Insights Employment practices: UK Information Commissioner’s Office consults on guidance

The ICO has published two new pieces of guidance for employers, one on keeping employment records and another on recruitment and selection. As with other guidance published by the ICO, these aim to help those that process personal data understand their data protection obligations under UK GDPR and the Data Protection Act 2018 (“data protection law”). In each case, the various requirements are explained and explored and then followed by useful case studies.

Employment Records

The proposed guidance for employment records (which may include personnel files, sickness and injury records, disciplinary and grievance records, training records, appraisal records, payroll information etc) covers a wide range of topics including the need for a lawful basis for keeping records, whether consent can be relied on, what lawful bases might apply, conditions for processing special category data, and the data subject’s rights to access and require deletion of the data. The guidance uses “worker” to mean all employment relationships, including employees, contractors, volunteers or gig or platform workers.

For example, on the issue of the lawful basis on which employment records can be kept, the guidance explains that it might be difficult to rely on consent since an employer is generally in a position of power over its workers. As such, it could be argued that consent in those circumstances is not “freely given” as required by UK GDPR. Other lawful bases that might apply in this context include processing that is necessary for the performance of a contract (e.g. an employment contract), to comply with a legal obligation (e.g. for tax purposes), or for the purposes of the legitimate interests of the employer (e.g. requesting references containing information about a job applicant).

Employment records may contain special category information (e.g. data relating to racial or ethnic origin, religious beliefs, trade union membership, health) in which case, in addition to a lawful basis, the employer must also identify a special category condition before it can start processing. Again, consent (which, in the case of special category data, must be explicit) is not likely to be a ground on which the employer can rely. The special category conditions most likely to be relevant in this context include processing that is necessary to comply with employment, social security and social protection law, for the exercise or establishment of a legal claim (e.g. if the worker is suing the employer) or for reasons of substantial public interest (defined under Schedule 1 of the DPA 2018 as including statutory or government purposes, equality of opportunity or treatment, racial and ethnic diversity at senior levels of an organisation and preventing and detecting unlawful acts).

Recruitment and Selection

This guidance is aimed at employers and organisations which carry out recruitment on their behalf, such as recruitment agencies, head-hunters and consultancies (referred to below as the “recruiter”). It covers the recruitment in the context of all potential employment relationships, including employees, contractors, volunteers or gig or platform workers.

For example, in considering the need for the processing to be fair, the guidance states that the recruiter should ensure that decision-makers are not presented with irrelevant information about the candidate before they make their decision. This means that applications should be screened to remove name, contact details and equality information, before sending information about qualifications and work experience to the decision-makers for shortlisting. The guidance also points out that the fairness requirement, which provides that you may not use the data in ways which may have adverse effects on the candidate, is not breached by rejecting the candidate for the job.

The lawful basis that is likely to be most relevant in this context is legitimate interest (the guidance provides a useful example in which the recruiter plans to do manual searches of candidates’ social media profiles). Again, consent is not likely to be an appropriate legal basis as there is likely to be an imbalance of power between the candidate and the recruiter. Equally, performance of a contact is not likely to be appropriate as this can only be relied on once you have made the candidate a conditional or unconditional job offer and they have accepted or, since it extends to processing necessary to take steps prior to entering into a contract, could be relied on by an employer, for example, to obtain evidence of a candidate’s qualifications once it has made a provisional offer.

The types of special category data and the issues relating to special category conditions are like those described above for the employment records guidance, save that the condition which relates to information manifestly made public by the candidate may apply in the recruitment context. Further, the substantial public interest conditions relating to equality of opportunity and diversity at senior level may be particularly relevant in recruitment situations.

For more information and to respond to the consultation on the draft guidance documents, which closes on 5 March 2024, click here.