As DPO for a UK company, I have received a concern that we do not collect consent before requesting references from previous employers.
We do make the potential employees aware that we are going to make checks using the references that they gave us, but we do not use consent as our legal basis for processing, as I do not feel it would be appropriate.
To be clear, we do not currently collect criminal offence data as part of this process.
What are your thoughts? Do you collect consent for this type of check?
Thanks in advance!
Hi Jess, assuming “your” GDPR is the same as ours 😉 I would stay away from consent in this case.
I don’t think this form of consent can be considered “freely given”. I would either use the legitimate interest (although that might be challenging as well), or the “needed to enter into a contract”.
The criminal offence data is a different type of personal data and since you’re not collecting it “currently”, I can only state to be very careful when collecting that information, since it’s explicitly limited under Art 9 GDPR.
I would agree with Alexander & Phil, in that consent isn’t the most appropriate lawful basis here.
The DPA 2018 provides an exemption for the right of access and right to be informed, where the processing is in relation to Confidential References, and the employment of an individual is listed in the Confidential References list.
So a basis other than consent is better, and it is Data Protection Act 2018, Schedule 2, Part 4, Paragraph 22 that sets out what I think is the relevant exemption.
This ICO link provides more detail too: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/exemptions/
The exemption I think you are referring to is Schedule 2, Part 4, Paragraph 24, but it should be noted that this exemption is only in reference to Art 13-15 of the GDPR, i.e. the right to information and access so it isn’t related to the legal basis for processing this information.
Thanks Hellen, yes that’s right – typo on my part, it is Paragraph 24.
That’s right, as I mentioned, the exemption only applies to specific subject rights in relation to being informed and the right of access; it doesn’t give guidance on lawful bases.
Hi, I would concur with Alexander. Consent is not appropriate because of the imbalance of power between employer and candidate, i.e. it’s not freely given. Plus, how could the candidate meaningfully withdraw that consent? I would recommend Performance of Contract as probably the best and safest way to go.
Criminal checks are possible, but you need to think through your justification. Are they proportionate to the role? Would you screen everyone or just certain positions? You would also need to document your lawful basis under an exemption to Art. 10 provided for under the Data Protection Act 2018.
So… I’m going to suggest that there is a little more nuance in this:
Where someone has given you the details of the referee(s) and, at the point they did, you have stated when and how you would use this information, then you have consent to undertake that action. Many job applications have an option which says that the prospective employer cannot approach the referee without the candidate’s permission or before a job offer has been made (conditional on receipt of satisfactory references), which once again implies consent in this process.
Where you go hunting for additional information, i.e. credit checks, a referee that the candidate did not supply, then you have to be very clear about why you are doing it and what your legal basis is for doing so. Your actions need to be proportionate and not affect the rights and freedoms of the individual and ultimately justifiable in the context of the application process.