personal data and seek their explicit consent to do so.
- Create recruitment policy parameters for vetting and background checks. Identify the situations and circumstances in which intrusive measures are necessary and develop justification for them.
- Conduct a data protection impact assessment on the recruitment policy on a regular basis to identify the associated data protection risks, and adopt its course-correction recommendations.
Advisory to CRIS
Co-founder & CEO, CyberImmersions Solutions
The ideas, views and opinions expressed above are those of the author and do not necessarily reflect the opinions or official position of any agency, organization, employer, or company. The views expressed are for informational purposes only. They are not intended to constitute legal advice. For legal reliance on GDPR compliance, please consult your attorney.