internet searches and privacy of job applicants under ... · include, that only data concerning...
TRANSCRIPT
Internet Searches and Privacy of Job Applicants Under Dutch Law
I Elisabeth P.M. THOLE
What has Google to do with job recruitment? Nowadays many recruiters and future employers use the Internet to obtain background information about a job applicant. Large quantities of information can be found on a person through search engines and social network websites. Some future employers even ask job applicants to mention their user names on social network websites to facilitate their search.
For job applicants, the Internet offers great possibilities to create their own profiles on websites such as Facebook and Linkedin, which helps to enlarge their (business and social) network, and also to find a new job. Whereas Linkedin is specifically aimed for use in a professional network, other social network websites are mostly meant for leisure and fun. Especially younger persons place information about their personal life on such websites, like contact details, holiday pictures, information about their relationship and hobbies.
Perhaps this information may be quite useful for friends and family. At the same time it can also be interesting for future employers and recruiters. Pictures of drinking tequila shots at a beach bar wearing a bikini are fun to share with friends, but may also be interesting information for a future employer to be used for the selection of the job applicants. Background checks can be carried out by external agencies, but such checks are costly and time-consuming, whereas the Internet is free and easy. The facilities are there, but does this imply that it is always allowed to use this public information for the verification of job applicants? In this article I will discuss the data protection related of performing Internet searches of job applicants from a Dutch law perspective. As the Dutch Data Protection Act (DPA) is an implementation of the European Data Protection Directive, the analysis may also be relevant for other EU Member States.
I Personal data of the job applicant
In the Netherlands, the DPA provides the rules for the processing of personal data. Personal data means information that, reasonably without disproportionate efforts, can be traced to a natural person. Here the job applicant. When an Internet search is carried out, different personal data will be processed. This may include data such as the address of the job applicant, his date of birth, employment history, pictures, video's and information about his friends and family.
The DPA applies to the processing of personal data. Processing includes the collecting and viewing of personal data. Thus also when the data will not be put in a file, the DPA may be applicable. An exception can be found in the processing of personal data solely for personal use. As background searches are usually carried out for business purposes, it is not likely that this exception applies. Case law from the European Court of Justice also shows that application of the exception is not easily assumed.
Although the DPA may apply to Internet background searches, there may still be differences in those searches, which may also have an impact on what will be allowed and what not. A difference could for example be made between the scope of the search. The future employer or recruiter could for instance limit the search to Linkedin, a website which is meant for use in a professional network. Another possibility is that the search is viewed on screen only and just and by one HR manager, and not printed and/or placed in a file, which can thereafter also be available to many others.
I Position of future employers and recruiters
In most instances, the future employer must be considered the data controller of the personal data. If a future employer makes use of an external recruitment agency for carrying out the Internet search of a job applicant, the recruitment agency is considered the data processor.
A data controller is the entity authorized to determine the purposes and means of the processing of personal data. Unlike a data controller, a data processor has no control over the data processing; a data processor should follow the instructions given by the data controller and carries out work under the (explicit) responsibility of the data controller. The data controller remains responsible for the processing of the personal data (see also Article 29 Working Party, Opinion 1/2010 adopted on 16 February 2010;WP 169).
A (written) data processing agreement must be concluded between the future employer and the recruitment agency. By means of such a contract, the parties must ensure that the information is processed only for the specific purposes for which it was collected. In particular, the recruitment agency must abide by strict confidentiality and security Obligations. The recruitment agency will also have to comply with the retention periods by which the future employer is bound. The future employer must, in its capacity as a data controller, be required to periodically verify compliance by the recruitment agency with the principles of the applicable law.
I Purposes and justification grounds
The future employer will only be allowed to process or have the personal data
3 0 2 m 2 0 1 0 I Bringing Together the World's Lawyers
processed by the recruitment agency for
well-defined, clearly described and justified
purposes. As to Internet background
searches, the purpose will be judging, on
the basis of personal information, whether
a job applicant will be suitable for a certain
job at the future employer's organization.
In addition, the employer is allowed to
process the personal data only if a ground
of justification is in place. Here the
following two grounds of justification may
be relevant: (a) The processing is necessary
for upholding the legitimate interest of the
employer; or (b) The applicant gives its
unequivocal consent to process his data.
First ground:
leg i t imate in terest of the employer
The employer may process the personal
data without the applicant's consent, if he
can demonstrate that he has a legitimate
interest to process the personal data,
which prevails above the privacy interest of
the job applicant. A t first sight an employer
may have a legitimate interest to perform
an Internet search with respect to a job
applicant in light of the job application
procedure. It will be up to the employer to
determine in each particular case whether
it fully meets all the criteria. Against the
above background, it will be necessary for
the employer to verify whether the goal of
processing may not also be obtained by less
far-stretching measures. He should not
process more data than necessary. The
employer should also limit the access to
the data to a certain group of people (e.g.
the recruitment agency and members of
the HR organization only), and the
employer should not save the data longer
than necessary.
In this respect, different arguments can be
made whether it should be allowed to
perform Internet background searches,
without the consent of the job applicant.
Arguments in favor of allowing Internet
searches of job applicants, can be found in
the fact that the applicant made this
information publicly available about himself.
The information is freely available. It would
be the job applicant's own responsibility to
prevent the availability of such information,
e.g. by making its profiles only available to a
limited number of people, or by not
disclosing such information on the Internet
at all. The job applicant could perform an
Internet background search by himself, and
make sure there are no unwanted data
available.
Arguments against the searches, without
the prior consent of the job applicant, are
the following. In most instances the job
applicant did not provide the personal data
for the purpose of background searches.
He just put it there for friends and fun, and
not to be confronted with the data during
a job interview. Also, it is hard to remove
(unwanted) personal data from the
Internet. Information is copied on the
Internet in a split second, and it is
impossible to trace information
A disadvantage of relying on the consent
may be that the applicant can at any time
revoke its consent to process the data.The
applicant however cannot withdraw its
consent retroactively. And if a job applicant
would withdraw his consent, this fact as
such provides also information to the
future employer on the job applicant,
although an employer should also be
careful not to jump to any conclusions
without verifying such with the job
applicant.
Code of conduct
A solution could also be to create a code
of conduct for Internet searches by future
employers of job applicants. An argument
for introducing such code of conduct is
that in the offline world it is common to
ask the job applicant's consent for the
The future employer must, in its capacity as a data controller, be required to periodically
verily compliance by the recruitment agency with the principles of the applicable law.
throughout the whole Internet. Moreover,
it is quite easy to commit fraud on the
Internet. Information may be presented as
posted by a certain individual, but could
actually be posted by someone else. And
many people have similar names.This could
lead to many mix-up situations.
Second ground:
job applicant's consent
If the processing would be based on the
consent of the data subject, the personal
data may only be processed if the job
applicant has given his unequivocal consent
to the future employer. When asking for
the consent, the job applicant should be
well informed, so that he knows for what
he is consenting for.
If the applicant can make use of a website
for its application, the employer could ask
the applicant for its consent by asking the
applicant to tick a box before completion
of the application form. Relying on the
ground of consent could in that case be a
reliable ground for the processing of
Internet background search data.
checking of references. There should be a
translation of this rule of decency for the
digital world.
Critics claim, that this idea masks the real
problem, being that there should be more
information about the risks of placing
information on the Internet. Young people
should be made more aware of that. If they
are, no such code of conduct would be
needed. Still a code of conduct could
provide more clarity regarding the
applicable (data protection) rules in this
respect.
i Additional formal requirements for the future employer under the DPA
The future employer may have to notify the
processing of the personal data to the
Dutch Data Protection Authority, unless he
may rely upon the exemption which applies
to the processing of the personal data of
job applicants. In order to be able to rely
upon this exemption ail conditions should
be met. The conditions for the exemption
[(assembler les avocats du monde I 2 ■ 2 0 1 0
include, that only data concerning name, contact details, nationality, education, present and former employment of the job applicant are processed. Other data that may be relevant for the position may only be processed when they have been provided by or are known to the job applicant Moreover the future employer may not retain the data for more than 4 weeks, or not more than I year with the consent of the applicant.
If the future employer would take care of these retention periods and if he could prove that the data obtained during the Internet search have been made available by the job applicant himself (for example on Linkedln), then the future employer could probably rely upon the exemption.This could however be different, when the future employer combines data from different websites, or when it turns out that information about the job applicant was not posted on the internet by the job applicant himself, but by a third person.
If the future employer can rely on the exemption, this only means that it does not
internet background search, and that a recruitment agency - if any - will perform this search (if applicable). The future employer could also make clear that the access to the personal data is limited to certain people within the organization. It is also advisable that the recruitment agency uses a privacy statement in line with the employer's statement.
I Conclusion
Internet background searches by future employers, possibly assisted by a recrui t ing agency, can be per formed quite easily. Loads of personal in format ion can be found in the Internet in a simple way. But the fact that i t is publicly available, does not imply that i t is compliant w i th Dutch data protect ion legislation t o do so.
The 'safest' ground for processing personal data of job applicants w i th respect t o Internet background searches is t o obtain the pr io r consent of the job applicant. In that respect i t wou ld be advisable t o provide an (online) application f o r m , and give the job applicants the opt ion t o t ick a
The future employer also will have to inform the job applicant of the processing of its personal data within the context of the internet background search, and that a recruitment agency - if any - will perform this search (if applicable).
have t o notify the processing of this data. This does no t automatically make the processing legal.
The notification, which has t o be made up in the Dutch language, must include the name and address of the employer, the reason for processing the data, the type of employees and the types of data that wi l l be processed, the recipients of the data, whether the data wil l be sent to countries outside the EU, and a general description of the process to determine whether the security measures that have been taken are suitable. Making a notification t o the Dutch Data Protection Author i ty is free of charge.
The future employer also wil l have t o inform the job applicant of the processing of its personal data wi th in the context of the
box, allowing the future employer t o search the job applicant on the Internet. If the application is no t received electronically, i t wou ld be best t o contact the job applicant and ask for its consent, before performing a search.
The downside of consent as the ground for processing, is tha t job applicants can wi thdraw the i r given consent at any t ime. Wi thdraw ing the consent can however no t be done w i th retroact ive effect.
The ground o f having a legitimate interest t o per form an Internet background search w i th respect t o an applicant could also be used by the fu ture employer t o argue that the personal data may be processed w i thou t the applicant's consent.The future employer should, however, be able t o
demonst ra te tha t i t has a legi t imate interest which prevails above the privacy interests o f the applicants.
Dr. Elisabeth P. M .THOLE ' Vice-President of UIA Protection of Personal
Data and Rights of the Digital Person Commission Attorney
Van Doorne Amsterdam.The Netherlands
' Head of the Van Doorne Privacy Team. She recently published the book "50 questions on Privacy". She may be reached at [email protected].
32 2 a 2 0 i 0 1 Reunir a !os abogados del mundo