Your company is hiring for a new position. You have interviewed several unsuitable candidates and are starting to worry, but then in walks the star applicant.  You are about to make an offer, then you wonder – "what's on their Facebook account?"

Determining whether a candidate will be a 'good fit' for the business and suitable for a role can be difficult.  Employers usually want as much background information as possible about the applicant before making a job offer in order to make such an assessment. But what are the limitations and consequences of using background information that is readily available on social media sites and elsewhere during the recruitment process?

The Data Protection Act 1998 (DPA) governs the processing of personal data in the UK and applies during the recruitment process as much as to the employer-employee relationship.  This means there are likely to be consequences if an employer collects or uses information about people as part of a recruitment or selection process without taking the DPA into account. The label on the employment status or relationship is, to a certain extent, irrelevant; where personal data is collected, stored or processed, the obligations under the DPA will apply and this will extend to all current and former applicants, employees, agency staff, contract staff and even volunteers or work experience placements.

Pre-employment checks: general principles

Employers should remember that information gathered, along with discussions about a candidate's suitability, can be the subject of a data subject access request.  This should cause employers to think twice when using social media, as they may not be comfortable having to disclose that they have taken a quick look at Facebook, for example, and commented on the information or pictures they have found.

Likewise, employers should consider what they, if they were in the candidate's shoes, might find acceptable in terms of background checks and searches.  As a general rule, candidates are more understanding of criminal background checks particularly where such checks can be justified.  They are much less understanding of searches of social media, because such sites and networks are commonly used in a personal, not professional, capacity.

In order to help employers comply with the DPA and to encourage good practice, the Information Commissioner's Office (ICO) has published the Employment Practices Code (the Code). The Code deals with the impact of data protection laws on the employment relationship and covers issues such as obtaining information about workers, the retention and disclosure of records and access to any such records.

The Code provides extensive 'good practice' recommendations with regard to the handling of applicants' personal data at different stages of the recruitment process,  including the advertising of the job vacancy, the handling of applications, short-listing, interviews, pre-employment vetting and verification and the retention of recruitment records.

Verification and Vetting: what's the difference?

The term "verification" relates to the checking of details already provided by an applicant to ensure that such details are accurate and complete (for example, checking any qualifications or references listed on a CV).

In contrast, "vetting" requires the employer to actively make their own independent enquiries from third parties about the applicant (for example, searching an applicant's social media profile or performing a criminal background check with the Disclosure and Barring Service (DBS – formerly the Criminal Records Bureau)). Consequently, vetting is usually seen as a more active and potentially intrusive step in the recruitment process.

Vetting: what is 'good practice'?

According to the Code, "vetting should only be used where there are particular and significant risks involved to the employer, clients, customers or others and where there is no less intrusive and reasonably practicable alternative." Below are a few examples of good practice which should be adopted by employers during the vetting process:

  • prospective employers should inform applicants that vetting will take place and what form it will take (e.g. social media, criminal history, credit check). This will provide applicants with a chance to 'clean-up' their online profiles or, at the very least, alter their privacy settings appropriately. This is often the very thing the prospective employer hopes to catch, a "warts and all" snapshot of their potential employee recorded on their social media accounts.  But, perhaps because of the obvious different uses of social media (a LinkedIn profile commonly has a very different purpose to, say, a Facebook wall) and in line with the principle of freedom and right to a private life, UK data laws protect employees to a certain extent from such intrusion;
  • vetting should be undertaken at as late a stage as is practicable in the recruitment process (i.e. only once an applicant has been short-listed or has been conditionally appointed);
  • applicants should be given the opportunity to comment and make representations on the accuracy of any findings. This is intended to mitigate any risk that the employer relied on false information in making its decision;
  • vetting should only be used as a means of obtaining specific information to fulfil clearly stated objectives, not as a means of general intelligence gathering – in other words, employers cannot treat the vetting process as a fishing expedition;
  • employers should only seek information from reliable sources where it is likely that relevant information about the applicant will be revealed; and
  • the search should be proportionate in relation to the role. For instance, a more senior and public-facing role will require a more detailed check compared to those roles of a lesser nature.

Vetting: what searches can be performed?

Online and social media checks

The internet has opened the gateway for recruiters to search an applicant's online presence with relative ease and low cost - depending on how relaxed the applicant's privacy settings are. Social media sites such as Facebook, Twitter, LinkedIn and Instagram provide another avenue, easily accessed, for employers wanting to gain insight into an applicant beyond the image presented during the formal recruitment process.

Employers should routinely remind themselves, in line with the Code's recommendations, not to "place reliance on information collected from possibly unreliable sources", such as social media sites. Online profiles are not always created or controlled by the person they appear to refer to, and may or may not be within an applicant's control or have their consent. At a more innocent level, there may be other individuals who share the same name as an applicant and have social media accounts in that name.  The key questions are: how sure can you be that the profile relates to the candidate you are considering; and how sure can you be that the social media account gives an accurate representation of that candidate?

The ICO has warned against employers using deception in order to gain access to an applicant's social media profile, for instance, by attempting to 'friend' the applicant and using a fake identity in the process. The ICO has also warned against employers asking applicants to provide their username and password in order to conduct a full review of their social media account.  Whilst this is less common, employers have used this approach, incorrectly thinking they can effectively sidestep risks in relation to accessing social media accounts.

Aside from the potential to damage the employment relationship and mutual trust and confidence, such risky behaviour is likely to leave employers open to claims and liabilities as a consequence.  From a practical perspective, it is also likely to put off other candidates applying to your organisation.  In addition to potential data protection breaches associated with such actions, employers also run the risk of obtaining information about "protected characteristics" (such as information relating to age, sexual orientation, marriage status, disability, race and religion). If a protected characteristic is found during the search, then the applicant may subsequently claim that the decision not to hire them was based on one or more of those characteristics and therefore discriminatory.

Applicants may also argue that checking their online profiles constitutes a breach of their right to respect for their private life under the European Convention on Human Rights. However, it should be noted that the Employment Appeal Tribunal has previously held that any information an individual has made publicly available on the internet cannot reasonably be considered to be part of their private life. As such, a claim on this basis is unlikely to succeed as the law currently stands, but as social media, technology and the law evolve and the lines between public and private become ever more blurred, this may change.

Right to work and criminal background checks

The employer is not released from its data protection obligations in respect of right to work and criminal background checks.  All employees must provide evidence of their right to work and such information will be personal information.  In addition, certain roles (particularly those in the caring professions and involving vulnerable adults and children, for example) may require the employer to check an applicant's criminal background.  In such cases, requests for criminal history information should only be made to the DBS and only in respect of the applicant the employer intends to recruit.

The underlying position is that employers are not entitled to request information regarding an applicant's criminal record without a reason for doing so.  In line with the Code's recommendations, employers should only request information regarding an applicant's criminal history to the extent that such information can be justified in terms of the role offered.  As good practice and in order to mitigate any risks, employers should also limit the collection of information to offences which have a direct bearing on suitability for the role in question; for example, if the role contains financial responsibilities, the employer could show proportionality by limiting the collection of information to convictions for fraud.

Note that an employer should not ask for 'spent' convictions unless the job is covered by the Exceptions Order to the Rehabilitation of Offenders Act 1974 (e.g. medical practitioners, solicitors, accountants).  Spent convictions are treated differently, and employers should also be aware that there may be additional sanctions under the Rehabilitation of Offenders Act separate from and in addition to any data protection consequences.

Moreover, in March 2015, s56 of the DPA, the last section of the DPA to come into force, became law, making it a criminal offence for an employer or prospective employer to force its employees or job applicants to obtain a copy of their criminal records by means of a subject access request and then supply it to the employer in connection with their recruitment or continuing employment. It also prevents any person from requiring another person to make this kind of subject access request as a pre-condition to supplying them with goods or services. The point of this is to prevent details of spent convictions being released and to ensure that these sorts of criminal records searches are carried out under the criminal records disclosure regime operated by the DBS.

Credit checks

Depending on the role and the company's business, employers may want to conduct a credit check against an applicant to check their financial background.

As with criminal background checks, the search should be proportionate. As such, it is more likely to be considered necessary and appropriate for an employer to perform a credit check against an applicant who is applying for a senior role involving financial duties (e.g. a financial director), as opposed to a junior role or a role which does not contain any financial responsibilities (e.g. a graphic designer).

Employers face the difficult challenge of striking a balance between seeking information in order to hire the right candidates and complying with their obligations under the DPA.  The more data employers collect regarding an applicant, the more they will 'know' about the candidate when deciding whether or not to offer employment.  However, in doing so, employers stand a greater chance of breaching their obligations under the DPA and other statutes.

Employers should focus on proportionality of any searches carried out and should be transparent with applicants in respect of the vetting process.  Proportionality will differ on a case-by-case basis, largely depending on the company's business, the role and the responsibilities assigned to the role.  As such, individuals in charge of the recruitment process should think twice before typing an applicant's name into Facebook.