When school leaders think about data protection, the first people that probably spring to mind are the pupils. But schools also handle staff data: not only that of current personnel, but also of staff who may have long since left, and of people who may never have even set foot in the building.
When you’re recruiting a member of staff, whether you handle the process yourself or use an agency, you’ll end up holding many CVs and application forms. Each one could contain lots of personal data, some of which may be sensitive. Anything from an address to criminal-record details could end up on your systems, and you now need to ensure this data is processed in compliance with the General Data Protection Regulation (GDPR).
To help you make sure your recruitment doesn’t land you in trouble with the Information Commissioner’s Office (ICO), we spoke to Mark Taylor, a partner at law firm Osborne Clarke and an expert in data protection, for some advice.
GDPR and recruitment: what’s changed since the Data Protection Act?
Although the new European Union legislation, GDPR, is receiving a lot of attention, it isn’t bringing in brand-new rules. The regulations build on guidelines already set out in the Data Protection Act. However, a few key changes need to be adhered to when recruiting.
Transparency about reasons for collecting data
Previously, giving over your personal data could result in your details being used for things you didn’t realise you'd signed up for. Confusing opt-in messages would result in your inbox being filled with marketing emails or job offers from all over the country. The new regulations make this kind of practice much harder.
“You need to be clear with individuals when you collect their data about why you’re collecting it,” says Taylor. “The transparency requirements also mean you need to tell them how long you’re going to keep it.”
Keep data only as long as necessary
Having a huge archive of CVs that you can flick through for future vacancies is now off limits.
“Practically speaking, schools are going to need to have a process in place for determining how long they’re going to keep candidate information on file,” says Taylor. “They also need to decide at which point they’re going to delete it. It’s certainly not going to be sensible to keep it indefinitely.”
One of the new additions to GDPR is the large penalty that could be incurred in the event of any infringement. The figure of a €20m fine has been widely publicised, although this is a maximum, and one that schools won’t be landed with. However, smaller penalties could occur, so it’s best not to risk the wrath of the ICO.
Ensuring your recruitment process is compliant
Your recruitment process needs to follow the same steps towards compliance that any other element of your school has taken. You must map your data flows, raise awareness and prepare to handle a breach. But certain elements demand particular attention. Whether you use an external recruiter or keep things in-house, here are some pointers.
Use a compliant recruitment agency
If you opt to use an external recruiter, they are classed as a data processor, so you need to have the necessary data-processor contract in place. It will make for an easier ride if you do some due diligence on your chosen recruiter prior to entering an agreement.
“There are different degrees of market practice in recruitment,” says Taylor. “Schools should be looking at how that recruiter gathers data and how it sources candidates, and be confident that it does it in a compliant fashion. Some recruitment companies do a lot of scraping of data off social media and it’s not that that’s now forbidden, but doing that in a compliant way is becoming a bit harder or a bit more complicated.”
“Privacy policies are the mechanism by which you provide people with what we call the fair processing information,” says Taylor. “They are a valuable tool. That information needs to be provided to people when their data is collected.”
Opt for the bare minimum
The less data you hold, the less work you have to do to keep it secure. If you’re asking for things such as criminal-record checks at the application stage, you’re increasing the quantity of sensitive data on your system, which only increases your risk of a serious data breach.
“Schools should be looking critically at which information they’re collecting and validating that under GDPR,” says Taylor. “They should be asking whether they actually need it.”
“There aren’t hard and fast rules, and schools will take different views on what they require depending on the circumstances in which they’re recruiting and possibly the type of role they’re recruiting for.”
You should also look closely at the length of time you store personal data; this, too, should be kept to a minimum.
Keep incoming data secure
If your applications or CVs are being submitted directly by candidates, then make sure they have a secure environment in which to do so.
If they’re coming from a recruiter, then the agency should have a secure process for transferring this data.
Just because you’re using a compliant recruitment agency, it doesn’t mean your process is fully compliant.
“The key thing for schools to consider is how they will handle day-to-day receipt from recruiters and how recruiters can help them do that in a compliant fashion,” says Taylor. “When the school receives data from a recruiter, they will then be processing personal data and they will need to comply with the transparency requirements with the candidates.”
Make sure you can deal with subject access requests
Aside from a data breach, a subject access request is the most likely way you’ll end up in trouble over data protection. If you can’t respond to an individual exercising their right to erasure or data portability, then they have every right to raise it with the ICO.
“It’s important for schools to evaluate where these individual rights may apply to them,” says Taylor. “They then need to ensure their processes are able to handle a request that’s made under one of those rights in practical terms.
“For example, if someone objects to your processing of personal data, can you actually deal with that objection and implement it within your process?”
Mark Taylor is a partner and data protection expert at law firm Osborne Clarke.