Since the introduction of General Data Protection Regulations (GDPR) in May 2018, there are many processes which, need to be considered and updated in order to be compliant. advo hr takes a closer look.
Privacy statements for job applicants
A privacy statement for applicants should inform candidates how you will use their personal data and how this will be protected. This document should be placed where it is accessible to all applicants. The Company website may be the best place for this document and all applicants should clearly be informed of the document’s location and directed to read this.
Lawful basis for requesting a reference from a GDPR perspective
There are six possible lawful bases to process personal data. The Information Commissioner’s Office (ICO) outlines these.
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interest: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (this cannot apply if you are a public authority processing data to perform your official tasks).
The lawful basis here would be a legitimate interest. As an employer, it is expected that you would need the information included in a reference as a necessary part of the recruitment process. You have a business need to hold this information, which makes this a lawful basis.
Whilst there is no need to ask an applicant for their consent to approach a previous employer, we wouldn’t recommend you seek to contact their current or most recent employer for a reference, without checking with the applicant first. You should also respect any request from job applicants not to contact their current employer until they have given formal notification of their resignation. We strongly recommend that the applicant agrees in writing when they are happy for the reference request to be sent e.g. after they have confirmed their resignation in writing to their employer.
New information that comes to light
There may be circumstances where you receive a reference reply which contains new information that you were unaware of. If this happens, the Company should tell the candidate the categories of personal data concerned as soon as possible, but no later than one month from when they received this information. The details of the information do not need to be shared, only the categories. For instance, they could say they have received information relating to their disciplinary record, health, beliefs etc. that they did not already know.
If information has been given in confidence (clearly marked as ‘strictly confidential’) the candidate is not entitled to have access to this reference.
Providing a reference for leavers and ex-employees
It is vital that every time you receive a reference request for an employee or former employee that you gain their consent to share their personal data with the new employer. This is unless you have a lawful basis to provide this information such as if they are applying for certain financial services jobs regulated by either FCA or PRA and you have a legal obligation to supply this information without gaining consent from the employee.
It may therefore be easier to provide someone who is leaving the company with a reference in line with your standard processes, subject to this reference being limited to a non-regulated role. The leaver can then give this to whoever they wish to pass this information on to. This can form part of the leaver process as part of an exit interview where the Company can ask the employee for their consent to retain information and process it for the purposes of providing future references and record this in a suitable format.
If a recruiter or employer calls or emails the company and states that the former employee has given them their consent for their details to be given for a reference, ensure that the company have either gained consent from the leaver to release this information to the company in question or ask the recruiter/new employer to get the former employee to contact the company to give their consent directly.
It is advised to ask for consent for every reference request. If the company asks for consent to issue references for them to anyone who requests this when they leave, the consent may be invalid. This is because their consent may degrade over time as they have not consented to their details being shared with the specific person and company.
Standardised reference forms are no longer advised as they may ask for more information than is relevant and necessary and therefore may not be GDPR compliant. Instead, explain that the company’s standard reference response letter is used for all references. As with all references, they need to be factual, fair and accurate.
Exemption to the above
Under the Data Protection Act 2018 any reference provided in confidence does not need to be included in a Subject Access Request. This means both the company who sent the reference and the company who received this are exempt from having to provide this to the employee. If the company refuses to provide information based on the above exception, the reasons why should be documented. Therefore, whilst it is possible to use this exemption they should not be relied upon routinely and should be assessed on a case-by-case basis.
advo hr is here to help. If you need any further information on this topic or any other wider HR issues then please get in touch. In the first instance email email@example.com.