November 11th, 2021 | Mark Sward, Vice President and Global Head of Privacy
Top 5 GDPR Hang-Ups in Background Screening
As privacy professionals in the background screening industry, my team and I face daily questions about how to perform background screening and identity services in line with rapidly evolving global privacy rules. The one that usually receives the most attention, unsurprisingly, is the General Data Protection Regulation (GDPR), which has been in effect in the European Economic Area and the United Kingdom since 2016.
The GDPR poses some interesting problems when trying to develop a background screening program. While it would be futile to try to cover every consideration here, I’d like to share my top five GDPR hang-ups and some thoughts on how to solve them.
1. Controller or Processor?
When an organization (like an employer) engages a service provider (like Sterling) to process personal data, one of the first questions that comes up is whether the service provider is a “controller” or a “processor”. A controller determines the purposes and means of data processing, either alone or jointly with others. A processor processes personal data on behalf of a controller. In some cases, the distinction between a controller and a processor is clear: for example, when a service provider simply makes available some data storage capacity for its customer to use however it likes, without outsourcing data processing, transferring data across borders, or granting access to its own employees or third parties, the customer is clearly the controller and the service provider is clearly a processor.
It becomes more complicated when the service provider has a more active role in deciding how to handle data, as is arguably the case for background screeners. Background screening and identity services involve some data processing activities where a service provider is clearly a processor (like providing a passive platform to allow candidates to fill in forms or upload documents), and others where the service provider may well be a controller (like performing criminal record checks under a contract with the local government or operating under a regulatory framework which requires it to determine how or whether to carry out screening services).
The question becomes critical when negotiating contracts, as the GDPR sets out very specific requirements for contracts between a controller and a processor or between joint controllers. To further complicate the matter, many organizations are not well prepared to handle controller-controller agreements and instead prefer to put in place controller-processor agreements with all service providers, regardless of the nature of their service. In short, there are various risks, conflicting opinions, and market forces at play.
So, what is my solution to this GDPR hang-up? I like to cover all the bases and start with relatively standard controller-processor terms in line with Article 28 of the GDPR (and in line with market demands), call out the exceptions where the service simply doesn’t permit the service provider to behave like a processor, and then supplement the whole thing with clear accountability for candidates’ rights as required of joint controllers under Article 26 of the GDPR. That way, everyone knows who is responsible for what, and no matter what a regulator decides, the parties have a compliant contract.
2. Candidate Consent
Conventional privacy wisdom dating back decades says that “Consent is King”: if the candidate signs off, then you can collect, process, and disclose the data. The GDPR turned that thinking on its head, and instead pushes organizations to find other grounds under the law to process data without needing to put the onus on the candidate to read lengthy privacy notices and decide whether to consent or not.
This is particularly important in the context of work, where the party signing the paychecks usually has quite a bit of influence over the worker. European data protection regulators have made clear that consent is not a viable basis for mandatory data processing in employment, and generally any screening program must be mandatory to be effective.
While there are instances that a background check or identity service could be based on consent — particularly where the candidate has clear choices, will not suffer any negative consequences for exercising those choices, and benefits from the data processing — in the vast majority of cases, my thinking is to steer clear of consent and identify the true driver for the data processing. Is it necessary to comply with a legal obligation? Is it necessary to fulfill a contract with the candidate? Or is it based on another “legitimate interest”? If grounds other than consent under the GDPR cannot be found, the organization should think about whether it truly needs to process the data.
But then, why have a candidate sign a form at all before background screening begins? Doesn’t that send the message that the candidate has a choice? Yes, it might — but also, screening requires third parties to hand over confidential data. They will almost invariably refuse to give you any personal information about a candidate unless they can see a signed form saying it’s authorized. In fact, the third party may be relying on the candidate’s consent for that disclosure under the GDPR, even though the employer is not. Most candidates will not think too much about the distinction, but it’s worth pointing out in a privacy notice which parties are relying on consent and which are not, so the candidate understands what choices they really have.
One of the most critical obligations under the GDPR is to provide clear, understandable information allowing individuals to understand how their data will be handled and their rights under the law. When choosing a background screening provider, many organizations assume that their screening provider will take care of the GDPR-mandated notices on their behalf, but I believe that assumption is a mistake. A screening provider may well provide samples and background information that will help ensure GDPR transparency obligations are met, but some of the key information — like why the screening is taking place and how the reports will be used in decision making — is outside the screening provider’s view and may vary widely among the provider’s customers. For this reason, I always encourage organizations to carefully review any sample notices they receive and tailor them to their screening program and the purposes and legal grounds for the data they request. Failing to meet the organization’s transparency obligations can have multiple consequences: not only is there a potential compliance gap, but eagle-eyed candidates may get nervous if they see information that is not relevant in a sample notice, like a reference to screening services that aren’t even in scope of the hiring organization’s program. This can break down trust at a key early juncture in the relationship, or be an opportunity to increase transparency and alignment with candidates.
4. One-Off Data Transfers
Contrary to popular belief, the GDPR does not forbid transfers of personal data outside the EEA or the UK. However, it does generally require data that is transferred to benefit from equivalent protections to the GDPR wherever it goes. It sets out in detail how that can be achieved, including through the use of standard contractual clauses issued by regulatory authorities, applying for binding corporate rules across a global group of companies, and of course adequacy decisions where authorities will declare certain non-European countries (or sectors within countries) to be safe for European data.
Many of these require stable commercial arrangements between parties, though, which are not possible in all circumstances. What if your European employee did a stint working in South Africa and you’d like to verify their employment and criminal history there? It is very unlikely that either your organization or your background screening partner would have a contract stipulating data protection terms with the candidate’s former employer or, for that matter, with the South African criminal authorities, who are very unlikely to agree to restrictive contractual terms with a private company. Exchanging information with these parties on a one-off basis creates a compliance issue: how can the data transfer be legitimized under the GDPR?
Now that we’ve tossed out consent as a basis for screening in the first place, let’s bring it back. The GDPR sets out several derogations to the required safeguards for cross-border transfers, and consent is one of them. A common position in the screening world is that the only way to transfer data across borders in these types of one-off circumstances is with the candidate’s consent. For that consent to be legitimate, you likely need to give candidates a choice: they can allow the hiring organization or the screening provider to transfer the data and save themselves the time and effort, or they can obtain documentary proof on their own and pass it along. The more conservative approach, of course, is simply not to conduct any checks outside of Europe, but this may create much greater risks elsewhere, such as failing to meet a regulatory or contractual obligation to screen employees, and it also may go against an organization’s policy to build a strong culture and to create trust and safety for their people.
5. Criminal Conviction Data
The final GDPR hang-up I’d like to explore is Article 10, which regulates the use of criminal conviction data. Or, more aptly, it punts regulation of criminal data to each individual European country. While I’ve heard concerns from time to time that Article 10 bans criminal record screening in Europe outright, I can confidently say it does not: in fact, employment criminal checks are commonplace in many European countries. The key is to review the rules in each country to ensure, first of all, that the data is available (this is something a screening provider should know: some countries have established a mechanism to obtain criminal history for employment; others have not). If the data is available, then the second key point is whether the employer (or other user of the screening report) has grounds to collect it. While a screening provider may have some high-level information on this, only legal counsel can advise on whether a criminal history check is permissible in the circumstances. This will depend on the country, the industry, the company’s risk tolerance, and even the role and responsibilities the candidate will occupy. There are no black-and-white answers as to when it is appropriate and proportional to collect criminal history information, and I strongly encourage all organizations to carefully consider the question of criminal record checks on a country-by-country basis and for each category of roles as they develop their screening program.
This blog post is part of a Compliance blog series, diving into compliance trends, best practices, and updates.
Sterling is not a law firm. This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.