16 Mar 2022
In the new, more “virtually-focussed” world ushered in by the pandemic, employers face a new challenge in how they vet future employees, says Trinity Hall Fellow Dr David Erdos.
Employers have “always” snooped on their employees but social media gives them an even greater ability to see inside the personal lives of their staff and judge them accordingly.
Such cyber-snooping has been around as long as social media but it has grown and deepened during the pandemic and institutions, like the Information Commissioner’s Office (ICO), could do more to recognise the issues created by this, argues Dr Erdos.
In a recent article in The Economist Dr Erdos said that, while it is becoming more common, companies ought to warn candidates of any systematic screening that may take place and the candidate should have a chance to object to this.
“This has been growing since the big shift to online working during COVID and raises significant GDPR issues,” he added.
GDPR is short for General Data Protection Regulation which was signed up to by the UK as part of EU membership, but remains part of domestic law post-Brexit.
Under the regulations the sort of systematic vetting of social media some companies undertake should, argues Dr Erdos, trigger the need for a Data Protection Impact Assessment (DPIA).
“This is because it will, in the sense referred to in the statutory list produced by the Information Commissioner’s Office, involve comparing personal data obtained from different sources and also, potentially, the use of special-category data to make decisions on access to an opportunity or benefit.”
In other words, the way the data is intended to be used by the company can pose a likely high risk to the rights and freedoms of the applicant which, in turn, means it should draw up and act upon a DPIA. That DPIA would provide a mechanism for ensuring that: the applicant’s rights and freedoms have been appropriately protected; that legality, including as regards any special category data (eg regarding health or political opinions) is ensured; and that the applicant is properly informed. But the law is lagging behind the real-world says Dr Erdos: “This sort of processing is growing and indeed becoming normalised so it would be good to see more involvement from the ICO.”
There’s a need to grapple with the reach of the GPDR and to ensure a greater focus on activities which can seriously impact data protection rights, argues Dr Erdos: “There’s a huge need in the law to develop a graduated approach which properly distinguishes between relatively innocuous online processing and systematic and intrusive processes which merit close granular scrutiny.”
For prospective employees, the impact of such vetting could mean the difference between getting a job and being informed that, this time, their application has been unsuccessful. Many people, including students looking towards their career, are scared that their social media profiles could haunt them in years to come – as exemplified by footballers being brought to book for comments made a decade or more in the past.
Dr David Erdos is Co-Director of the Centre for Intellectual Property and Information Law (CIPIL) and WYNG Fellow and Director of Studies in Law at Trinity Hall.