IT and data

GDPR for HR | ICO enforcement and new data protection audit framework, and data privacy risks in pre-employment vetting

Published on 25th Oct 2024

Welcome to this month's edition of our GDPR for HR newsletter where we dive into the latest updates, cases and insights on data privacy.

Above view of people in a meeting sitting around a table

ICO enforcement action: requests found in unmonitored email inboxes 

The Information Commissioner's Office (ICO) issued a reprimand to the Labour Party on 28 August for repeatedly failing to respond to data subject access requests (DSARs) following a cyber-attack in October 2021, which led to an increase in requests from the public. 
In November 2022, the Labour Party had received 352 DSARs, 78% of which were not answered within the maximum time limit of three months, and over half were delayed by over one year. 

After receiving over 150 complaints regarding Labour's handling of DSARs, the ICO launched an investigation and further found that a "privacy inbox" (which was originally used to respond to correspondence and requests from individuals affected by the cyber-attack) contained over 600 additional DSARs. However, none of the additional DSARs had been responded to by Labour. It was found that the privacy inbox had not been monitored since November 2021, when Labour moved cyber-attack-related correspondence to its standard data protection inbox. 

Lessons to draw from the incident for other data controllers in complying with the UK GDPR include:

  • Prepare adequate resources. Organisations should ensure they have adequate resources (for example, staff) in place to process and respond to DSARs and other data subject requests, including a sudden large influx of requests after data security incidents. 
  • Take care of unmonitored inboxes. For any inboxes that are no longer in use, organisations should remember to delete them (after properly examining all emails to ensure there are no outstanding requests) or auto-forward future incoming emails to the replacement inboxes. 
  • Implement and maintain standard policies. Organisations may consider implementing standard internal policies to deal with data subject rights. It is important that any such policies are kept up to date. 
     

Increasing DSAR-related complaints in the finance sector: ICO's new data protection audit framework

The ICO has recently noted in a LinkedIn post that there has been a 15% increase in the number of DSAR complaints in the finance sector. It provided advice for the sector on how to improve, including:

  • Assess your current compliance. The ICO recommends the use of its accountability framework, which has a list of questions to help organisations assess their approach to demonstrating compliance with the UK GDPR and work out possible improvements. 
  • Think about records management. It will be easier to handle DSARs if you know what information your organisation holds about people, where you keep it and how you can search for it.  

To further help organisations assess their own compliance with data protection law and identity necessary steps to improve data protection practices, the ICO has launched a new data-protection audit framework, which is an extension of its existing accountability framework. The new framework has nine toolkits covering areas such as records management and requests for data. Each toolkit has a downloadable data protection audit tracker (in Excel format) to help organisations conduct assessments of compliance and track actions for improvement.

In more detail, the "requests for access" toolkit helps organisations understand what measures they should have in place to respond to DSARs effectively and in a timely manner. It covers areas, including: 

  • Preparing for DSARs;
  • Recognising DSARs;
  • Validating and managing DSARs;
  • Finding and retrieving information;
  • Exemptions and redactions;
  • Supplying information; and
  • Monitoring and improving performance.

The ICO says that the new audit framework will help encourage a positive data protection culture and empower organisations to embrace data protection as an asset, rather than just a legal requirement. 
 

Data privacy risks in pre-employment vetting: how to deal with candidates' special category data in public domains

In the recent case of Ngole v Touchstone Leeds, the Employment Tribunal ruled that it was direct discrimination on the grounds of the applicant's religious beliefs when the recruiter withdrew an offer of employment after searching online and finding that the candidate had publicly posted religious opinions disapproving of homosexuality on Facebook. 

While the tribunal did not consider data protection issues in relation to pre-employment vetting (as it has no jurisdiction over data privacy complaints), the ICO's draft guidance on data protection and recruitment covers this very scenario. The ICO says that when it is clear that a candidate has willingly and deliberately made their special category data – for example, race, sexual orientation or religious beliefs – publicly available, the data can only be used if it is used fairly and lawfully for recruitment purposes. 

Recommendations for good practice given by the ICO include:

  • Recruiters should not make assumptions about a candidate's suitability for a particular role based on their special category data, even if it has been deliberately made publicly available by the candidate. 
  • However, if recruiters consider the special category data to be significantly relevant to the role they are recruiting for, they can still use it as long as it is used fairly. For example, by giving the candidate an opportunity to explain or comment at interview. This will also ensure the data recruiters hold is accurate. 

The ICO's employment practices code also provides recommendations for good practice in pre-employment vetting generally, including:

  • Only use vetting where there are particular and significant risks involved to the employer, clients, customers or others, and where there is no less intrusive and reasonably practicable alternative. 
  • Only carry out vetting on an applicant as at late a stage as is practicable in the recruitment process.
  • Make it clear early in the recruitment process that vetting will take place and how it will be conducted.

Upcoming events

Dipping into Data | Data Subject Access Requests

10 September | 16:00-16:30

Using a practical case study, we looked at the mechanics and tactical considerations of responding to a data subject access request and provided an update on the latest regulatory and case law developments.

Watch the recording>

Dipping into Data | ICO data protection practitioners' conference

17 October | 16:00-16:30

In this webinar, our experts considered the main takeaways from the UK privacy regulator's annual conference (held on 8 October) and the practical implications for business.

Watch the recording>
 

Dipping into Data | Session 3

4 December | 16:00-16:30

More to follow

Register now>
 

Share
Related articles
Legitimate interest as a legal ground for data processing in a commercial context in Spain
24/10/2024 5 mins
GDPR for HR | ICO enforcement, DSARs, and what UK data law changes to expect
30/08/2024 5 mins
Implementation deadline for NIS2 and new EU cybersecurity compliance regime draws nearer
06/08/2024 11 mins
Cyber attack on a UK staffing company:  a 'war story'
13/06/2024 3 mins
Interested in hearing more from Osborne Clarke?

Register now for more insights, news and events from across Osborne Clarke

Sign up

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Connect with one of our experts

Interested in hearing more from Osborne Clarke?

Register now for more insights, news and events from across Osborne Clarke

Sign up