The Kenya Data Protection Act is set to impact all areas of business and more so, the HR or staffing function. In the “HR Professionals Guide to Data Protection” I gave broad insights on how the Act will affect the HR department. In this article, I consider the potential impact in the area of staff recruitment.
1. Increased Transparency
Under section 25 (b) of the Act, data controllers and processors (e.g. employers or recruitment agencies) must ensure that personal data is processed lawfully, fairly, and in a transparent manner. What does this mean? First, you must have a lawful basis for processing the data. Second, you should process data fairly i.e. as per reasonable expectations of the data subject. Finally, your data collection practices must be transparent. In other words, you should be open and honest about how you will collect and process personal data.
In the context of staff recruitment, transparency may be demonstrated in the following ways:-
- Privacy Policy: You should have a privacy policy that sets out how you collect, use, process, and protect personal data. It should also set out your lawful basis for processing each category of information, the rights applicants have over their data, and how they may exercise those rights. The privacy policy must be communicated to your applicants. If you have a recruitment portal or website, it should be available on the site and the candidate should be made aware of its existence. If you do not have a portal, you may consider communicating your policy by email. Verbal explanations should be followed by written communication. The key point is that you should be able to show that you openly communicate your data protection practices.
- Sourcing Candidates: be careful about how you call for and receive job applications. Some traditional sourcing practices, such as collecting CVs from your networks and forwarding them by email, can expose you to data privacy breach claims. To avoid issues, develop a formal way of calling for job applications. For example, you can ask applicants to apply for a job through your HR recruitment portal. Before uploading any information to the portal, applicants should have an opportunity to read and consent to your privacy policy. If you use public social media profiles such as LinkedIn, be sure to identify yourself to the candidate (your name and the organisation you are recruiting for) and seek the candidate’s consent before engaging further with them.
- Background Checks: inform applicants early in the recruitment process if you intend to carry out any verification or background checks, and seek their consent before you start conducting them. An applicant has a right to object to the checks. If this happens, you ought to pause the process, review the applicant’s reasons, and respond appropriately. Finally, if someone asks you for information about a worker’s record or for a reference, you should only provide it if you have the consent of the person whose information is being requested.
- Video Interviews: recruiters need to understand the privacy and security settings offered by video chat platforms and determine whether they are adequate. They should also seek the applicant’s consent to the video interview, including separate consent to record it. A few tips for enhancing privacy: use a unique meeting ID and password for each interview, require a password to join, do not reuse passwords across interviews, lock the meeting once all participants have joined, and keep your video conferencing software updated to the latest version.
2. Data Minimisation
Data minimisation is a key principle in data protection. It holds that one should only collect personal data that is adequate and relevant for the intended and identified purposes. In other words, the staff recruitment process should be designed with an emphasis on the collection of relevant information.
For instance, if the potential employer is a government institution, the application documents may include a CV and clearances from various governmental authorities (e.g. police, tax, and credit reference institutions). All of these may be necessary to comply with the vetting requirements laid out in the Constitution or other relevant laws. However, a private organisation may not need all these documents at the initial stages of recruitment, and asking for them too early may be an intrusion into privacy. In practice, recruiters should only ask for detailed documents from candidates who are successful in the interview process.
Again, if you intend to carry out background checks, avoid vetting all prospective candidates. Instead, vet only those who have been selected for a particular role. Vetting should not be turned into an intelligence gathering exercise; it should be focused and have a direct bearing on the role at hand.
3. Record Management
Records are central in the staff recruitment process. The Data Protection Act not only demands proper record keeping but also secure and efficient management of records. In the staff recruitment process, pay special attention to the following areas:-
- Document/Data Security: you should have a secure means of receiving applications from candidates. If you receive applications through a system, ensure that it has adequate password and access controls. You should also know exactly who has access to the system and train them adequately on maintaining the privacy and confidentiality of the information. If you receive applications by hand, direct them to a named person and ensure that they are securely received by that person. Store physical copies in locked filing cabinets.
- Document Retention – establish a data retention policy that dictates how long you will retain recruitment records. You should not keep information for longer than necessary. If you would like to consider a candidate for a future role in the organisation, inform them as such. Also, offer them an opportunity to object to the use of their information.
- Data Access Requests: applicants and employees have the right to receive their personal data in a structured, commonly used, and machine-readable format. They can also request transfer of their data from one employer to another, erasure of the data, rectification of the data, or object to the processing of any data. You should have a process in place for dealing with each kind of data-related request.
4. Recruitment Agency Compliance
Employers often engage recruitment agencies to source and fill identified vacancies. Under the DPA, employers and recruitment agencies have similar obligations in relation to the protection of personal data. This means that, besides the employer, recruitment agencies must also take the measures outlined above to comply with the Act.
Some practical considerations for the agencies include:
- Sourcing: You should have your own privacy policy (i.e. distinct from your clients’ policies). You can place the policy on your website or recruitment portal and ensure that applicants are made aware of its existence, for example with a pop-up checkbox linking to the policy. If you intend to advertise future job opportunities to applicants by email or SMS, give them an opportunity to opt in to or out of such messages.
- Data Retention: Develop policies on how long you will retain data. Delete or destroy any information that you no longer require.
- Consent: Before processing any information, give applicants an opportunity to consent to the processing of their data.
- Contracts: Have contracts in place with your clients which include your data protection compliance obligations.
- Data Security: You are responsible for putting in place security measures to protect personal data from loss, destruction, or misuse. If you decide to use an Applicant Tracking System, choose one that prioritises data security.
5. Data Sharing and Transfers
You may need to share recruitment information within your organisation or with external third parties. In this case, you need to have contractual arrangements in place with data protection clauses outlining each party’s obligations in relation to data protection.
Recruitment data should not be transferred outside Kenya unless there are adequate security safeguards in place for its protection and the applicants have consented to such transfers.
6. Data Breaches
If personal data you hold is lost, accessed without authorisation, or tampered with, you have an obligation to report the breach to the Data Commissioner’s office within the strict timeline set by the Act (72 hours of becoming aware of it). In addition, you face the risk of criminal sanctions, financial penalties, and legal suits. Therefore, you should have an organisational policy and process in place to recognise, isolate, mitigate, and respond to all security incidents. You should also make clear to your employees that they have a duty to report breaches as soon as they become aware of them. Finally, update your employment contracts and disciplinary policies to include privacy and reporting obligations.