When it comes to recruitment, and vetting your prospective employees, are you adopting a blanket approach to background checks? Many employers are – it’s easier – but it is a mistake, and one we see made by many employers who struggle with the complex data protection laws that govern this area. Although it has been nearly three years since the GDPR came into force, pre-employment background checks continue to cause a problem for employers who often find themselves in breach of the data protection laws. It’s not for lack of information – the UK’s domestic legislation is the Data Protection Act 2018, which spells out clearly the conditions for lawful processing, and the ICO’s website has reams of guidance for employers, but it’s complex and it applies in different ways depending on the nature of the job and the personal circumstances of the individual applying for it.
We are covering this now because there is one key message we think will help, namely, that adopting a blanket approach to your pre-employment vetting is to be avoided. To explain why, data protection specialist Harriet Dwyer joined me by video-link from Birmingham to discuss the issue.
Harriet Dwyer: “Yes, so employers that are thinking about undertaking background checks need to bear in mind that when they are doing so they are actually processing personal data and, as you are processing personal data, you really need to think about whether it's absolutely necessary to do so and if there is a lawful basis for doing it. The lawful bases are where there is a legitimate interest or a legal obligation. Sometimes consent can be relied on, but we do tend to advise clients not to rely on consent because it can be withdrawn as easily as it is given. We see a lot of clients coming to us in relation to background checks and suggesting that they're going to adopt a blanket approach. The problem with this is that where you've got, perhaps, five or six different background checks, and a whole range of different employees, the risk is that there won't then be a lawful basis in relation to each of those. For example, if you think about a credit background check, this might be appropriate in relation to employees that are based in the accounts department, or handling cash every day, but in relation to an employee that's based in a warehouse and perhaps just packing goods, a credit background check won't be proportionate and therefore it's going to be unlawful. So, what we tend to say to clients where they're thinking about undertaking background checks is to avoid a blanket approach and to think about completing a Data Protection Impact Assessment, a DPIA. A DPIA doesn't have to be completed in relation to all background checks but it really does help focus clients’ minds on whether the background check is absolutely necessary, if there's a lawful basis behind it and to also think about whether the individual's rights and freedoms outweigh those interests and, if they do, the background checks shouldn't be undertaken.”
Joe Glavina: “Harriet, what about criminal record checks which require even more from employers. How should you deal with those?”
Harriet Dwyer: “Yes, so the nature of criminal record background checks is that they are a lot more sensitive and intrusive and if a complaint is made in relation to such a check being carried out the ICO are going to really scrutinise an employer for this. Because of the nature of the type of check, as well, there are additional conditions to satisfy as well as establishing that there was a lawful basis for doing so. So, employers do really need to think about the different requirements involved and whether it really is necessary to carry out a criminal record check. In relation to recruitment, it's also really important that employers are transparent about the fact that a criminal record check might be undertaken, and they should not be too quick to undertake a criminal record check. It should only really be undertaken at the stage where an applicant is selected for a role.”
Joe Glavina: “What if employers get this wrong, Harriet? So, what’s the risk with taking a blanket approach?”
Harriet Dwyer: “Well, the risk with taking a blanket approach is firstly individuals are probably more likely to make a complaint to the ICO and the ICO are going to scrutinise an employer for doing so. They are going to be looking into the reasons why such a vast variety of background checks have been undertaken and that could definitely cause reputational damage for the business and could also lead to a breakdown in the employment relationship. The employer should also not rule out the possibility of enforcement action being taken by the ICO against them. So, the key message really is to avoid taking blanket approaches to background checks and to really think and focus on why a particular check is needed, and only doing it where there is a lawful basis.”
The ICO’s Employment Practices Code does have a section dealing with pre-employment checks, or verification as they call it. That’s in Part 1 of the Code which covers Recruitment and Selection. It’s worth pointing out that the Code has not been updated since the Data Protection Act 2018 became law, but, as the ICO makes clear on the front page, whilst there may be some subtle differences between the guidance in the Code and what the 2018 Act says, the Code remains useful. We have put a link to that in the transcript of this programme.
- Link to Employment Practices Code
The employment practices code (ico.org.uk)