The Information Commissioner's Office, the ICO, has published two new sets of draft guidance for employers and recruiters which explain how to comply with their data protection obligations arising from retention of employee data and staff recruitment procedures. Both sets of guidance are open for public consultation until 5 March 2024.
The guidance on employee records covers topics which include the types of data held by employers, selecting an appropriate lawful basis for retention purposes, working with employee consent, managing data retention periods and keeping all data accurate and up to date. Helpfully, it contains some useful checklists.
The guidance on recruitment and selection is aimed at employers and businesses which carry out recruitment on behalf of employers, such as recruitment agencies. It explains how to process candidates' data fairly and lawfully and how to use automated decision making and profiling. It also covers security and data sharing requirements, and compliance with employees' rights as data subjects.
The ICO says it will also be releasing additional practical tools to accompany the guidance and to help support best data protection practice among employers and other recruiters.
So, let’s get a view on the guidance. Harriet Dwyer is a data protection specialist and earlier she joined me by phone from Birmingham to discuss it:
Harriet Dwyer: “I think what's important to note to begin with is that the two new consultation papers don't really introduce anything new in terms of data protection. What I found quite interesting on the recruitment paper is there's a specific section on the use of automated decision-making and profiling in the context of recruitment. This is something that is quite frequently used by employers and recruiters but, taking it back to basics, the GDPR does actually say the use of automated decision making and profiling where it has a significant effect, or legal effect, on an individual is actually prohibited. As I say, recruiters, employers, are using it within the recruitment exercise, so just because there is that prohibition doesn't mean it can't be used and, of course, there are some really good efficiencies and cost savings for employers in making use of technology. So, where employers and recruiters are using those technologies in their recruitment processes, it would definitely be great if they could pay attention to the guidance that the ICO are looking to issue, as it has some really helpful pointers and things that employers should be doing in order to comply with the data protection legislation. So, for example, it sets out that a data protection impact assessment must be completed, that the technology should be kept under review to ensure that there isn't any inherent bias or discrimination in the technology. Likewise, where it is used, individuals are able to challenge or object to its use and, again, keep a record of those challenges and objections to ensure that there isn't any inherent bias or discrimination in the processes that you're using.”
Joe Glavina: “Sticking with the recruitment guidance, Harriet, the ICO deals specifically with data which is in the public domain and how that should be treated. Tell me about that.”
Harriet Dwyer: “So another section of the recruitment paper which is interesting is their commentary on the use of special category personal data which is available in the public domain. Now as with other guidance issued by the ICO, they helpfully set out in these papers the lawful bases that they think are appropriate in an employment context and, obviously, flag the fact that where you're processing special category personal data, there are also further conditions that need to be satisfied. One of those conditions is where special category personal data is available in the public domain but, of course, just because something is in the public domain doesn't necessarily mean an individual expects you to use it as part of a recruitment exercise. The guidance helpfully gives a nice example on this in relation to a disabled candidate who, perhaps, blogs about their disability to raise awareness in relation to it. Of course, that information is then in the public domain but, as I've said, they wouldn't necessarily expect recruiters to use that information as part of the recruitment exercise. So, you wouldn't necessarily be able to rely on that condition to be able to process that type of data lawfully, but what the ICO paper does also go on to say is that, if absolutely necessary, and you think it's important to rely on that information as part of your process, you give the individual an opportunity to comment on it and be asked questions on it at interview stage.”
Joe Glavina: “You are commenting on what is currently just draft guidance from the ICO, Harriet. Do you expect it to change significantly as a result of the consultation?”
Harriet Dwyer: “I think it's unlikely that these drafts will change in any way, or at least, if there are changes they won't be significant. As I've said, these draft pieces of guidance don't introduce anything new, they don't change the legislation or the framework, they just act as a piece of guidance for employers, or recruiters, in terms of enabling them to process personal data lawfully. So, whilst they are drafts at this stage, I think employers and recruiters can be confident in referring to them if needed when they're thinking about these types of issues at the moment.”
Joe Glavina: “Final question, Harriet, which is on retention periods because I know that this is an area that you're often asked to advise on.”
Harriet Dwyer: “A question that we do frequently get asked is in relation to the retention of employment records. So, whether that's current employee personal data, personal data in relation to an employee that has just left, or has recently left the business or, indeed, personal data of candidates who have applied but, unfortunately, not been successful in relation to a role. Now, the data protection legislation does not set out any specific timeframes and I think clients expect it to do so which is why the question is frequently asked of us. Now, there is other legislation that might dictate how long you need to keep personal data for, such as right to work documentation, and, obviously, in those circumstances that would be your lawful basis in terms of retaining that personal data but, otherwise, the usual principles will apply and employers and recruiters will need to think about why they're obtaining the personal data and why they need to keep hold of it. Another thing that's important to note in terms of holding on to personal data is firstly, the longer you hold on to it, the chances are, it could over time become inaccurate and so you need to ensure that your personal data that you are processing is accurate but likewise, it could be, and it's most likely to be, accessible as part of a data subject access request. So those are all things to be mindful of when assessing the question as to how long you should retain personal data for.”
The ICO’s consultation on both sets of guidance will be running until 5 March 2024, so for a few more weeks yet. The ICO’s website sets out how to respond and includes links to the guidance itself. We have included a link to that in the transcript of this programme for you.
LINKS
- Link to ICO consultation: recruitment and selection
- Link to ICO consultation on guidance: keeping employment records