GDPR Compliance in Background Checking

Impact of the GDPR

The EU General Data Protection Regulation (GDPR) replaced the Data Protection Directive 95/46/EC and came into effect on 25 May 2018. The GDPR is intended to harmonise the data protection laws across Europe and change the way that data privacy is approached by organisations across the region.

Background checking is an industry that deals predominantly with the collection, use, transfer and storage of personal information/data. Therefore, the introduction of the GDPR has had an impact on the industry worldwide, regardless of the location of the candidate, client or background checking organisation.

As a privately owned Australian organisation, PeopleCheck is covered by the Australian Privacy Act 1988 (Cth) (the Privacy Act); however, we also need to comply with other legislation as it impacts the background checking we provide for entities both in Australia (public and private sectors) and international locations. We need to comply with the GDPR as we offer goods and services in the European Union to candidates regarding their background checking. Many of the requirements of the GDPR are in line with the provisions of the Privacy Act and are covered by PeopleCheck’s existing processes around privacy and data protection. However, PeopleCheck has made a number of changes to background checking documentation and processes to ensure complete compliance with the GDPR for our clients and candidates in some areas specifically addressed by this new legislation.

This article is not intended to summarise the GDPR; this legislation is extensive and many resources are available providing commentary regarding its impact and the implementation and maintenance of compliance measures. This article is intended to highlight the ways in which PeopleCheck ensures full compliance of our background checking processes with the GDPR in four specific areas of the GDPR where additional measures on the part of PeopleCheck have been implemented: consent, the right to be forgotten, cross-border disclosure and suppliers.

1. Consent

Personal data may only be processed under the GDPR if one of the ‘conditions for processing’ set out in Article 6, applies. One condition for processing is that the individual ‘has given consent to the processing of his or her personal data for one or more specific purposes’ (Article 6(1)(a)). In addition, ‘explicit consent’ is generally required to process ‘special categories’ of personal data (Article 9).

PeopleCheck has always obtained explicit, informed consent from all candidates prior to undertaking background checks. However, the GDPR includes a new definition of consent, which states that it must be: freely given, specific, informed, and an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing’ (Article 4(11)). Additionally, consent is not freely given if the individual has no genuine or free choice or is unable to refuse or withdraw consent at any time (Article 7 and recital 42).

PeopleCheck has amended our Privacy Policy and Consent Form so that the withdrawal of consent is as easy as giving consent, and, before candidates give consent, we are informing candidates about this right to withdraw consent, in line with Article 7(3).

Additionally, the GDPR requires that a consent form is used as the lawful basis for processing. That consent form must be explicit about the data collected and the purposes data is used for. In regard to pre-employment verifications, some organisations may interpret that there cannot be a consent per say as it is not freely given (due to the employer-employee relationship). A candidate may have to provide/sign an “Authorisation Letter to release Personal Data” which mentions the Controller’s name (the employer) and the Processor’s name (including PeopleCheck) in order to proceed with the verifications.

Many organisations and institutes may require specific consent forms mentioning the name of our client, PeopleCheck and their details in order to release information. PeopleCheck will manage such requirements on a case-by-case basis. We have also covered this area within our candidate consent form, explaining that “Some organisations we contact may have their own processes for releasing your information; these are mandatory and often in line with data protection legislation outside of Australia…it is important that we follow them.”

2. Right to be Forgotten

The GDPR includes the right to erasure (known as the ‘right to be forgotten’) and gives individuals a right to require data controllers/processors to delete their data in certain circumstances, including where the information is no longer necessary for the purpose for which it was collected, or where the individual withdraws their consent and there is no other legal ground for processing their data (Article 17). There are exceptions to this right, including where data processing is necessary to exercise the right of freedom of expression and information. There is no equivalent ‘right to erasure’ under the Privacy Act, however APP 11.2 requires an APP entity that holds personal information to take reasonable steps to destroy the information or to ensure it is de-identified if the information is no longer needed for any purpose permitted under the Privacy Act.

This process to erase or de-identify information at the request of the candidate has been a practice of PeopleCheck for some time and has now been formalised and documented for candidates. We have amended our Privacy Policy and Consent Forms to provide candidates with the option to request that their data is destroyed or de-identified once no longer required.

3. Cross-border Disclosure

Under the GDPR, personal data may be transferred outside the European Union to countries or international organisations that provide an adequate level of data protection. The GDPR sets out in detail the factors the EU Commission is to consider when deciding whether a third country or international organisation ensures an adequate level of protection (Article 45). The European Data Protection Board is required to provide the Commission with an opinion assessing the adequacy of a country or organisation’s level of data protection (Article 70(1)(s)).

Where the EU Commission has not decided that a third country’s level of data protection is adequate, overseas transfers are permitted in some limited circumstances, including that the candidate, having been informed of the possible risks of such transfer, explicitly consents. (Article 49(1)(a)).

Our consent form includes references to the candidate’s personal data being stored in Australia and the United states and includes a section where they can control the transfer of their data to other international locations, as many be relevant to their background checking based on their background/residency. Candidates are also required to acknowledge they understand any risks associate with providing their information and/or any transfers.

4. Suppliers

PeopleCheck has Supplier Terms and Conditions that apply to all suppliers to PeopleCheck’s business, including any in-country partners that may be utilised in the process of undertaking international checks for candidates where these are relevant based on their background. All suppliers are required to review and confirm compliance with these Terms and Conditions on an annual basis throughout their engagement with PeopleCheck, in conjunction with the completion of a comprehensive Security Survey. Under the GDPR, as a Processor, PeopleCheck must impose on suppliers the same requirements as would be imposed on PeopleCheck by clients with GDPR requirements (Article 28(4)).

Our Supplier Terms and Conditions have been updated to ensure that PeopleCheck’s suppliers comply with the GDPR. Specifically, suppliers must agree to: processing personal data only on the instructions of PeopleCheck; confidentiality obligations; security measures; not engaging other subcontractors / processors of data without authorisation; meeting data subject rights; obligations regarding security breaches and Privacy Impact Assessments; processes on termination of engagement and PeopleCheck’s access in order to audit compliance with requirements.  

As PeopleCheck’s client, what do I need to do?

Given PeopleCheck’s internal measures to comply with the GDPR and thorough communication with candidates regarding their consent, right to be forgotten and cross-border disclose of their personal information, there are no additional measures that you need to take in order to safeguard the sharing of your candidate/employee personal data under the GDPR. However, if your organisation has offices that are based in the European Union, some specific requirements may apply to the processing and/or transfer of the personal information of your current and/or prospective employees. If you have any specific conditions or requirements relating to the processing and/or transfer of your candidates’ personal information, please ensure that you advise our team.

More Information

If you have any specific aspects that you would like more information on in terms of how PeopleCheck will handle your candidates’ personal data and the impact of the GDPR on the background checking process, please contact us via phone on +612 4023 0603 or email us at validate@peoplecheck.com.au.

References

•  GDPR – http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
• The Privacy Act: https://www.legislation.gov.au/Details/C2018C00034
• PeopleCheck’s Privacy Policy: https://peoplecheck.com.au/privacy-policy/