Data Protection: the use of the Internet to vet employees or job applicants

According to a new proposed German law, it will soon become unlawful for employers in Germany to look at their Facebook profiles of prospective employees.

Given that use of the Internet to vet job applicants appears to be on the increase, it might be useful to summarise the application of the current UK data protection law, should an employer search the Internet for details of a “data subject” whether that data subject be a current employee or prospective employee.

As with most processing, the Data Protection Act does not make such Internet searches unlawful; however, the processing has to conform to the Principles in the Act. Hence, the purpose is blog is twofold: one is to inform employers of the data protection risks; the second is to identify how the Principles could protect the interests of individuals.

If an employer were to place an individual’s name into a search engine for an employment purpose then the focus rests on three data protection principles:

• the First Data Protection Principle in relation to fair processing and in respect of the legitimising of the processing of personal data (i.e. the employer’s choice of Schedule 2 criteria)

• the Third Data Protection Principle in relation to relevance of personal data to the employment purpose

• the Sixth Data Protection Principle in relation to the data subject right of access to personal data and the right to object to the processing; criminal offences might apply to public sector employers if there is a refusal to provide access.

The fair processing element of the First Principle is aimed at making sure, subject to an exemption, that the processing (e.g. the collection or use of personal data from the Internet) is transparent to each and every data subject. This is usually takes the form of a Fair Processing Notice which should be familiar to most readers.

Transparent use of the Internet is implicit in the Information Commissioner’s “Employment Practices Code” (see references). He says that during a recruitment process, employers should: "Explain the nature of and sources from which information might be obtained about the applicant in addition to the information supplied directly by the applicant". In other words, employers should state whether or not they browse the Internet to find out details about their prospective employees.

So if an employer states on a public information notice (such as a Fair Processing Notice) that he checks details on the Internet, then he should also anticipate that he might have to explain “What details?” in connection with “What jobs?”.

The “collection” or “use” of personal details from the Internet about a data subject are both “processing” operations and the First Principle requires that all such processing to be legitimised by a Schedule 2 criteria. “Data Subject consent” is one possible criterion but has real problems in the employer-employee context.

“Consent” (as defined in Directive 95/46/EC) has to be freely given, fully informed and contain an indication of the data subject’s wishes (e.g. the search has been agreed by the data subject). It might be difficult for an employer to argue that “consent” of an individual was “freely given” if the choice place before that individual was: “if you do not consent we won’t consider you for the job”.

Other Schedule 2 criteria can apply (e.g. “necessary” in terms of an employment contract or “necessary” for a legitimate interest of the employer), but this requires the collection or use of personal data to be “necessary”. The point being made is that word “necessary” does not mean “convenient” or “useful”; this in turn means the employer should be prepared to demonstrate why any personal data collected (or used) from the Internet is “necessary” in the context of the employment on offer.

For example, I think an employer would be able to defend the position that, in some cases, it was “necessary” to search the Internet to see if the information provided by the data subject was valid (e.g. about claimed qualifications etc). However, applying the “necessity” test in relation to personal-lifestyle details such as those found on Facebook is more problematic. That is why in the context of fair processing, an employer who uses Facebook-type personal data is likely to be obliged to reveal this fact to the job applicant (and in some cases, a summary of the product of any search).

Any “necessity” obligation of the First Principle is reinforced by the requirements of the Third Data Protection Principle: that the personal data collected (or used) have to be adequate, relevant and not excessive in relation to the employment purpose. So are the personal data obtained from the Internet “relevant” to the job on offer? How do you know whether you have the right data subject? For instance, if you search “Chris Pounder photo” on Google, how do you know which one is me? (I am the attractive youthful one, I hasten to add).

This “relevance” point applies even if the data subject has posted confidential or even Sensitive Personal Data about himself. The fact that something has been placed in the public domain – even by the individual concerned - does not mean that the personal data become automatically “relevant” for the employment purpose – or even “necessary” in terms of Schedule 2. Also, the use of inaccurate personal data or out-of-date personal data from the Internet (the preserve of the Fourth Principle) would be difficult to justify in terms of “relevance”.

The Sixth Principle issue relates to the right of access to personal data collected from the Internet and the possibility of engaging the right to object to the processing (i.e. to the data collection or use). If the data subject knows about the use of the Internet, any employer should expect such rights to be exercised – especially if someone has been turned down for a job and the rejection process involved web-based tittle-tattle. Public sector employers who delete personal data because there has been a request for access to personal data could commit a criminal offence (see section 77 of FOIA).

Of course some employers might keep such background Internet searches secret. However, somewhere down the line there will be a slip. A employer, faced with the product of evaluating an Internet search, might ask a harmless interview question like: “was it really you in that clip displayed on YouTube?”.

This will tell the data subject all he needs to know to make a complaint to the Commissioner in terms of the Principles mentioned above. Given that the Commissioner can now fine data controllers, an employer who adopted a policy of deliberate and secret internet searching is taking a risk – especially given the Commissioner’s advice (see above).

Finally, if employers are undertaking Internet searches, the most obvious counter-measure is for individuals to arrange for some misinformation to become available. For example, as soon as a job application goes off, some applicants might arrange for friends to post a number of helpful comments.

For instance: “Hi Chris. I have met your boss in the street and he mentioned your brilliant handling of that awkward customer”; or “When you go to the weekly confessional at St Saviour’s Church, what do you say to the Priest as not everyone can be as honest, loyal, hard-working, punctual and reliable as you?”.

At the very least, this kind of detail could help me get an interview. It is also the type of information that would encourage the employer to ask the question that would reveal he was searching the Internet.

References: The “Employment Practices Code” can be found on:  http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/employment_practices_code.pdf.

Marketing: We have a Data Protection courses commencing in Manchester late September. Our next FOI course is in London (commencing 20th September) and in Leeds (commencing 19th October). We also have onsite courses on data protection and employee personal data. Details on www.amberhawk.com

Data Protection and surveillance: swopping the speed camera for ANPR?

When on holiday in the Dordogne two weeks ago (feels like two months now!), I picked up a Sunday Times newspaper which stated that the Government was reducing grant-funding for speed cameras. This was given the “thumbs-up” by the paper which reported that many motorists see such cameras as a tax first and a life-saver second.

Some speed cameras are already history. Conservative controlled Swindon Borough Council switched off its cameras in April this year, whilst a funding shortfall of £600,000 is causing Oxfordshire’s Road Safety Partnership to consider whether or not to shut down 72 of the county's speed cameras. Naturally, road-safety campaigners and some police officers are saying that this decision will ultimately cost lives.

So what has this to do with data protection and surveillance? Answer: the Sunday Times report omitted that the speed camera removal policy is likely to result in the installation of more “average speed cameras” which depend on Automated Number Plate Reading (ANPR) technology.

I am sure you have met these “average speed cameras” on many of our main trunk roads, usually where there are speed restrictions caused by road-works. All they do is record your car number plate and the time it takes to pass between two cameras. If your vehicle takes below a pre-calculated time difference, you must have been speeding; hey presto, a nice letter inviting a “contribution to the Exchequer” arrives in the post the following week.

ANPR technology uses the fact that the surface of vehicle number plates, except for the lettering, is covered in tiny inverted hemispheres that cause any light radiation to be reflected back to the source. Infra red radiation is used (e.g. so cameras can avoid interference from ordinary light) and this allows ANPR cameras to be used 24/7.  There has to be an infrared source adjacent to the camera to illuminate the image and the system is completed by processing technology that converts the reflected image to usable code which can be transmitted to other computers. (Relax - physics lesson is over!).

If a vehicle number plate data is then linked to identity of the registered vehicle keeper (or other possible driver) then the data are personal data and the Data Protection Act becomes engaged.

ANPR surveillance arises as the personal data can be cross-checked in real-time against databases, including the Police National Computer, the DVLA databases, uninsured drivers, and police intelligence records, both locally and regionally, to identify vehicles of interest. If a registration plate is flagged up on a database, the system alerts the operator with both a visual and audible signal, providing details of which database has triggered a hit. The ANPR operator could then call for officers to intercept the vehicle and question the driver.

According to Kable (Feb 2010) “the police have more than 10,000 ANPR cameras” and that “forces in England and Wales are passing up to 14 million reads per day from automatic numberplate recognition cameras to a national database”. Kable also report that “6,600 ANPR units run by the Highways Agency and Traffic master but these do not transmit full number plates, as they are used to calculate the speed of traffic over sections of road”.

According to a Devon and Cornwall Police document (see references), the police can use recorded ANPR records for any general police inquiry for 90 days but after 90 days there is restricted access. The normal retention period of ANPR data on camera hits is 2 years but this might increase be 5 years when sent to the National ANPR data centre which currently holds over 7.6 billion read records. If there is a “hit” with another police database, it’s 6 year retention.

Security Service access to these personal data at the ANPR data centre can be assumed to be on demand, and one can also assume the use of sophisticated searching tools to extract intelligence. It is a prime example of the previous Government’s database state-surveillance which is subject to very little oversight. The wide national security exemption (S.28) effectively excludes oversight from the Information Commissioner, and the Surveillance Commissioner has no remit because overt use of ANPR (or any related database) is not covert or directed surveillance as defined by RIPA. See also the blog of 6th October 2009, where I discuss the streaming of ANPR images from Transport for London cameras to the national security agencies.

ANPR technology like CCTV will become ubiquitous and already CCTV installers are making quotes such as: “ANPR is probably the next growth product to take off in the UK, and the world; in fact, it is already beginning to be the biggest potential earner for installation companies”

So there you have it. I think that as more speed cameras are removed, more and more accidents will occur. Over time, there will be increased public pressure to do something to counter the rising accident rate and ANPR installations (which only need a few cameras) will be the technological fix of choice.

In this way, specific surveillance of an accident black spot by a speed camera (which only captures the image of speeding cars breaking the law) is replaced by general surveillance of all vehicles passing the cameras (where records of date, time, driver details, location are all retained for possibly up to 5 years). Perhaps privacy advocates who are against ANPR should start having public love-ins with privacy-friendly speed cameras near their home?

To be serious for a moment, the Government has promised forthcoming legislation on CCTV and this legislation will also apply to ANPR. The legislation will determine, by law, the use and retention of CCTV/ANPR images.

In "Nine principles for assessing whether privacy is protected in a surveillance society” (see references), I argue that the use of legislation in this way can undermine the Data Protection Act. This is because when legislation dictates that CCTV can be installed for purpose X, and the images can be retained for Y Years and disclosed to person Z, then use X, retention Y and disclosure Z all become lawful processing operations.

Additionally, the Information Commissioner has no effective power to regulate these processing operations – this is especially the case if he continues to be reluctant to use his powers in relation to lawful processing (see blog of 20th April 2010: “Information Commissioner should enforce Article 8 privacy rights”).

In other words, the text of the forthcoming CCTV legislation will be an early test of this Government’s claim that it intends to redress the balance between state surveillance and individual privacy.

References: Kable on ANPR: http://www.kable.co.uk/national-anpr-data-centre-police-acpo-03feb10.ANPR retention: http://www.devon-cornwall.police.uk/YourRightInformation/FreedomInformation/Policies/D198.pdf. Nine Principles document (two parts) on http://www.amberhawk.com/policydoc.asp.

Marketing: We have a Data Protection courses commencing in in Manchester late September. Our next FOI course is in London (commencing 20th September) and in Leeds (commencing 19th October). Update sessions (at £95+VAT is a snip). We also have onsite courses on RIPA and CCTV. Details on www.amberhawk.com

Data Protection: Who gets the Audit Commission’s privacy invasive powers?

The press coverage of last Friday’s unexpected announcement that the Audit Commission is to be abolished failed to mention a key data protection issue: who is going to inherit its data matching mantle? The answer is important because the Commission’s extensive, privacy-invasive, data matching powers were enacted by the last surveillance-addicted Government and extend well beyond a narrow benefit fraud remit.

Data matching involves comparing sets of personal data, such as the payroll or benefits records of a body, against other personal data held by the same or another public body to see how far they match. Bodies covered by these mandatory data matching arrangements (in Part 2A of the Audit Commission Act 1998) are local authorities, police authorities, probation authorities, fire and rescue authorities, pension authorities, NHS Trusts and strategic health authorities, primary care trusts, passenger transport authorities, national park authorities, and waste authorities.

Schedule 7 of the Serious Crime Act 2007 extended the range of organisations that could chose to be involved in data matching to any government department, housing association or private organisation. Additionally, that Act extended data matching from benefit fraud to include any of the Commission’s audit functions (e.g. efficiency of service delivery) and to debt recovery.

You can see now that these powers can cover most UK organisations and extend well beyond the purpose of benefit fraud - the purpose that gets all the publicity. No wonder the Coalition Government’s favoured partner in anti-benefit fraud, the Credit Reference Agencies, are licking their lips – especially if the purpose of data matching can also include debt recovery!

Who replaces the Audit Commission is important for another reason. The Commission is subject to a statutory data protection code of practice -  which is not perfect, but will be abolished with the Commission. The Department for Work and Pensions (DWP) has its own Data Matching Service, but that is limited to benefit fraud so it is unlikely that the DWP will want to get involved in data matching that does not relate to benefits.

The National Audit Office (NAO) could do the job but it does no data matching currently. So to merely transfer the Audit Commission’s data matching functions to the NAO will not save a penny and undermines the justification for the Commission’s abolition.

In other words, the absence of a credible replacement data controller is a concern and such powers should not be transferred for use by another organisation (e.g. a Credit Reference Agency) without proper debate or scrutiny.

Even with benefit fraud, all is not what it appears. David Cameron has been widely reported of stating that there is £5.2 billion of fraud, error and overpayment in the system (fraud being £1.2 billion). Not reported is the fact that these vast sums are inflated by a multiplier which is best explained by the Government’s own official research:

“These savings (from fraud) represent notional rather than actual amounts of money saved since the weekly benefit of someone who is caught committing fraud is multiplied by 32. The multiplier reflects the time that the Benefits Agency assumes that someone would have carried on defrauding them if they had not been caught” (see references)

Even the Audit Commission scales up its fraud-recovery effectiveness. The latest Annual Report of its anti-fraud activities states that the identified "£24 million" of detected benefit fraud is a number that has been “multiplied by 13”. Its pension fraud figure of £28 million saved from Local Authority Pension Schemes uses a multiplier arrived at by a “Cabinet Office formula”. This formula scales up the actual detected fraud by “the number of years the pensioner would have reached 90” (which is surprising given life expectancy in the UK is currently about 80 years).

The use of multipliers could very well be legitimate – I don’t know. But to quote figures in press releases and public statements without any indication that a multiplier has been used (or its value) is in my view, wholly misleading. For instance, it simply beggars belief that the Cabinet Office multiplier is reliable in connection with the true rate of pension fraud.

Also, the National Audit Office in 2008 estimated that benefit fraud represents 0.6% of the cost of the total benefit system (£0.8 billion) and this figure was falling year on year because of anti-fraud data matching activities. By contrast, more than twice the amount lost (about £1.9 billion) related to inaccurate personal data. This 2:5 ratio is also in the Prime Minister's numbers (see above) and suggests that resolving the data inaccuracies in the system is more than twice as important than those headline-catching benefit fraud initiatives.

No one is saying that data matching should not occur to counter fraud in the benefit system. However, there needs to be prior justification for the use wide ranging invasive powers, especially if they are to involve Credit Reference Agencies. There needs to be thorough examination and analysis with the measurement of outcomes to ensure the powers are needed and work effectively. There also needs appropriate checks and balances to ensure that when things go wrong, there is proper redress.

Additionally benefit fraud savings, when announced, have to be credible – I fear the numbers being bandied about at the moment are inflated for political purposes.

Finally, the data matching powers granted to the Audit Commission were enacted by the last Government who raised two fingers to anybody who expressed issues like those mentioned in the paragraphs above. It would be disappointing if the Coalition Government were to traverse the same path.

References: Page 21 of the DWP Benefit Fraud Research: http://research.dwp.gov.uk/asd/asd5/rrep064_first-half.pdf (This is old research but it is the only reference to the current estimated multiplier I could find).

Audit Commission National Fraud Initiative Annual Report: http://www.audit-commission.gov.uk/nfi/reports/pages/default.aspx (this reports the multipliers it uses in an Appendix).

The National Audit Office report on Benefit Fraud: http://www.nao.org.uk/publications/0708/progress_in_tackling_benefit_f.aspx (shows that data inaccuracy outweighs fraud)

Marketing:  We have a set of Data Protection courses (Edinburgh commencing in next week and in Manchester late September). Our next FOI course is in London (commencing 20th September) and in Leeds (commencing 19th October). Update sessions (at £95+VAT is a snip). We also have onsite courses on RIPA and CCTV. Details on www.amberhawk.com.

Swimming in the surveillance Poole: the real privacy problems with RIPA

Both opposition parties (now in power) before the General Election focussed on Local Authorities as the main abuser of Regulation of Investigatory Powers Act (RIPA) powers, and to some extent the Investigatory Powers Tribunal's recent decision re Poole Borough Council appears to reinforce that view (see references).

The Tribunal concluded that the Council’s procedures were at fault (they are in fact very sloppy), the surveillance was too extensive, and the purpose underpinning the surveillance operation uncertain. This was also accompanied by the fact that Poole had already decided to stop this surveillance practice - a prior admission of “guilt” if ever there was one.

However, many observers are missing the obvious and freely criticise the Council. Instead, I would argue that the Poole Borough Council case is a symptom of a far deeper malaise and that the real problem is an appalling system of regulation which the previous Government established (the Office of the Surveillance Commissioner – OSC). In short, it is the absence of effective checks and balances to the misuse of self-authorising, wide ranging, surveillance powers that allows “Poole-type” practices to flourish.

First to the facts surrounding Poole’s use of RIPA powers. The Council, like most Local Authorities, have some very oversubscribed schools. It was tipped off (twice) that two parents (Ms Paton, her partner identified as C2 in the Tribunal Decision) and their three children (aged 10, 8 and 3 - identified as C3, C4 and C5) were trying to secure a place for their youngest child (C5) at a popular school by providing false details. Child C4 was already enrolled at the school and C3 had attended that school throughout his primary school career.

Despite a sibling already at the primary school (usually an important factor in primary schools admissions policy), Poole decided to check the allegations, especially as the mother and her partner owned two properties, one of which was in the catchment area of the school and the other wasn’t. Given the sibling rule, it is reasonable to assume that Poole was also thinking of removing child C4 as well as denying C5 a place, something not emphasised in the Tribunal adjudication.

So how should Poole resolve the issue of: “which property are the family living in?”.  Poole’s answer to this dilemma was to authorise itself to undertake directed surveillance on all the family members for 22 days prior to any meeting with any parent?

You don’t need to go any further to identify the problems in Poole’s approach. Do you really need 22 days surveillance to answer a trivial “domestic” question when you can ask the parents/guardians to prove residence?

Do you really need to seek a directed surveillance authorisation that refers to monitoring a 3 year old (assuming C5 is not a species of “feral toddler” on the verge of getting an ASBO)?

Do you need to use surveillance powers associated with criminal activity when it is very uncertain that a crime can actually be committed (and where one can be very certain that the children are not committing any crime!).

These are the kinds of issues that the Tribunal considered (under the guise of "proportionality" and "necessity") and Poole, not unsurprisingly, lost its case, hands-down.  So who should shoulder the blame? Are you sure it is Poole Borough Council? Or somebody else?

The first comment to make is that the Surveillance Commissioner does not have the power to do much other than raise problems in Annual Reports – and he has being doing this for years.  In his 2007/8 Annual Report, for example, the Surveillance Commissioner stated that local authorities “have a tendency to expose lack of understanding of the legislation by completing documentation poorly”. He added “In particular there is a serious misunderstanding of the concept of proportionality" (paragraph 9.2)

In his 2008-9 Annual Report he says that most Local Authorities do not train their staff properly about RIPA powers:

“In many authorities where executive officers, legal advisers or motivated individuals show an interest in the legislation, and where there is investment in practical training for authorising officers as well as awareness education for potential applicants, there is a high standard of compliance. The performance of these authorities sets the benchmark, but they are not yet in the majority” (my emphasis from Section 9 of the 2008-9 Report)

In this report under the heading “Common causes of error” he states that the areas that have received the most criticism on inspection include:

• “a continuing failure on the part of Authorising Officers properly to demonstrate that less intrusive methods have been considered and why they have been discounted in favour of the tactic selected";
• "the failure of Authorising Officers, when cancelling authorisations, to give directions for the management and storage of the product of the surveillance";
• "Authorising Officers not knowing the capability of the surveillance equipment which they are authorising", and
• "Poor internal audit by senior management”.

For good measure the 2009/10 report continued the theme and states: “I am concerned that some applicants and authorising officers in public authorities other than law enforcement agencies claim to be unaware of OSC Guidance”, and noted that Local Authorities like Poole are inspected by the OSC for one day every three years. Less than 1 in a 1000 chance of a visit - hardly a risk!

(By the way, this is an improvement on the Northern Ireland position identified in the 2007/8 report: “I have not inspected the Local Authorities in Northern Ireland as I have not been given the power to do so. I note that these authorities have never been inspected”). Earlier reports from the Commissioner also raised similar issues re lack of training and poor management.

Now look at the cost of the system of regulation at the OSC. Excluding its other regulatory responsibilities, the 2009/10 Report identified 23,762 directed surveillance operations. Since there are about 15 operational OSC staff, that is a work load of 1,600 directed surveillance operations per person each per year so each staff member has about a half dozen new ones per working day to consider (if they indeed they are considered).

The cost of the OSC in 2009/10 was £1,585,000 (I have excluded a £150K office move). This means the cost of regulation for each directed surveillance operation is about £67 each. Now compare that £67 spent on reporting on the status of “privacy protection” with the cost of the 22 days of effort expended at Poole on surveillance? What conclusion do you draw?

Now to be clear, I am not getting at the OSC staff – they are hard working and not to blame. Evey day, they have to play a hand of poker where the only cards they are dealt are seven-deuce in different suits.

Under RIPA most surveillance is undertaken by bodies that report to the Home Office. RIPA is Home Office legislation where rules, Codes of Practice and secondary regulations are all established by a Home Secretary and his law enforcement advisors. The Regulator is appointed by the Prime Minister who is also responsible for surveillance policy. Parliament has little role other than to receive the OSC’s Annual Report, once the Prime Minister has had the chance to remove anything he does not like.

Quite simply, what has happened is this: the Department of State responsible for designing a system of privacy protection has produced one that has minimal interference with its functions with respect to surveillance. Is anyone surprised by that?

However one can recognise the systemic error: to have the same body creating the system of protective regulation as well as wanting a system of surveillance. This doesn't work because there is an unresolveable internal conflict that inevitably creates weak regulators - like those who cannot enforce proper rules of protection but can huff and puff in largely unread Annual Reports. The solution is also apparant: to have a system of privacy protection produced independently from those in charge of the surveillance policy.

In short, the problem is that previous Government built a weak system of regulation designed not to rock its surveillance boat. And in such circumstances, it is not surprising that the outcome is RIPA cases like that at Poole Borough Council.

If Poole type cases can't rock the boat, nothing will - and that is why the whole system of privacy protection under RIPA has to be taken away from the Home Office and the Government of the day.

References: Annual Reports of the OSC from http://www.surveillancecommissioners.gov.uk/about_annual.html.
Tribunal Decision from http://www.poole.gov.uk/news/ref:N4C56ACFE8ACC1 (top right). It will appear eventually on http://www.ipt-uk.com/default.asp?sectionID=17

Marketing:  We have a set of Data Protection courses (Edinburgh commencing in late August and in Manchester late September). Our next FOI course is in London (commencing 20th September) and in Leeds (commencing 19th October). Update sessions (at £95+VAT is a snip). We also have onsite courses on RIPA and CCTV. Details on www.amberhawk.com.