GDPR for HR | ICO enforcement and the new data protection audit framework, and data privacy risks in pre-employment vetting
Published on 29th Oct 2024
Welcome to this month's edition of our GDPR for HR newsletter, where we dive into the latest updates, cases and insights on data privacy.
ICO enforcement action: requests found in unmonitored email inboxes
The Information Commissioner's Office (ICO) issued a reprimand to the Labour Party on 28 August for repeatedly failing to respond to data subject access requests (DSARs) following a cyber-attack in October 2021, which led to an increase in requests from the public.
In November 2022, the Labour Party had received 352 DSARs, 78% of which were not answered within the maximum time limit of three months, and over half were delayed by over one year.
After receiving over 150 complaints regarding Labour's handling of DSARs, the ICO launched an investigation and further found that a "privacy inbox" (originally set up to respond to correspondence and requests from individuals affected by the cyber-attack) contained over 600 additional DSARs, none of which Labour had responded to. The privacy inbox had not been monitored since November 2021, when Labour moved cyber-attack-related correspondence to its standard data protection inbox.
Lessons to draw from the incident for other data controllers in complying with the UK GDPR include:
- Prepare adequate resources. Organisations should ensure they have adequate resources (for example, staff) in place to process and respond to DSARs and other data subject requests, including a sudden large influx of requests after data security incidents.
- Take care of unmonitored inboxes. For any inboxes that are no longer in use, organisations should either delete them (after properly examining all emails to ensure there are no outstanding requests) or auto-forward future incoming emails to the replacement inbox. In either case, record who owns the replacement inbox and check periodically that it is actually being read.
- Implement and maintain standard policies. Organisations may consider implementing standard internal policies to deal with data subject rights. It is important that any such policies are kept up to date.
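As an added illustration of the "unmonitored inbox" lesson above (this is not part of the newsletter, and not guidance from the ICO or the Labour Party), the following Exchange Online PowerShell session shows how an administrator can check when a legacy shared inbox was last attended, forward new mail to the replacement inbox while keeping a copy for review of outstanding requests, and run a periodic sweep for other shared mailboxes nobody has opened recently. The mailbox addresses and the 90-day threshold are placeholders; it assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run.

```powershell
# Added example: not from the newsletter. Assumes the ExchangeOnlineManagement
# module is installed and an admin has already run Connect-ExchangeOnline.
# Mailbox addresses below are placeholders.
$legacy      = 'privacy@example.org'         # inbox that is being retired
$replacement = 'dataprotection@example.org'  # inbox that is actively monitored

# 1. How long has the legacy inbox been unattended, and how much is sitting in it?
Get-MailboxStatistics -Identity $legacy |
    Select-Object DisplayName, ItemCount, LastLogonTime

# 2. Forward every new message to the replacement inbox, but keep a copy in the
#    legacy mailbox so the backlog can still be reviewed for outstanding requests
#    before the mailbox is finally deleted.
Set-Mailbox -Identity $legacy `
    -ForwardingSmtpAddress $replacement `
    -DeliverToMailboxAndForward $true

# 3. Confirm the forwarding rule took effect.
Get-Mailbox -Identity $legacy |
    Select-Object DisplayName, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 4. Periodic sweep: list shared mailboxes with no interactive logon in the last
#    90 days (placeholder threshold) so they can be reassigned, forwarded or closed.
$cutoff = (Get-Date).AddDays(-90)
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    ForEach-Object { Get-MailboxStatistics -Identity $_.Identity } |
    Where-Object { $null -eq $_.LastLogonTime -or $_.LastLogonTime -lt $cutoff } |
    Select-Object DisplayName, ItemCount, LastLogonTime |
    Sort-Object LastLogonTime
```

Two caveats: LastLogonTime reflects any mailbox access, including automated processes, so a recent timestamp does not prove that a human read the requests; and a forwarded message is still a received request for deadline purposes, so the statutory clock starts when it arrived in the legacy inbox, not when someone first notices it in the replacement one.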
Increasing DSAR-related complaints in the finance sector: ICO's new data protection audit framework
The ICO has recently noted in a LinkedIn post that there has been a 15% increase in the number of DSAR complaints in the finance sector. It provided advice for the sector on how to improve, including:
- Assess your current compliance. The ICO recommends the use of its accountability framework, which has a list of questions to help organisations assess their approach to demonstrating compliance with the UK GDPR and work out possible improvements.
- Think about records management. It will be easier to handle DSARs if you know what information your organisation holds about people, where you keep it and how you can search for it.
To further help organisations assess their own compliance with data protection law and identify the steps needed to improve their data protection practices, the ICO has launched a new data protection audit framework, which is an extension of its existing accountability framework. The new framework has nine toolkits covering areas such as records management and requests for data. Each toolkit has a downloadable data protection audit tracker (in Excel format) to help organisations assess their compliance and track actions for improvement.
In more detail, the "requests for access" toolkit helps organisations understand what measures they should have in place to respond to DSARs effectively and in a timely manner. It covers areas including:
- Preparing for DSARs;
- Recognising DSARs;
- Validating and managing DSARs;
- Finding and retrieving information;
- Exemptions and redactions;
- Supplying information; and
- Monitoring and improving performance.
The ICO says that the new audit framework will help encourage a positive data protection culture and empower organisations to embrace data protection as an asset, rather than just a legal requirement.
Data privacy risks in pre-employment vetting: how to deal with candidates' special category data in public domains
In the recent case of Ngole v Touchstone Leeds, the Employment Tribunal ruled that it was direct discrimination on the grounds of the applicant's religious beliefs when the recruiter withdrew an offer of employment after searching online and finding that the candidate had publicly posted religious opinions disapproving of homosexuality on Facebook.
While the tribunal did not consider data protection issues in relation to pre-employment vetting (as it has no jurisdiction over data privacy complaints), the ICO's draft guidance on data protection and recruitment covers this very scenario. The ICO says that when it is clear that a candidate has willingly and deliberately made their special category data – for example, race, sexual orientation or religious beliefs – publicly available, the data can only be used if it is used fairly and lawfully for recruitment purposes.
Recommendations for good practice given by the ICO include:
- Recruiters should not make assumptions about a candidate's suitability for a particular role based on their special category data, even if it has been deliberately made publicly available by the candidate.
- However, if recruiters consider the special category data to be significantly relevant to the role they are recruiting for, they can still use it as long as it is used fairly, for example by giving the candidate an opportunity to explain or comment at interview. This will also help ensure that the data recruiters hold is accurate.
The ICO's employment practices code also provides recommendations for good practice in pre-employment vetting generally, including:
- Only use vetting where there are particular and significant risks involved to the employer, clients, customers or others, and where there is no less intrusive and reasonably practicable alternative.
- Only carry out vetting on an applicant at as late a stage as is practicable in the recruitment process.
- Make it clear early in the recruitment process that vetting will take place and how it will be conducted.
Upcoming events
Dipping into Data | Data Subject Access Requests
10 September | 16:00-16:30
Using a practical case study, we looked at the mechanics and tactical considerations of responding to a data subject access request and provided an update on the latest regulatory and case law developments.
Dipping into Data | ICO data protection practitioners' conference
17 October | 16:00-16:30
In this webinar, our experts considered the main takeaways from the UK privacy regulator's annual conference (held on 8 October) and the practical implications for business.
Dipping into Data | Session 3
4 December | 16:00-16:30
More to follow