In December, the ICO announced that it is developing an online resource with topic-specific guidance relating to employment practices and data protection. The ICO intends to release draft guidance on the different topic areas bit by bit, basing updates on feedback from stakeholders, before publishing the final guidance (which looks as if it will link to much of the ICO’s existing, non-employment-specific, guidance).
The initial draft guidance from the ICO offers information for employers on their data protection obligations and focuses on two key areas – “Keeping employment records” and “Recruitment and selection”.
Keeping employment records
This draft guidance provides direction on how organisations can comply with data protection laws when managing employee records. It provides specific guidance on a wide-range of topics related to employee record keeping, including on sharing workers’ personal information with other entities, what factors should be taken into account when providing employment references, what lawful bases apply when processing employment records, employees’ rights to access personal data, and how records can be kept accurate and up to date. The draft consultation for the guidance can be found here.
Recruitment and selection
This draft guidance is directed at employers and organisations involved in recruitment, including agencies, head-hunters, and consultancies. It encompasses all categories of employment relationships, such as employees, contractors, volunteers, and gig/platform workers.
Employers and recruiters often handle sensitive information during the recruitment process, including health, diversity, or criminal convictions data. In addition, organisations are increasingly turning to AI technologies to reduce the burden on recruitment teams. The guidance aims to help data controllers understand their obligations relating to recruitment data by providing greater regulatory certainty, explaining how candidates’ data protection rights can be protected, and helping employers and recruiters carry out effective recruitment exercises to comply with the relevant data protection law.
As with other ICO guidance, this guidance adopts a must, should, could framework, differentiating between legislative requirements (must), good practices (should), and optional considerations (could) to enhance compliance with data protection obligations.
The draft consultation for the guidance can be found here.
Practical tools
Both sets of guidance include practical tools such as checklists and examples. These tools are intended to offer tangible resources for employers to implement the recommended measures effectively and will serve as a practical aid for organisations to assess and enhance their data protection practices.
Public consultation
Public consultation on the draft guidance is open until 5pm on 5 March 2024, with the ICO welcoming feedback.
This comprehensive approach from the ICO underscores its commitment to transparency and the ongoing public consultation period will provide an opportunity for relevant stakeholders to contribute valuable insight into the guidance’s refinement.