Your personal data when going forward for IT contracts: is it private?
Can all personal data be private? You might think in the era of GDPR, that the answer to this question is bound to be a straightforward, resounding ‘Yes.’
But you’re likely to give a ‘No’ answer if you’re the Ministry of Defence -- or at least, that was very broadly the MoD’s position in a court case involving Security Clearance.
The parties who want to obtain job-seeker data
Of course, it’s not just vetting officials who often want to obtain the personal data of professional workers, relating to convictions, financial history and other datasets that could represent ‘skeletons in the cupboard.’ Recruitment agencies, HR officers and employers more generally are all often at it. But, asks Charlotte Gerrish, founding partner of Gerrish Legal, are they entitled to it?
Well, under EU law, the GDPR sets out that the processing of personal data relating to criminal convictions can only be carried out by organisations who have the official authority to do so, and who have a legal basis for doing so.
In practical terms, this means you cannot keep a comprehensive register of criminal convictions, and your legal basis for the processing of the data must be documented before you can begin any sort of processing.
Consent and data-handling under the law
This would suggest that it is not lawful for employers (including the end-users of self-employed contractors) to carry out criminal background checks as a matter of practice, or to generally ask employees (and contract workers) to undergo a criminal background check, unless they are recruiting for a job or assignment which requires this sort of check. We’re referring here to the instances of candidates who are going to work with children, rather than sensitive code.
Be aware, the Data Protection Act 2018 (DPA), the UK’s transposed version of the GDPR, introduced further conditions: businesses must assess, and be able to justify, whether a specific condition applies that allows them to process criminal data.
Be further aware though, there is always the legal loophole that employers could ask for consent. However, there is the risk to the employing body that the employee (or contract worker) would be perceived as having had no other option but to give consent, given the perceived power imbalance between the two parties.
Consent must be informed, unambiguous and freely given, meaning an individual should feel that they have the option to refuse without being prejudiced as a result. In asking for consent to review criminal convictions, employers (and engagers generally) must consider whether this consent would appear to be freely given, considering the potential repercussions that the worker may fear if they were to refuse consent.
Therefore, when the obligations of the GDPR came into force a little over a year ago, it made employers rethink their policies. Pre-GDPR, it was common practice for many UK organisations to carry out routine criminal conviction checks on prospective hires. However, with the GDPR and the DPA, employers must now consider what the legal basis of this processing would be, and of course keep any data that was disclosed to them under tight wraps.
Is your personal data protected in a criminal probe?
So, your criminal convictions are generally private from employers. But what about vice versa? In other words, could your personal data be protected from criminal investigations?
Well, the DPA restricts the privacy of personal data when it is required by the police. So the GDPR does not apply to any personal data processed for the prevention or detection of crime, or the apprehension or prosecution of offenders.
This means that despite the strict rules on employers (or engagers) asking for criminal convictions, the GDPR does not impede legitimate police or national security work. Clearly, there will be times when the police have a legitimate need to access personal data. This need not be only criminal convictions: rather, any sort of personal data an employer or other organisation holds on a person.
The burdens on data-controllers, and their duties to police and job-seekers
However, the employing body, as a ‘data controller,’ is responsible for ensuring that its data subjects’ information is protected. The exemption in the DPA should not give the police carte blanche access to personal data; there is a balance to be struck, and the responsibility (and art) of striking it lies with data-controllers. Simultaneously, controllers must toe the line between protecting personal data and not impeding legitimate police work.
The difficulty of this balancing act can be seen with the MoD case mentioned at the outset, as it was forced to pay out to a former political adviser after it handed ‘secret’ details of his life to prosecutors. The adviser, Richard Holden, who had undergone high-level security vetting before beginning his career as a political adviser, was accused of sexual assault and had his UK Security Vetting file handed to the Crown Prosecution Service to use as character witness evidence. For handing this evidence over, the MoD had to pay compensation.
Let this be a lesson that while personal data is excluded from protections when it comes to criminal investigations, this does not give the police free rein on any and all data. More importantly for the likes of contractors’ clients (the data-controllers), the lesson from the case is that they must always be aware of the legitimate purposes for processing data before they consent to it being shared. It’s a lesson that can come with a hefty price tag if controllers miss it – £20,000 in the case of the MoD – so agents, officials and employers simply cannot afford to pry any skeletons out of the cupboard too clumsily.