6 Ways the Data Protection Act Impacts Staff Recruitment
The Kenya Data Protection Act is set to impact all areas of business and more so, the HR or staffing function. In the “HR Professionals Guide to Data Protection” I gave broad insights on how the Act will affect the HR department. In this article, I consider the potential impact in the area of staff recruitment.
1. Increased Transparency
Under section 25 (b) of the Act, data controllers and processors (e.g. employers or recruitment agencies) must ensure that personal data is processed lawfully, fairly, and in a transparent manner. What does this mean? First, you must have a lawful basis for processing the data. Second, you should process data fairly, i.e. in line with the reasonable expectations of the data subject. Finally, your data collection practices must be transparent. In other words, you should be open and honest about how you will collect and process personal data.
In the context of staff recruitment, transparency may be demonstrated in the following ways:
- Background Checks: inform applicants early in the recruitment process if you intend to carry out any verification or background checks. Also, seek their consent before you start conducting the checks. An applicant has a right to object to the checks. If this happens, you ought to stop the process, review the applicant’s reasons, and respond appropriately. Finally, if someone asks you for information about a worker’s record or a reference for them, you should only provide it if you have the consent of the person whose information is being requested.
- Video Interviews: recruiters need to understand the privacy and security settings offered by video chat platforms and determine their adequacy. They should also seek the applicant’s consent to the video interview, including consent to record the interview. A few tips for enhancing privacy: use a unique user ID and password for each interview, require passwords to join, do not recycle passwords, lock the meeting once all participants have joined, and keep your video conferencing software updated to the latest version.
2. Data Minimisation
Data minimisation is a key principle in data protection. It holds that one should only collect personal data that is adequate and relevant for the intended and identified purposes. In other words, the staff recruitment process should be designed with an emphasis on the collection of relevant information.
For instance, if the potential employer is a government institution, the application documents may include a CV and clearances from various governmental authorities e.g. police, tax, credit institutions, etc. All these may be necessary to comply with the vetting requirements laid out in the Constitution or other relevant laws. However, a private organisation may not need all these documents at the initial stages of recruitment. Asking for them too early may be intrusive to privacy. In practice, recruiters should only ask for detailed documents from candidates who are successful in the interview process.
Again, if you intend to carry out background checks, avoid vetting all the prospective candidates. Instead, vet those who have been selected for a particular role. Vetting should not be turned into an intelligence-gathering exercise. Instead, it should be focused and have a direct bearing on the role at hand.
3. Record Management
Records are central in the staff recruitment process. The Data Protection Act not only demands proper record keeping but also secure and efficient management of records. In the staff recruitment process, pay special attention to the following areas:
- Document/Data Security: you should have a secure means for receiving applications from candidates. If you are receiving applications on a system, ensure there are adequate passwords and controls for accessing the system. You should also know who has access to the system and adequately train them on maintaining privacy and confidentiality of information. If you are receiving applications by hand, direct them to a named person and ensure that they are securely received by the named person. Store physical copies in secure filing cabinets.
- Document Retention: establish a data retention policy that dictates how long you will retain recruitment records. You should not keep information for longer than necessary. If you would like to consider a candidate for a future role in the organisation, inform them of this. Also, offer them an opportunity to object to the use of their information.
- Data Access Requests: applicants/employees have the right to receive their personal data in a structured, common, and machine-readable format. They can also request the transfer of data from one employer to another, the erasure or rectification of data, or object to the processing of any data. You should have a process in place for dealing with each data-related request.
4. Recruitment Agency Compliance
Employers often engage recruitment agencies to source and fill identified vacancies. Under the DPA, employers and recruitment agencies have similar obligations in relation to the protection of personal data. This means that besides the employer, recruitment agencies must also take the measures outlined above to comply with the Act.
Some practical considerations for the agencies include:
- Data Retention: develop policies on how long you shall retain data. Delete or destroy any information that you do not require.
- Consent: before processing any information, give users an opportunity to consent to the processing of their data.
- Contracts: have contracts in place with your clients which include your data protection compliance obligations.
- Data Security: you are responsible for putting in place security measures to protect personal data from loss, destruction, or misuse. If you decide to use an Applicant Tracking System, choose one that prioritizes data security.
5. Data Sharing and Transfers
You may need to share recruitment information within your organisation or with external third parties. In this case, you need to have contractual arrangements in place with data protection clauses outlining each party’s obligations in relation to data protection.
Recruitment data should not be transferred outside Kenya unless there are adequate security safeguards in place for its protection and the applicants have consented to such transfers.
6. Data Breaches
If any personal data you hold is lost, misplaced, or tampered with, you have an obligation to report the same to the Data Commissioner’s office within very strict timelines. In addition, you face the risk of criminal sanctions, financial penalties, and legal suits. Therefore, you should have an organisational policy and process in place to recognise, isolate, mitigate, and respond to all security incidents. You should also inform your employees that they have a duty to report breaches as soon as they become aware of them. Finally, update your employment contracts and disciplinary policies to include privacy and reporting obligations.
Disclaimer: The information on this blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no advocate-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional advocate, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation. The information on the blog may be changed without notice and is not guaranteed to be complete, correct or up-to-date. While the blog is revised on a regular basis, it may not reflect the most current legal developments.