The Information Commissioner’s Office have just released their guidance on the use of Legitimate Interest as a legal basis under GDPR.
Here at Obsequio, the first thing that stood out to us was the possibly misleading examples relating to recruitment. As a result, we called the ICO and discussed it further. We provide the examples we discussed in our response to the guidance below.
Admittedly we’ve placed our stake in the ground that consent is the right legal basis to process candidate data. Obsequio is entirely based on this belief and we are working with recruitment companies right now to help them in their journey to managing candidate consent.
As you could suggest that there is a possibility of bias in our view, we asked Charlotte Gerrish to provide her own response to the ICO’s new guidance on Legitimate Interest.
Charlotte is the founding lawyer at Gerrish Legal. She is working closely with clients across Europe in multiple industries to help them navigate the GDPR in time for the May 25th deadline. Having spent time in-house at one of the world’s largest recruitment firms, we trust her judgement.
If you would prefer to skip our opinion, you can jump straight to her response here.
What stood out to us is the possibility that, after a short read of the new guidance, it may appear as if Legitimate Interest is a get-out-of-jail-free, no-effort-required option.
Without really considering:
- the impact of using legitimate interest as a legal basis on your relationship with candidates, and
- the potential fallout if your LIA (legitimate interest assessment) does not hold up under inspection,
we are concerned that business owners could unwittingly leave themselves unprotected under GDPR.
Here are the two recruitment examples directly taken from the new guidance.
Legitimate Interest for Processing Candidate Data from Job Boards
Legitimate Interest for LinkedIn
Understandably, it would be very easy to read the above as ‘see data, keep data, share data’. And who could blame you? We asked the ICO a few questions requesting clarification. They were:
- If a candidate makes their CV available on a job board today, and removes it tomorrow, does the recruiter’s legitimate interest still apply?
- Same question for the LinkedIn tick box to offer contact from recruiters?
- Can a recruiter, as can be inferred from the example, share the personal data of candidates processed under legitimate interest with any organisation they deem appropriate under their legitimate interests to make a fee?
- If data is shared unsolicited between a recruiter and a 3rd party (client), is that relationship controller/processor or controller/controller?
We received guidance on the call. When we have it in writing, we’ll update this blog verbatim. As you might imagine, it’s not the free-for-all the examples first lead the reader to believe.
Charlotte Gerrish, Founding Lawyer of Gerrish Legal, provides the following view on legitimate interests and consent in the recruitment business, following the recent ICO publication.
In my view, it is important to dissect what the ICO guidance is saying.
It is stating that when candidates have actively signed up to a job board, job site or have selected the I Am Available to Recruiters option on professional social media sites, such as LinkedIn, the interests of the candidates and the recruitment agencies are most likely the same – let’s find this person a job.
In this case, it seems fair enough to rely on legitimate interests to process some personal data gained in this way (but not special category data as I discuss below).
Whilst it is true that the candidates may not have anticipated the exact identity of the data controller, they have nonetheless anticipated that various parties will process their data as part of their active and express desire to job hunt by signing up with these sites or by selecting specific job search functions.
It is also important to note that when a candidate signs up to a job board, or uses certain functions via social media, it means that they have also signed up to user terms and conditions which no doubt cover data protection obligations, allowing transfer of data to third parties, such as to recruiters.
WARNING – this does not give recruiters a totally free card to rely on legitimate interests for everything they do with candidate personal data.
Firstly, when relying on legitimate interests, recruiters need to ensure that the long-established test under EU law is respected and keep records of this to adhere to their accountability obligations under the GDPR. Evidencing legitimate interests can be onerous, so it should not be considered the “easy option”.
Secondly, when a candidate is supplying personal data to the recruiter directly via a contact form on their website, or by sending over a CV outside of any other arrangement with a job board or their social media settings, in my view, consent is the preferred lawful basis for processing under the GDPR.
Why is Consent the Preferred Lawful Basis for Processing under the GDPR?
Commercial Competitive Advantage
From a commercial perspective, by relying on consent as a recruiter, this means that you can offer your candidates a real choice and control over how you use their personal data.
This helps recruiters to build trust and better engagement with their candidates and clients.
It also sets high quality agencies apart from those who are just thinking about short-term commission, sending CVs that aren’t fit for purpose or prospecting candidates for roles which are totally outside of their skill set.
As a recruitment agency, you are going to come into contact (either directly or indirectly) with what the GDPR refers to as “special category data” belonging to your candidates.
The GDPR says that special category data includes information relating to an individual’s:
- ethnic origin
- trade union membership
- biometrics (where used for ID purposes, such as fingerprint access on an iPhone)
- sex life
- sexual orientation
You are going to get such data simply by receiving a copy of a candidate’s ID or work papers, or later in the recruitment process (during interview or offer for example).
Under the GDPR, in order to process special categories of data, not only do you need a lawful basis (such as pursuant to a contract, for legal reasons or based on legitimate interests), but you also need consent from the individual.
As consent is also a lawful basis, it makes sense to get clear consent from your candidates at the outset to make sure you are compliant for all types of data collected.
Indeed, the ICO guidance states that when a candidate has not clicked the “Share With Recruiters” option on his or her social media profile, legitimate interests do not apply.
The ICO expressly states that in this case (in the Legitimate Interests for LinkedIn example above):
“[candidate] interests in maintaining control over their data overrides any legitimate interests of a recruitment agency or recruiting organisation”
And so, in my opinion, consent remains the most appropriate basis.
GDPR and PECR must work together
The GDPR is not the only legislation that recruiters need to consider.
They also need to adhere to rules surrounding electronic communications and the use of new technologies (such as information gathered by cookies), when they are contacting individuals, for example, by carrying out direct marketing.
In addition to the rules in the GDPR concerning how personal data gained via direct marketing is processed, recruiters also need to respect the Privacy and Electronic Communications (EC Directive) Regulations 2003 (also known as “PECR”).
PECR provide rules about sending marketing and advertising by electronic means. This includes telephone, fax, email, text and picture or video message, or by using an automated calling system.
PECR also specifies rules relating to cookies, telephone directories, traffic data, location data and security breaches.
Consent is central to the rules on direct marketing.
This means that recruiters will generally need a candidate’s consent before they can send marketing texts, emails or faxes, make calls to a number registered with the Telephone Preference Service, or make any automated marketing calls under PECR, and relying on legitimate interests is not likely to be sufficient.
Recruiters will also usually need consent to pass candidate details on to clients (potentially outside of the Job Board and Specific Social Media situations outlined above).
According to recent ICO Guidance there is a possibility to use “implied consent” as a ground for direct marketing, but this is more likely to be appropriate for offline communications (such as, at the point of sale in a store).
The ICO also warns that organisations, such as recruitment agencies, cannot rely on “implied consent” [page 65] as a “euphemism for ignoring the need for consent, or assuming everyone consents unless they complain”.
Even implied consent must still be freely given, specific and informed, and must still involve a positive action indicating agreement (such as clicking on a button, or actively subscribing to a service).
This means that the candidate must have understood that they were consenting, and exactly what they were consenting to, and must have had a genuine choice – if a condition of subscribing to a service (for example to use your recruitment services) is giving consent to marketing, the recruiter will have to demonstrate how this indicates that consent was freely given.
In a similar manner to the GDPR, to be valid, consent must be knowingly and freely given, clear and specific. It is therefore important for recruitment agencies to keep clear records of what a candidate has consented to, when and how this consent was obtained, so that they can demonstrate compliance in the event of a complaint.
If recruitment agencies are unable to demonstrate that they had valid consent, they may be subject to enforcement action.
In my professional view as a lawyer (and having experience as an in-house lawyer “on the sales floor” of one of the world’s largest staffing companies), the best bet is to go with consent.
Consent is the safest way to gain and maintain trust and avoid running into issues further down the line.
Ready to do candidate consent well? See how Obsequio can help your recruitment business manage consent.