In parts one and two of this series summarizing data protection law in the United Kingdom, we looked at the data protection principles to which employers must adhere in relation to obtaining, holding, or disposing of personal data, including sending it outside the European Union (EU).
In this final part of our series on data protections laws in the United Kingdom we examine the practical application of the UK’s data protection rules on background checks and monitoring.
During the course of conducting background checks, which may, for example, involve obtaining references, Internet screening, or checking a candidate’s criminal record, an employer will process a significant amount of personal data.
When requesting a reference or confidential personal information from a former employer or a third party, employers should notify the candidate and, in the case of the latter, the employer should obtain the candidate’s permission or written consent.
If undertaking Internet screening, the first and fourth data protection principles, which require fair and lawful processing and accuracy respectively, are particularly important. Although information obtained through online searches is generally available to the public, it will still usually be necessary to inform candidates of the intention to obtain data from online sources. Further, particular care should be taken to ensure that information obtained online is accurate and relates to the relevant individual before relying on it during the recruitment process.
In the United Kingdom employers can request a criminal records check on individuals who fulfill certain roles in an organization—a financial services position, for example, or a position dealing with children or vulnerable adults—subject to the employee’s consent. Such checks are often an important tool for employers to use when short-listing andverifying candidates. The Data Protection Act does not prevent employers from conducting such checks. However, employers should only perform checks on prior convictions for “specified and lawful purposes,” or in other words, if they are relevant for the role.
A standard criminal records check will show details of an individual’s convictions, cautions, reprimands, or warnings recorded on police central records and include both “spent” and “unspent” convictions. (A conviction is spent when the offender has not re-offended for a specific length of time and is considered to be rehabilitated.) The general rule is that a spent conviction need not be disclosed to an employer, and an employer must not refuse to employ the person because of a spent conviction. Therefore, employers should carefully consider the nature of the conviction and whether it makes the individual unsuitable for the role.
As a general point, employers should note that the UK’s data protection regulator, the Information Commissioner’s Office (ICO), generally recommends that employers confine the scope of comprehensive vetting and/or background checks to the candidate or candidates selected for the job. Employers should not engage in pre-employment vetting for all short-listed candidates.
Finally, as a matter of best practice, employers should provide a secure method for storing recruitment records, including restricting access to the record obtained during the background checks. ICO guidance recommends that such records be kept for between three and six months following the recruitment procedure before being securely destroyed. The justification for up to a six-month retention period is that the maximum period within which an unsuccessful applicant may bring a claim in relation to a recruitment process will usually be six months. Any information about successful applicants that is not relevant to the ongoing relationship should be deleted.
Monitoring at Work
At some point during the employment relationship it may be necessary for an employer to undertake surveillance or monitor employees’ activities. For example, an employer may want to do this if it suspects that an employee is acting in breach of confidence or engaging in unlawful activity. Although permissible, monitoring must be undertaken within the limits imposed by the principles of the Data Protection Act.
Although some employers secretly monitor employees, this is rarely legal and usually employers must take reasonable steps to inform employees that monitoring may occur, the type of activity that may be monitored, and why monitoring is necessary.
To use the most common example of monitoring activity—the monitoring of employees’ electronic communications at work—an employer may legally monitor the use of electronic communications under the following circumstances:
the monitoring relates to the business;
the equipment being monitored is provided partly or wholly for work; and
the employer has informed employees of the nature, extent, and reason for any monitoring.
Employers can usually satisfy the requirement to inform employees of the possibility that they will be monitored through an appropriate policy in the employee handbook. Indeed, it is often important for an employer to have such a policy in order to help demonstrate compliance with the Data Protection Act in the event of a complaint relating to monitoring.
If an employer sticks to the general rules listed above and has identified any negative effects that monitoring may have on staff (often referred to in the United Kingdom as an “Impact Assessment”), employee consent will usually not be needed before engaging in monitoring activity. However, employers must always have a good business reason for monitoring employees and should seek appropriate legal advice if this issue is not clear.
In addition to potential penalties and reputational damage (highlighted in part one of this series), significant breaches of privacy—whether in relation to background checks, monitoring, or otherwise—that occur during the employment relationship can form the basis of other serious legal claims, such as claims for constructive dismissal under the UK’s unfair dismissal legislation. Further, in light of the proposed changes to European data protection law, which will likely give data protection regulators new powers to issue significant fines for data privacy breaches, it will soon be increasingly important for employers to comply with data privacy laws.