According to a new proposed German law, it will soon become unlawful for employers in Germany to look at the Facebook profiles of prospective employees.
Given that use of the Internet to vet job applicants appears to be on the increase, it might be useful to summarise the application of the current UK data protection law, should an employer search the Internet for details of a “data subject” whether that data subject be a current employee or prospective employee.
As with most processing, the Data Protection Act does not make such Internet searches unlawful; however, the processing has to conform to the Principles in the Act. Hence, the purpose of this blog is twofold: one is to inform employers of the data protection risks; the second is to identify how the Principles could protect the interests of individuals.
If an employer were to place an individual’s name into a search engine for an employment purpose then the focus rests on three data protection principles:
• the First Data Protection Principle in relation to fair processing and in respect of the legitimising of the processing of personal data (i.e. the employer’s choice of Schedule 2 criteria)
• the Third Data Protection Principle in relation to relevance of personal data to the employment purpose
• the Sixth Data Protection Principle in relation to the data subject right of access to personal data and the right to object to the processing; criminal offences might apply to public sector employers if there is a refusal to provide access.
The fair processing element of the First Principle is aimed at making sure, subject to an exemption, that the processing (e.g. the collection or use of personal data from the Internet) is transparent to each and every data subject. This usually takes the form of a Fair Processing Notice which should be familiar to most readers.
Transparent use of the Internet is implicit in the Information Commissioner’s “Employment Practices Code” (see references). He says that during a recruitment process, employers should: "Explain the nature of and sources from which information might be obtained about the applicant in addition to the information supplied directly by the applicant". In other words, employers should state whether or not they browse the Internet to find out details about their prospective employees.
So if an employer states on a public information notice (such as a Fair Processing Notice) that he checks details on the Internet, then he should also anticipate that he might have to explain “What details?” in connection with “What jobs?”.
The “collection” or “use” of personal details from the Internet about a data subject are both “processing” operations and the First Principle requires all such processing to be legitimised by a Schedule 2 criterion. “Data Subject consent” is one possible criterion but has real problems in the employer-employee context.
“Consent” (as defined in Directive 95/46/EC) has to be freely given, fully informed and contain an indication of the data subject’s wishes (e.g. the search has been agreed by the data subject). It might be difficult for an employer to argue that “consent” of an individual was “freely given” if the choice placed before that individual was: “if you do not consent we won’t consider you for the job”.
Other Schedule 2 criteria can apply (e.g. “necessary” in terms of an employment contract or “necessary” for a legitimate interest of the employer), but this requires the collection or use of personal data to be “necessary”. The point being made is that the word “necessary” does not mean “convenient” or “useful”; this in turn means the employer should be prepared to demonstrate why any personal data collected (or used) from the Internet is “necessary” in the context of the employment on offer.
For example, I think an employer would be able to defend the position that, in some cases, it was “necessary” to search the Internet to see if the information provided by the data subject was valid (e.g. about claimed qualifications etc). However, applying the “necessity” test in relation to personal-lifestyle details such as those found on Facebook is more problematic. That is why in the context of fair processing, an employer who uses Facebook-type personal data is likely to be obliged to reveal this fact to the job applicant (and in some cases, a summary of the product of any search).
Any “necessity” obligation of the First Principle is reinforced by the requirements of the Third Data Protection Principle: that the personal data collected (or used) have to be adequate, relevant and not excessive in relation to the employment purpose. So are the personal data obtained from the Internet “relevant” to the job on offer? How do you know whether you have the right data subject? For instance, if you search “Chris Pounder photo” on Google, how do you know which one is me? (I am the attractive youthful one, I hasten to add).
This “relevance” point applies even if the data subject has posted confidential or even Sensitive Personal Data about himself. The fact that something has been placed in the public domain – even by the individual concerned - does not mean that the personal data become automatically “relevant” for the employment purpose – or even “necessary” in terms of Schedule 2. Also, the use of inaccurate personal data or out-of-date personal data from the Internet (the preserve of the Fourth Principle) would be difficult to justify in terms of “relevance”.
The Sixth Principle issue relates to the right of access to personal data collected from the Internet and the possibility of engaging the right to object to the processing (i.e. to the data collection or use). If the data subject knows about the use of the Internet, any employer should expect such rights to be exercised – especially if someone has been turned down for a job and the rejection process involved web-based tittle-tattle. Public sector employers who delete personal data because there has been a request for access to personal data could commit a criminal offence (see section 77 of FOIA).
Of course some employers might keep such background Internet searches secret. However, somewhere down the line there will be a slip. An employer, faced with the product of evaluating an Internet search, might ask a harmless interview question like: “was it really you in that clip displayed on YouTube?”.
This will tell the data subject all he needs to know to make a complaint to the Commissioner in terms of the Principles mentioned above. Given that the Commissioner can now fine data controllers, an employer who adopted a policy of deliberate and secret internet searching is taking a risk – especially given the Commissioner’s advice (see above).
Finally, if employers are undertaking Internet searches, the most obvious counter-measure is for individuals to arrange for some misinformation to become available. For example, as soon as a job application goes off, some applicants might arrange for friends to post a number of helpful comments.
For instance: “Hi Chris. I have met your boss in the street and he mentioned your brilliant handling of that awkward customer”; or “When you go to the weekly confessional at St Saviour’s Church, what do you say to the Priest as not everyone can be as honest, loyal, hard-working, punctual and reliable as you?”.
At the very least, this kind of detail could help me get an interview. It is also the type of information that would encourage the employer to ask the question that would reveal he was searching the Internet.
References: The “Employment Practices Code” can be found on: http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/employment_practices_code.pdf.