Out-Law News 2 min. read
20 Mar 2002, 12:00 am
The publication is the first of four parts of The Employment Practices Data Protection Code and it covers the areas of recruitment and selection. The Code is not legally binding in itself; but because it indicates how the Information Commissioner will interpret the wording of the Data Protection Act of 1998, which is legally binding, it should be followed by employers.
It gives guidance on when it is and is not appropriate to store certain data on employees, such as trade union membership, and sets out a checklist of procedures to follow in advertising jobs, handling applications and interviewing. It also addresses the destruction of personal data contained in applications.
Among the recommendations of the checklist, employers are told to “provide a secure method for sending applications.” It explains that employers should “ensure that a secure method of transmission is used for sending applications on-line (e.g. encryption-based software).”
No further guidance is given on the level of security required or the nature of the encryption. Struan Robertson, editor of OUT-LAW.COM, commented:
“It is likely that a business could comply with this by hosting on-line recruitment forms on a secure system. One way of doing this could be to use HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL) to protect the information in the web pages. An alternative would be for recruiters to offer a public key which the applicant can use to encrypt his transmission.”
“The latter approach may be less attractive although it can offer a greater level of security. The problem for many businesses is that use of public/private key cryptography is still in its infancy and a lack of understanding may scare away potential applicants.”
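The second option Robertson describes, a recruiter publishing a public key that applicants use to encrypt their submissions, can be illustrated with the following Go program. It is an added example, not code from the article or from the Code, which says nothing about how encryption should be done. It assumes a hybrid construction that is standard practice today: a fresh AES-GCM key encrypts the application body and the recruiter's RSA public key wraps only that key with OAEP. The label string, the sample application text and the function names are all hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// contextLabel is a hypothetical context string. It is bound into both the
// RSA-OAEP key wrap and the AES-GCM additional data so that a wrapped key or
// ciphertext cannot be silently repurposed. The recipient must use the same value.
var contextLabel = []byte("recruitment-application-v1")

// SealedApplication is what the applicant sends back to the recruiter.
type SealedApplication struct {
	WrappedKey []byte // the AES key, encrypted under the recruiter's RSA public key
	Nonce      []byte // 96-bit GCM nonce, fresh for every submission
	Ciphertext []byte // AES-GCM ciphertext with the authentication tag appended
}

// EncryptApplication runs on the applicant's side. RSA cannot encrypt a
// multi-kilobyte CV directly, so a fresh 256-bit AES-GCM key encrypts the body
// and RSA-OAEP wraps only that key.
func EncryptApplication(recruiterPub *rsa.PublicKey, application []byte) (*SealedApplication, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, application, contextLabel)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recruiterPub, key, contextLabel)
	if err != nil {
		return nil, err
	}
	return &SealedApplication{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptApplication runs on the recruiter's side, which alone holds the private
// key. Any modification of the wrapped key or the ciphertext is rejected rather
// than decrypted to garbage, because OAEP checks its padding and GCM authenticates.
func DecryptApplication(recruiterPriv *rsa.PrivateKey, sealed *SealedApplication) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recruiterPriv, sealed.WrappedKey, contextLabel)
	if err != nil {
		return nil, errors.New("could not unwrap application key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, sealed.Nonce, sealed.Ciphertext, contextLabel)
	if err != nil {
		return nil, errors.New("application ciphertext failed authentication")
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// The recruiter generates a key pair once and publishes only the public half.
	recruiterKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample application; not a real applicant.
	application := []byte("Name: A. Applicant\nPosition: Analyst\nTrade union member: no\n")

	sealed, err := EncryptApplication(&recruiterKey.PublicKey, application)
	if err != nil {
		panic(err)
	}
	recovered, err := DecryptApplication(recruiterKey, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recruiter recovered %d bytes: %q\n", len(recovered), recovered)

	// A submission altered in transit is rejected outright.
	sealed.Ciphertext[0] ^= 0x01
	if _, err := DecryptApplication(recruiterKey, sealed); err != nil {
		fmt.Println("tampered submission rejected:", err)
	}
}
```

The applicant-side function needs only the public key, which is the property that makes the scheme attractive: the application is unreadable to the web host, the mail relay and anyone else between applicant and recruiter, and it stays encrypted at rest until the private key is used. Robertson's caveat still applies, since the applicant has to obtain the recruiter's public key and run the encryption step, which is exactly the burden that HTTPS hides inside the browser.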
HTTPS is already common on e-commerce sites. The page on which credit card numbers are entered will usually have a URL beginning https:// rather than http://. When the customer has entered his card details and clicked the “submit” button, his browser’s SSL/TLS layer encrypts the request, including the form data, before it leaves his machine. The acknowledgement returned by the seller’s server also travels in encrypted form and is decrypted for the customer by his browser. HTTPS protects the data only while it is in transit: once an application reaches the employer’s server it is stored in the clear unless the employer takes the separate steps for stored data that the Code’s checklist goes on to describe.
The Code’s Checklist also states that once electronic applications are received, the employer must ensure that “they are saved in a directory or drive which has access limited to those involved in the recruitment process.”
The Checklist goes on to advise employers to assess who in the organisation possesses the recruitment information and to “inform them that electronic files should be kept securely, for example by using passwords and other technical security measures.”
The second part of the Code, dealing with employment records, will be published in April. The third part (monitoring at work) and fourth (medical information) are due to follow at monthly intervals thereafter.
The Code and additional notes can be downloaded from the Information Commissioner’s web site.