trends legal magazine

Employment Law No 7


IRELAND | Data Protection in Irish Employment

Irish Data Protection legislation and the EU General Data Protection Regulation (GDPR) place obligations on employers when processing personal data of prospective employees in a recruitment process. Employers have the responsibility to be lawful, fair, and transparent and to limit the data processing to what is necessary to fulfil the recruitment purpose.

Richard Lee is a partner of BHSM LLP’s Employment & Benefit practice, advising domestic and international corporate clients in contentious and non-contentious issues that arise in all aspects of the employer and employee relationship. Sinéad Mannion is a Senior Associate in BHSM LLP’s Corporate Department, specialising in corporate transactions. Sinéad has considerable experience in dealing with all issues relating to data protection and privacy law.

How do I handle the issue of background checks, including those involving sensitive personal data such as criminal records?

Employers should exercise caution when conducting background checks on prospective employees. Background checks typically require employers to liaise with third parties such as previous employers or recruitment agencies and as such employers are processing applicants’ personal data. Often, employers are processing sensitive personal data such as medical records and/or criminal convictions.

It was previously commonplace in Ireland for employers to request prospective employees to submit a data access request for their criminal record to An Garda Síochána (the Police) and to provide the employer with a copy of such record. Save for roles that require Garda vetting (roles in which a necessary and regular part of the work or activity consists of having access to or contact with children or vulnerable adults), there is no mechanism in Ireland allowing criminal records to be accessed by employers during background checks.

Employers can only process criminal offence data if the processing is either under the control of an official authority or authorised by EU or member state law. Section 55(1)(b)(v) Data Protection Act 2018 provides that the processing of criminal offence data is permitted when authorised by the law of the State.

Employers must identify a lawful basis (which may be in pursuance of a legitimate interest of the employer) under Article 6 of the GDPR for any processing of personal data they undertake in relation to a vetting process. Article 6(1)(c) of the GDPR provides that processing is lawful when “necessary for compliance with a legal obligation to which the controller is subject”. Where employers are processing special categories of personal data, they must also identify a lawful basis under Article 9 of the GDPR, such as explicit consent or protection of vital interests, which would allow such data to be processed. An employer would also be required to carry out a data protection impact assessment (“DPIA”) for processing special categories of personal data or personal data relating to criminal convictions and offences. There is, however, nothing to prevent an employer from asking a prospective employee to declare that they have no previous criminal convictions or criminal history which might affect their suitability to perform a particular role.

The Data Protection Commissioner (the “DPC”) has highlighted the importance of transparency when conducting background checks. It is therefore necessary that employers do not carry out background checks unless they have clearly informed the candidate that they are doing so and have sought consent from the prospective candidate to carry out same. It is furthermore recommended not to carry out background checks prior to the offer stage of the recruitment process.

Are there particular issues in checking candidates’ social media profiles?

Employers are conducting social media background screening and using networks such as Facebook, Twitter, and LinkedIn to screen candidates’ profiles as part of the recruitment process. Employers should not assume that merely because an individual’s social media profile is publicly available, they are then allowed to process this data for their own purposes. Any type of data processing, including social media background screening, requires a proper legal basis and legitimate interest. The GDPR also requires that employers only view social media profiles when the information is relevant to the position being applied for.

To avoid the risk of any potential legal actions, employers should have a clear policy in place on the use of social media profile screening in recruitment, and candidates should be notified in advance of the recruitment process that their social media profiles may be screened as part of the hiring process. Any information obtained by employers should be provided to the candidate for their comments, and candidates should also be given the opportunity to respond if any aspect of their social media has negatively influenced their application before a decision is made by the employer on their application. It is important that employers conducting social media screening limit their data collection to information that is relevant and necessary to the candidate’s job performance and the recruitment decision, rather than conducting a fishing expedition, as employers otherwise run the risk of processing excessive personal information of candidates.

Can I ask candidates about their Covid-19 vaccination status?

The vaccination status of a candidate is health data and is therefore special category data under Article 9 of the GDPR; it may only be processed on limited grounds.

An employer cannot ask a candidate their vaccination status in the same sense as they cannot ask a candidate about pregnancy, marital status or sexual orientation. In order to process or collect that data, an employer would need a lawful legal basis to do so. The DPC has published guidelines (last updated November 2021) setting out the DPC’s advice on the processing of COVID-19 vaccination data in the context of employment and the Work Safely Protocol. In the guidance notes, the DPC has made it clear that currently, there is no general legal basis for employers to request information on the vaccination status of an individual.

In the absence of specific legislation in this area, an employer could potentially argue that collecting vaccination data is a necessity in terms of maintaining the health of the public or to achieve ‘legitimate interests’ pursuant to Article 6(1)(f) of the GDPR. However, the employer would be required to show that the aim is both necessary and proportionate, and any data collected must be limited to what is necessary. The DPC considers that the decision to get a vaccine is voluntary and therefore a COVID-19 vaccination should not in general be considered a necessary workplace safety measure. Consequently, the processing of vaccine data is unlikely to be necessary or proportionate in most employment contexts.

The DPC acknowledges some specific employment contexts within which the processing of data revealing vaccination status may be deemed necessary, subject to a risk assessment and with reference to sector-specific public health guidance to determine whether the measures that employers consider necessary require knowledge of employees’ vaccination status. For example, the Guide to Professional Conduct and Ethics for Registered Medical Practitioners states that medical practitioners “should be vaccinated against common communicable diseases”. In those specific situations, it is possible that an employer would be able to establish a lawful legal basis to know whether a person has been vaccinated or not, for the purposes of managing the health and safety of workers and visitors.

The guidance will be subject to review of the public health advice and laws relating to the nature of the virus, the pandemic, and the interplay with any vaccination change. However, until such time that the guidance is revised, it is recommended that employers continue to exercise caution in seeking vaccination status data and should only process vaccination data where necessary to achieve a specific, legitimate purpose in line with general and sector-specific public health advice, as they may be exposed to legal risks. The DPC has further cited the principle of data minimisation laid down in the GDPR in its guidelines; it notes that employers should implement all such measures that avoid processing the personal data of employees in the first place.

Are employees entitled to lie or to omit information; if information is subsequently found to be false, what can I do?

If a prospective employee lies or omits information during a recruitment process, this can become problematic for an employer when the individual hired for the role does not have the qualifications or experience necessary to perform the role. In the event of such misrepresentation by the employee, there are procedures available to the employer to lawfully terminate the employment contract.

How should I deal with the personal data of unsuccessful candidates?

The Data Protection Act 2018 and GDPR require that personal data be retained “for no longer than is necessary” for the purpose for which the personal data was processed by a data controller. This requirement places an obligation on employers to be clear about the length of time personal data will be retained and the reasons why the data is being kept. In order to be compliant with the data protection legislation, it is advisable for all employers to have a policy in place on retention periods for personal data that is obtained in a recruitment process. This policy must include defined retention periods for personal data (such as CVs, cover letters, and interview notes) and a systematic disposal of personal data within a reasonable period after the retention period expires. The DPC recommends a period of retention of personal data for one year in these situations.

Furthermore, Article 30 of the GDPR provides for records of processing activities and obliges data controllers (including employers) to set out the envisaged time limits for erasure of the different categories of data. Employers could be liable to a fine of up to a maximum of €20,000,000 or 4% of annual global turnover (whichever is greater) for failure to comply with the GDPR. The GDPR also provides for a right of erasure or the “right to be forgotten”, and data subjects (candidates) have the right to request that personal information be erased where the personal data is no longer necessary for the purpose for which it was obtained by the data controller (the employer). It is recommended to retain interview and other recruitment records of unsuccessful candidates for a period of at least one year following the conclusion of the recruitment process, in order to defend against any potential claims such as discrimination in the recruitment process. It is also common for employers to retain data of unsuccessful candidates for future recruitment purposes; however, in doing so, employers must ensure that they notify the applicants and that the candidates are given the opportunity either to consent or to object to the retention and that, on objection, the employer disposes of the personal data obtained.

Written by:

Richard Lee, Partner


Sinéad Mannion, Senior Associate


Article from – TRENDS Employment Law No 7
