As part of our mini-series of articles on recruitment this month, in this article we explore some of the issues which can arise when employers wish to vet the candidates who apply to them, before they offer them a role.
With vastly increased access to personal information and backgrounds available on the internet, employers might be tempted to include a Google search or check of a Facebook profile.
Such searches would amount to data processing under data protection rules. In order to safely do so, an employer would need be able to point to one of the legitimate grounds for processing such personal data.
For the ‘legitimate interest’ ground to be satisfied, an employer must demonstrate that it has balanced its need to process the information against the interests and fundamental rights of the prospective recruit. Accordingly, the employer would need to be able to justify the types of searches and why they were legitimate to carry out in the context of the job in question. The key question recruiting employers should ask themselves is: “is the information being searched for relevant to a function specific to the role?” For example: is the person going to be working closely with children and young people and therefore are they likely to be subject to increased scrutiny via social media? In such a case, it may be possible to for a recruiting employer to justify checking that a candidate’s social media profile reveals no entries of concern to the safety of children.
Employers must also give candidates fair notice that their data could be collected and processed in this way as part of the recruitment process. Including information about potential searches in the job advert or in a Privacy Notice might constitute fair notice. Whether the candidate had a reasonable expectation that their data could be processed for these purposes could also help to justify such a search by an employer. For example, an individual is likely to have a reasonable expectation that their LinkedIn profile will be checked by a potential employer due to its purpose for business networking. However, searching candidates’ Facebook and Instagram accounts is less likely to be reasonable, depending on the nature of the role and whether the employer had made it clear in their job advert that this might take place.
What are the risks (if you get it wrong)?
- Breach of data protection legislation: Candidates may seek to sue the employer for breach of their data rights, although they would have to prove they had suffered loss or damage. A candidate could also report the employer to the Information Commissioner’s Office (‘ICO’) for breaching data protection laws and their data rights. The ICO has the ability to impose hefty fines for such breaches.
An employer faced with a data breach investigation by the ICO may be able to defend its position if it can provide evidence that it careful assessed whether it was appropriate in the circumstances to process such data. Such an assessment is known more formally as a Data Protection Impact Assessment (‘DPIA’).
- Discrimination: The way in which the searches are carried out, as well as way the information is relied upon to make decisions, must not be discriminatory. The key is for employers to be consistent in they way they carry out searches. This lowers the risk of inadvertently treating those with a protected characteristic less favourably than others and opening the employer up to claims under the Equality Act 2010.
- Victimisation: Employers should be very cautious if a search reveals a previous Employment Tribunal case brought by the candidate (and judgments are now published online). If the claim brought was one of discrimination and the recruiting employer relied on the fact the candidate had brought such a claim to refuse them a job, this could lead to a claim against the recruiting employer for victimisation.
- Criminal convictions: Recruiting employers should be aware that it is generally unlawful to rely on information which reveals spent convictions to deny someone a job. There are some limited exceptions, however, if the candidate and the role falls within the scope of the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975. For example, where the candidate would be involved in the teaching, supervising or training of persons aged under 18, or where they work in the Prison and Probation Services.
Vetting candidates to ensure that they are the right person for the job is a key part of the recruitment process. However, the extent to which employers can search for information about a candidate on the internet is limited by data protection laws and the protection against discrimination and victimisation. Recruiting employers should be wary of these potential pitfalls and implement practical steps to avoid them. Having a clear recruitment policy which takes in the points set out above and effective training on it for recruiters is a sensible first step, as is having a Privacy Notice to give to candidates which reflects the types of searches which an employer will need to carry out.