Published December 2013
We have noted a growing trend in employers making use of employee background checks as part of the recruitment process. Employers must consider the obvious commercial benefits of this in the context of Data Protection legislation.
We also look at the impact of the new Code of Practice which the Information Commissioner has published in relation to Data Subject Access Requests (DSARs).
Under the Data Protection Act 1998, employers have data protection obligations in relation to personal data concerning:
- job applicants (successful and unsuccessful);
- employees and former employees;
- agency, contract and other casual workers; and
- in some circumstances, others such as volunteers and those on work experience.
Personal data is information about an individual from which that individual can be identified, which is held either electronically or in a filing system or other accessible record. Examples of personal data likely to be covered by the Data Protection Act include:
- details of an individual’s salary and bank account;
- e-mails where the individual is the subject;
- a manager’s notebook containing notes on named individuals;
- an individual’s personnel file;
- files relating to disciplinary and grievance proceedings;
- a set of completed application forms;
- information about a machine which records something about an employee (for example, productivity of the employee operating it);
- information collated about individuals for the purpose of business sale; and
- CCTV camera or swipe card records.
Examples of information unlikely to be covered by the Data Protection Act include:
- information on the entire workforce’s salary structure by grade where individuals are not named or identifiable;
- a report on the results of exit interviews where all responses are anonymised; and
- manual files that contain some information about employees but are not stored in an organised way (for example, they are not stored by name or reference to individuals).
Sensitive Personal Data
Employers must adopt extra caution when managing ‘sensitive personal data’. Sensitive personal data is personal data consisting of information about an individual’s:
- racial or ethnic origin;
- political opinions;
- religious beliefs or beliefs of a similar nature;
- trade union membership;
- physical or mental health; and/or
- sexual life.
The Eight Data Protection Principles
The Data Protection Act requires employers to process personal data in accordance with eight data protection principles:
1. Data must be processed fairly and lawfully
Importantly, fair processing requires individuals to be informed of the purpose for which data will be used. In addition, in order for data to be processed fairly and lawfully, at least one of the following conditions for processing must be satisfied:
a) the individual must consent to the processing;
b) the processing must be necessary for the legitimate interests of the employer;
c) the processing must be necessary for compliance with any other legal obligation to which the employer is subject; or
d) the processing must be necessary for the performance of any contract to which the individual is party.
In addition, in relation to ‘sensitive personal data’, more stringent conditions apply.
2. Data must only be processed for the purposes for which it is collected.
3. Data must be adequate, relevant and not excessive in relation to the purpose for which it is processed.
4. Data must be accurate and, where necessary, kept up to date.
5. Data must not be kept for longer than is necessary.
6. Data must be processed in accordance with the rights of the individual.
7. Appropriate security measures must be taken to ensure that personal data is secure.
8. Data must not be transferred to other countries without adequate protection.
The principles of managing data protection are relevant in every aspect of handling employee data at every stage of the employment relationship. The implications are far reaching. Here, we focus on two hot topics:
In a number of sectors, we have seen an increasing number of employers carrying out pre-employment checks or screening on job applicants as part of the recruitment process. Certain checks are required by law or have become standard practice, for example, checks on:
- the right to work in the UK;
- authenticity of qualifications;
- fitness and health; and
Some employers, however, also undertake more controversial pre-employment checks such as:
- employment history checks;
- financial sanctions and credit reference checks;
- DBS checks (formerly CRB checks); and
- media and social media checks.
The Information Commissioner’s Employment Practices Code is careful to distinguish between ‘verification’ of employee data and pre-employment ‘vetting’. Verification involves checking the accuracy and authenticity of information provided by the job applicant. Vetting involves obtaining information about the job applicant from third parties.
The Information Commissioner discourages pre-employment vetting. The verification of information provided directly by the job applicant is far less intrusive of the job applicant’s privacy and is the preferred approach.
In the context of both verification and vetting procedures at the recruitment stage, employers must bear in mind the basic principles of data protection:
- job applicants must be informed early in the recruitment process that pre-employment verification or vetting checks will be made and how these will be made (especially where external sources will be used);
- verification and vetting of job applicant data should be limited to those job applicants who are to be offered employment;
- checks must be proportionate to the risks faced by an employer. Best practice is to identify a particular objective (e.g. safety of children or security of customer data) and ensure that only checks undertaken to meet those objectives are made;
- consent to verification and vetting checks should be obtained from the job applicant;
- employers must consider the reliability of third party information providers; and
- job applicants must always be offered an opportunity to comment on any third party information provided prior to any recruitment decision.
We recommend that employers obtain informed, clear and explicit written consent from individuals in relation to pre-employment checks. There are concerns that consent given in the context of recruitment or employment is not freely given. Accordingly, it is also important for employers to identify and assess the reasons for the checks and consider whether such checks are genuinely necessary and proportionate in any particular case. Ideally, the thought process should be documented.
A standard policy to vet all new recruits is unlikely to be compliant with the Data Protection principles.
In the context of commercial contracts, it is increasingly a requirement of customers that employers confirm that pre-employment checks have been undertaken on individuals working on specific contracts or projects. The Employment Practices Code makes clear that such requirements will not release an employer from complying with obligations under the legislation. The employer must be satisfied that the customer’s requirements are also necessary and proportionate.
Data Subject Access Requests (DSARs)
Job applicants, employees and former employees have the right to request access to data held about them by an employer. We have noted a trend whereby individuals use these entitlements in the context of an employment dispute. Complying with such a request can be particularly cumbersome and time consuming.
Individuals have the right to:
- know whether personal data about them is being held or used;
- a description of the personal data or a copy of the personal data, the reasons it is being held or used and whether it will be shared;
- details of the source of the personal data; and
- information about any automated decisions made about them (for example, in relation to work performance).
Responding to a Data Subject Access Request
An employer must comply with a DSAR promptly and within 40 days of receipt of the request. However, the employer is not required to respond unless it has received from the individual: (a) a £10 fee; (b) evidence to confirm the identity of the individual; and (c) any information necessary to locate the information sought. The Information Commissioner has published a new Code of Practice on DSARs. The Code is the Information Commissioner’s interpretation of what the Data Protection Act requires in relation to DSARs. Its scope is not limited to employment practices.
The Code of Practice
The Code of Practice summarises the process that employers should follow when they receive a DSAR and provides detailed guidance and recommended best practice in relation to all aspects of dealing with such requests.
The Code clarifies that it will never be reasonable to deny access to requested information merely because responding to the request may be labour intensive or inconvenient. We have found the Code to provide particularly helpful clarification in two areas:
1. Retrieving information from electronic records.
The Code provides useful guidance in relation to emails, archived data, backed up data and deleted data. Where data is archived or backed up the Information Commissioner’s view is that it has been deliberately retained by the employer (for whatever reason) and so the employer is required to use the same search mechanisms and effort to retrieve data as would be used if it required the data for itself. The employer is entitled to ask the requester for context so as to enable a targeted search.
In relation to deleted data, the Information Commissioner recognises that it is difficult to be certain that information is permanently deleted from a computer system. If the employer’s intention is not to have access to deleted information then the employer is not required to engage expensive technical expertise to recreate or reconstitute the deleted data. For these purposes, emails deleted from a particular user’s email account will not be regarded as deleted data.
Employers should also be aware that emails and other information held by employees on personal devices may also fall within the scope of a DSAR if the employer is aware that employees are effectively processing data on the employer’s behalf on such devices (e.g. smart phones and home computers).
2. Dealing with other individuals’ data
Employers do not have to comply with a DSAR in so far as this would mean disclosing information about another individual, unless that other individual has consented to the disclosure or it is reasonable to comply with the DSAR without that person’s consent. A balancing exercise is required between the respective individuals’ data protection rights (on a case by case basis).
The Code recommends a three step approach:
Step 1: Does the request require the disclosure of information about third parties? The employer should consider whether information requested can be provided without including third party information, for example, by deleting names or editing documents.
Step 2: Has the third party individual consented?
Step 3: Would it be reasonable in all of the circumstances to disclose without consent? Factors to consider include:
- employer confidentiality;
- efforts to obtain consent; and
- refusal of consent.
Information Commissioner’s Checklist
The Code of Practice also includes a helpful 10-step simple checklist, which employers can use when they receive a DSAR. The checklist recommends that employers:
- identify whether a request should be considered as a DSAR;
- make sure that they have enough information to ascertain the individual’s identity;
- ask the individual, at an early stage, if more information is required to process the request;
- ensure that the individual has paid the fee;
- check whether they have the information that the individual is seeking;
- not change any of the records, even if they are inaccurate or embarrassing;
- check whether the records contain personal data about persons other than the individual;
- consider whether any of the exemptions apply (see below);
- provide explanations of any complex terms or codes included in the response; and
- provide the response itself in a permanent form unless the individual agrees otherwise or doing so would be impossible or involve disproportionate effort.
The new Code of Practice reminds us that certain personal data is exempt from being disclosed pursuant to a DSAR. Exempt personal data includes, in particular:
- confidential references given by the employer;
- certain management information;
- information in relation to ongoing negotiations with the individual; and
- data covered by legal professional privilege.
Where an employer has failed to comply with the Data Protection Act in relation to a DSAR, the individual can contact the Information Commissioner. The Information Commissioner may undertake a compliance assessment and, if appropriate, serve an enforcement notice on the employer. Failure to comply with an enforcement notice is a criminal offence.
The Information Commissioner has a statutory power to impose a financial penalty on an organisation if satisfied that the organisation has committed a serious breach of the Data Protection Act.
Another option available to an individual is to apply to the court for an order requiring the employer to comply with the DSAR. If an individual suffers damage because the employer has breached the Data Protection Act (including by failing to comply with a DSAR), the individual may be entitled to compensation. It will be difficult for an employer to establish a defence (that all reasonable steps were taken in the circumstances) where the employer has failed to respond to a DSAR within the 40 day time limit or has not provided the individual with all of the information to which they were entitled.
In the recent case of Halliday v Creation Finance Limited, the Court of Appeal awarded compensation of £750 for distress to an individual as a result of a finance company’s failure to process his personal data in accordance with the Data Protection Act. Only limited compensation was awarded in this case on the grounds that there was no malicious intent, it was a single episode based on a technical error and there was limited evidence of distress. This case concerns a consumer transaction and is one of the first cases of its kind. The case highlights an opportunity for individuals to make similar claims in an employment context, where the potential for distress is arguably much greater.
The Data Protection Act 1998 came into force well over a decade ago but management of data protection continues to be a hot topic, particularly as individuals become increasingly aware of their rights under the legislation.
We recommend that all employers train and appoint appropriate personnel to manage data protection issues and that employers also put in place policies and procedures in order to ensure effective management of such issues. Such steps are essential in being able to demonstrate compliance to the Information Commissioner and in avoiding disputes about compliance and potential liability.