The hiring process involves gathering a lot of candidate information. This information usually includes a candidate's employment history, education, personal data, feedback collected from referees and more sensitive details such as police and other background checks relevant to the job.
Crucial steps in effectively protecting candidate information are to know the risks involved, the privacy laws that exist and best practices on storing their data.
In this blog, we cover:
Candidate data privacy
Risks involved in data privacy
Privacy laws that affect candidate information
Suggestions for safeguarding data
Candidate data privacy
Candidates who may become your employees in the future need assurance that their personal information is safe and correctly handled.
Here's a list of what recruiters need to be mindful of when gathering candidate information and when conducting pre-employment checks:
Candidate consent may be required for sensitive information.
Before collecting any personal data from candidates, you should disclose how your organisation might use and handle data.
In some countries, candidates may have the right to request for the prospective employers to disclose some personal data relating to themselves after the employment process is completed.
Risks involved in data privacy
It’s helpful to be fully aware of the slip-ups that can happen with data.
Data Breaches: There are 3 types of data breaches that can occur
Confidentiality Breach: A confidential breach is when there is an unauthorised or accidental disclosure.
Integrity Breach: An integrity breach is when there is an unauthorised or accidental alteration of personal data.
Availability Breach: An available breach is when there is accidental or unauthorised loss of access to or destruction of personal data.
Reputational damage: Negative publicity surrounding data breaches can have an impact on an organisation's reputation.
Data privacy laws protecting candidate information
Do take note that countries may have varying privacy laws based on states. It is also possible that countries may extend their laws through the nationality of a person even if they may not be residing in the country.
We’ve listed some of the common data protection laws below.
Australia data privacy laws
The Privacy Act 1988 regulates how personal information about an individual can be collected, used and disclosed. The Privacy Act outlines 13 Australian Privacy Principles. More detailed information and explanation about privacy principles can be found here at the Office of the Australian Information Commissioner
General data protection regulation (GDPR)
GDPR is the most rigorous privacy legislation. There may be heavy penalties for those found to have violated these set of laws.
Here's how GDPR may affect the hiring process:
You may want to ensure that your candidates have consented to the collection of data;
Data collected should be related to your purpose and should only be for legitimate purposes;
You should disclose the use and handling of their data to the candidates through privacy policies; and
Ensure that you have data protection measures in place.
The Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is canada’s primary privacy legislation. It governs how private sector organisations collect, use, and disclose personal information across Canada.
Here's how PIPEDA may affect your hiring process
As the prospective employer, youmay be responsible for protecting all personal information under its control.
There should be a clear purpose before collecting any information.
Companies should obtain a person's consent before collecting, using or disclosing their personal information.
Suggestions for safeguarding data
Practice good privacy governance: Elements of strong privacy governance include having robust policies, processes, and tools to help manage data privacy and breach issues.
Create a Privacy Policy: You should be open and transparent about how you handle personal information to gain your candidate's trust.
Only collect the information relevant to the job role
Notify individuals when you collect their personal information: Notify them or make them aware of the collection (ideally beforehand) when collecting personal information about individuals.
Protect the personal information you hold: To help avoid data theft or mishandling, ensure the systems and software you're using are reliable, secure, and compliant.
Obtaining relevant certification: Standard certifications such as ISO 270001 ensure data compliance and storage.
Create a data usage policy: Create a clear policy that specifies types of access, conditions of access. Include who has or could have access to the data, what constitutes correct usage of data, and so on. Also ensure, that all policy violations have clear consequences.
Apply access control to sensitive data: To ensure the right people access data, you can implement access control. This could mean implementing different levels of privileges depending on who needs to access it.
Ensure robust security measures: You should have a security policy to protect personal information and use good security measures. Your organisation should regularly review data protection and compliance measures and ensure they are updated.
Where do you go from here?
As a starting point, you should consider:
Analysing current internal HR procedures and processes for any required updates
Engaging technical support and ensuring that the relevant practical changes to IT systems are in place
Assessing the way you speak directly and indirectly to stakeholders about your data privacy policies
We have provided you with a data compliance checklist to guide you through this process
Do you have a robust consent process in place for your data handling? Essentially, you must be able to clearly demonstrate approval of data processing from the individual you are dealing with.
Are you creating a data handling audit trail? Compliance documents are a must-have. Developing a comprehensive and accurate record of data processing systems and their use will give you peace of mind. It will, ultimately, save you and your organisation time and stress if an audit trail is required.
Do you understand the process of data destruction? The so-called "right to be forgotten" is another major element of data compliance. You will be expected to store data for as long as is necessary, but no longer. Ensure you have a process for this even if it may seem a burden to implement. For some legislations, the longer you hold onto someone's data, the greater the liability.
Are your staff adequately trained in the new data handling requirements? Understanding the regulation and ensuring compliance will be made all the more achievable for HR staff if it is taught in context. That said, they must also understand the importance of the steps they take to comply, within the context of your organisation as a whole.
Do your suppliers and solutions help or hinder your data handling compliance? While organisations are likely responsible for maintaining records of data processing activities, the suppliers you employ are responsible for maintaining records of all personal data processing they carry out on your behalf.
Many service providers will already have ensured that they are fully compliant - as we have at Xref - in order to avoid any potential loss of contract when clients begin carrying out data protection impact assessments.
Why Xref?
Being in the industry for over 10 years has given us vast experience and knowledge of data compliance risks and standards. We have a security-first mindset towards our customers, here are some of the top reasons why our clients trust us:
Compliance & governance: Xref is ISO 27001 certified, offering globally compliant data collection and storage. Xref is equipped to meet all regulatory requirements to ensure every candidate is assessed fairly.
Advanced password and security policy alignment: With Xref, organisations can customise access to accounts, ensuring tighter security.
Data sharing and tracking: With the Xref solution, hiring teams can define who can access the reference checking information and receive reports.Xref has enabled this by creating rules that allow reports to be sent only to those defined as appropriate by account administrators. We've ensured that while we've made the solution user-friendly, it follows compliance regulations.
IP-based access restrictions: An IP (Internet Protocol) address is a unique string of numbers and dots that identifies a device on the internet. Think of it as a phone number for your computer or device. Xref allows users to define a list of IP addresses that can access the platform. Any IP address not on the safelist is unable to log in. Organisations can safelist devices from the same proximity (like the office) or the same geography, for example.
Regionalised data storage: With the introduction of the GDPR, many European organisations require all data storage and handling to be conducted in Europe. Xref has regional data centres to host European data locally.
Extended security log function: Xref allows account administrations to monitor every action taken by users on their Xref account. The platform function creates an audit trail of all account activity and usage. It ensures organisations have a clear view of the handling and management of any data securely stored on their Xref account.
Extended user management: With multiple users accessing one account, the platform needs to ensure that only current and appropriate access. Xref enables account admins to manage this. Measures such as an inactive user alert notify admins of users who have not logged in for an extended time so that they can be deactivated.
It’s time to step up your candidate privacy
Candidates share very personal information with employers with the understanding that their information will be kept safe and confidential. It is the duty of organisations to demonstrate to candidates that their information is treated with care. Xref offers the assurance of a fully compliant online checking platform. If you’re interested in knowing more about our solution, book a demo with our specialist today!
Disclaimer
Please note that the information represented on this blog are opinions and suggestions of the author only and do not constitute legal advice. Xref is not liable for any omissions and inaccuracies for the use and reliance of this information. Please seek further advice from a legal professional.