The hiring process involves gathering a lot of sensitive candidate information. This usually includes a candidate's employment history, education, personal data, feedback collected from referees and more sensitive details such as police and other background checks relevant to the job.
Candidate data privacy is crucial and should not be taken lightly. When you protect the privacy of your future employees with every reasonable method available, both your staff and the entire company will be safer as a result.
Crucial steps in effectively protecting candidate information are to know the risks involved, the privacy laws that exist and best practices on storing their data.
In this blog, we cover:
- What candidate data privacy looks like
- Risks involved in data privacy
- Privacy laws that affect pre-employment checks
- What employers should know about reference checking data (best practices)
Candidate data privacy
Candidates who may even become your employees in the future need the assurance that their personal information is safe and correctly handled. Hence, data protection and privacy matter for future employees.
Here's a list of what recruiters need to be mindful of when gathering candidate information and when conducting pre-employment checks:
- Candidate consent is crucial, without which a recruiter or organisation cannot gather or store personal information.
- Before you collect any personal data from candidates, they need to be aware of the process and of the information you intend to collect.
- Collecting the personal data of candidates also means the company will need to be accountable for how that data is used.
- Candidates may even have the right to request organisations to provide information on how their personal data is used. Companies are required to provide such individuals with accurate information on this.
Risks involved in data privacy
It’s helpful to be fully aware of the slip-ups that can happen with data.
- Accidental sharing of data: People make mistakes, and sometimes data breaches occur due to employees who accidentally share, misplace or mishandle sensitive data. Employees need to be trained on data handling to ensure the proper process is always conducted.
- Privacy violations: Organisations need to adhere to national or international laws; failing to comply can attract heavy fines.
- Reputational damage: Negative publicity surrounding data breaches can have an impact on an organisation's reputation.
Data privacy laws protecting candidate information
We’ve listed some of the common data protection laws below. Different countries may have different local laws and it’s possible that they may apply to other countries when a service is offered to individuals from other nations.
Australia data privacy laws
The Privacy Act 1988 regulates how personal information about an individual can be collected, used and disclosed. The Privacy Act outlines 13 Australian Privacy Principles, making consent a must before collecting or revealing personal information.
Personal information includes a candidate's name and address, which employers usually need to collect. It may extend to sensitive information such as race, age, gender and religion.
Information obtained from referees is bound by these laws, which means:
- Candidates need to be consulted before a recruiter approaches alternative or additional referees.
- If a supervisor has not been listed, a recruiter needs to first request permission from the applicant to obtain a reference from them.
The Privacy Act also requires businesses to store information gathered during recruiting securely.
General data protection regulation (GDPR)
GDPR is the toughest privacy and security law not only in the European Union (EU) but across the world. Under the GDPR, organisations will be required to keep records of all personal data and prove that consent was given to use it. Businesses may need to show where the data is going, what it is being used for, and how it is being protected.
GDPR imposes heavy fines on those who violate its privacy and security standards.
In terms of recruiting, here's how GDPR affects the hiring process:
- Organisations need to have candidate consent
- Data can be collected only for specified, explicit and legitimate purposes
- Companies need to have clear privacy policies, and recruiters are obliged to make those policies available to candidates.
- Companies need to assume the responsibility of data compliance and security.
The Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA sets the ground rules for how private-sector organisations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada.
PIPEDA ensures the protection of personal information in the course of commercial business.
In terms of recruiting, here's how PIPEDA affects the hiring process:
- The prospective employer is responsible for protecting all personal information under its control.
- There must be a clear purpose before collecting any information.
- Companies need to obtain a person's consent before collecting, using or disclosing their personal information. The candidates and referees must understand what they are consenting to. So it's essential to use language that is easy to understand, to explain to people what information is being collected and the purpose for which it will be used.
- Companies have a responsibility to protect personal information in an appropriate manner.
Best practices for collecting and storing reference checking data
Businesses can enjoy the benefits of taking a best practice approach if they do the following:
- Practice good privacy governance: Elements of strong privacy governance include having robust policies, processes, and tools to help manage data privacy and breach issues.
- Only collect the information relevant to the job role: Only use or disclose personal data for the purpose you collected it.
- Notify individuals when you collect their personal information: Notify them or make them aware of the collection (ideally beforehand) when collecting personal information about individuals.
- Protect the personal information you hold: To help avoid data theft or mishandling, ensure the systems and software you're using are reliable, secure, and compliant.
- Ensure relevant certification: Standard certifications such as ISO 27001 attest to compliant data handling and storage.
- Create a data usage policy: Create a clear policy that specifies the types of access and the conditions of access. Include who has or could have access to the data, what constitutes correct usage of data, and so on. Also ensure that all policy violations have clear consequences.
- Apply access control to sensitive data: To ensure the right people access data, you can implement access control. This could even mean implementing different levels of privileges depending on who needs to access it.
- Ensure robust security measures: You should have a security policy to protect personal information and use good security measures. Your organisation must regularly review its data protection and compliance measures and ensure they are up to date.
Where do you go from here?
As a starting point, you should consider:
- Analysing current internal HR procedures and processes for any required updates
- Engaging technical support and ensuring that the relevant practical changes to IT systems are in place
- Assessing the way you speak directly and indirectly to stakeholders about your data privacy policies
- Ensuring you have the right protocols in place; we've shared a checklist below.
Data compliance checklist
To ensure you have the right protocols in place, here’s a checklist:
- Do you have a robust consent process in place for your data handling? Essentially, you must be able to clearly demonstrate approval of data processing from the individual you are dealing with.
- Are you creating a data handling audit trail? Compliance documents are a must-have. Developing a comprehensive and accurate record of data processing systems and their use will give you peace of mind. It will, ultimately, save you and your organisation time and stress if an audit trail is required.
- Do you understand the process of data destruction? The so-called "right to be forgotten" is another major element of data compliance. You will be expected to store data for as long as is necessary, but no longer. Ensure you have a process for this even if it may seem a burden to implement. Under some legislation, the longer you hold onto someone's data, the greater the liability.
- Are your staff adequately trained in the new data handling requirements? Understanding the regulation and ensuring compliance will be made all the more achievable for HR staff if it is taught in context. That said, they must also understand the importance of the steps they take to comply, within the context of your organisation as a whole.
- Do your suppliers and solutions help or hinder your data handling compliance? While organisations are likely responsible for maintaining records of data processing activities, the suppliers you employ are responsible for maintaining records of all personal data processing they carry out on your behalf.
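As an added example, not Xref's code and not part of the original post, the following Python sketch shows how the best practices above (a data usage policy with different privilege levels, access control on sensitive data) and the checklist items (demonstrable consent, an audit trail, data destruction when retention lapses) can fit together in one small candidate-data store. The roles, data categories, retention period and sample candidate are all constructed for illustration and are not taken from any real system or regulation.

```python
"""Added example (not Xref's code): a minimal candidate-data store that
refuses to hold data without recorded consent, enforces role-based access
to sensitive categories, keeps an append-only audit trail of every action,
and destroys records once their retention period has lapsed.
All roles, categories, dates and sample data below are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed data usage policy: which roles may read which data categories.
# Background checks are the most sensitive, so only compliance may read them.
ACCESS_POLICY = {
    "recruiter": {"contact", "employment_history"},
    "hiring_manager": {"contact", "employment_history", "references"},
    "compliance": {"contact", "employment_history", "references", "background_check"},
}


class AccessDenied(Exception):
    """Raised when a role tries to read a category the policy does not allow."""


@dataclass
class CandidateRecord:
    candidate_id: str
    consent_purpose: str      # the specific purpose the candidate agreed to
    consent_date: date
    retention_days: int       # how long the data may be kept after consent
    data: dict = field(default_factory=dict)

    def expires_on(self) -> date:
        return self.consent_date + timedelta(days=self.retention_days)


class CandidateStore:
    def __init__(self):
        self._records = {}
        self.audit_log = []   # (actor, action, candidate_id, detail) tuples

    def _audit(self, actor, action, candidate_id, detail=""):
        self.audit_log.append((actor, action, candidate_id, detail))

    def store(self, actor, record):
        # Consent for a stated purpose must exist before anything is kept.
        if not record.consent_purpose:
            self._audit(actor, "store_refused", record.candidate_id, "no consent")
            raise ValueError("consent with a stated purpose is required")
        self._records[record.candidate_id] = record
        self._audit(actor, "store", record.candidate_id, record.consent_purpose)

    def read(self, actor, role, candidate_id, category):
        # Denied reads are logged too, so the audit trail shows attempts.
        if category not in ACCESS_POLICY.get(role, set()):
            self._audit(actor, "read_denied", candidate_id, category)
            raise AccessDenied(f"role {role!r} may not read {category!r}")
        self._audit(actor, "read", candidate_id, category)
        return self._records[candidate_id].data.get(category)

    def purge_expired(self, actor, today):
        """Destroy every record whose retention period has lapsed by `today`."""
        expired = [cid for cid, r in self._records.items() if r.expires_on() <= today]
        for cid in expired:
            del self._records[cid]
            self._audit(actor, "purge", cid, "retention expired")
        return expired

    def erase(self, actor, candidate_id):
        """Honour an erasure request regardless of the retention date."""
        self._records.pop(candidate_id, None)
        self._audit(actor, "erase", candidate_id, "candidate request")

    def holds(self, candidate_id):
        return candidate_id in self._records


def demo():
    """Walk through the controls on a constructed candidate; returns a summary."""
    store = CandidateStore()
    rec = CandidateRecord("cand-001", "reference check for role R-42",
                          date(2024, 1, 10), 180,
                          {"contact": "a@example.com",
                           "references": ["Referee 1: positive"],
                           "background_check": "clear"})
    store.store("hr-system", rec)
    results = {}
    try:  # no consent purpose recorded: the store must refuse it
        store.store("hr-system", CandidateRecord("cand-002", "", date(2024, 2, 1), 30))
        results["no_consent"] = "stored"
    except ValueError:
        results["no_consent"] = "refused"
    results["recruiter_contact"] = store.read("alice", "recruiter", "cand-001", "contact")
    try:
        store.read("alice", "recruiter", "cand-001", "background_check")
        results["recruiter_bgc"] = "allowed"
    except AccessDenied:
        results["recruiter_bgc"] = "denied"
    results["compliance_bgc"] = store.read("carol", "compliance", "cand-001", "background_check")
    # 180 days after 2024-01-10 is 2024-07-08: nothing is purged the day before.
    results["purged_early"] = store.purge_expired("scheduler", date(2024, 7, 7))
    results["purged_on_expiry"] = store.purge_expired("scheduler", date(2024, 7, 8))
    results["still_held"] = store.holds("cand-001")
    results["audit_actions"] = [action for _, action, _, _ in store.audit_log]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the sketch is that each checklist item maps to a concrete control: consent is a precondition of `store`, the audit trail is written on every path including refused and denied operations, and retention is enforced by a scheduled `purge_expired` rather than left to someone remembering to delete.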
Many service providers will already have ensured that they are fully compliant - as we have at Xref - in order to avoid any potential loss of contract when clients begin carrying out data protection impact assessments.
Being in the industry for over 10 years has given us vast experience and knowledge of data compliance risks and standards. We have a security-first mindset towards our customers. Here are some of the top reasons why our clients trust us:
- Compliance & governance: Xref is ISO 27001 certified, offering globally compliant data collection and storage. Xref is equipped to meet all regulatory requirements to ensure every candidate is assessed fairly.
- Advanced password and security policy alignment: With Xref, organisations can customise access to accounts, ensuring tighter security.
- Data sharing and tracking: With the Xref solution, hiring teams can define who can access the reference checking information and receive reports. Xref has enabled this by creating rules that allow reports to be sent only to those defined as appropriate by account administrators. We've ensured that while we've made the solution user-friendly, it follows compliance regulations.
- Location-based access restrictions: As cloud-based technologies become common solutions, organisations often seek to restrict their geographical usage. With Xref, these restrictions are possible by introducing IP and location-based access policies to accounts.
- Regionalised data storage: With the introduction of the GDPR, many European organisations require all data storage and handling to be conducted in Europe. Xref has regional data centres to host European data locally.
- Extended security log function: Xref allows account administrators to monitor every action taken by users on their Xref account. The platform function creates an audit trail of all account activity and usage. It ensures organisations have a clear view of the handling and management of any data securely stored on their Xref account.
- Extended user management: With multiple users accessing one account, the platform needs to ensure that only current and appropriate users have access. Xref enables account admins to manage this. Measures such as an inactive user alert notify admins of users who have not logged in for an extended time so that they can be deactivated.
It’s time to step up your candidate privacy
Candidates share very personal information with employers with the understanding that their information will be kept safe and confidential. It is the duty of organisations to demonstrate to candidates that their information is treated with care. Xref offers the assurance of a fully compliant online checking platform. If you’re interested in knowing more about our solution, book a demo with our specialist today!