Recent official statistics are scarce, but anecdotally it seems that many employers are using social media searches as part of their recruitment processes.
A survey from 2017 by YouGov suggests that nearly one in five organisations have decided not to employ a candidate because of what the employer saw online. And it is reasonable to assume that this figure has gone up rather than down.
Organisations are increasingly aware that whatever they can see in a google search of their potential new joiner can also be seen by their clients, potential clients, collaborators and the wider world.
Employers don’t want to hire an unsuitable candidate, and certainly not one who poses reputational risk. Online due diligence may reduce such risks. However, searching applicants online is not entirely straightforward. This piece looks briefly at some of the legal risks connected to online searches and gives some tips on mitigating those.
An online search could reveal information about an individual’s professional and private life, including about their social interests, habits, marital status, sexual orientation, religion, political affiliation etc.
Different applicant demographics are likely to have varying approaches to what and how much they share online (for example, younger applicants may be more likely to have more about themselves online and more personal information).
This opens the potential for consciously or (more likely) unconsciously discriminatory decision-making. Even if the information from the online search has no bearing on the decision taken, this doesn’t prevent an unsuccessful applicant saying that in their view the real reason they didn’t get the job was because of x or y seen online.
Data protection & privacy
There are also data protection risks, which exist whether you conduct the checks or engage a third party to do it.
Most online information is of course publicly available, but be aware that UK GDPR still applies to public domain data. Still greater care must be taken to ensure searches do not stray into non-open-source areas. Examples would be befriending or “adding” an applicant, or information over which the applicant may have a reasonable expectation of privacy.
You should not assume privacy rights do not apply because something is online. Applicants may have a reasonable expectation that certain personal information posted on social sites would not be accessed and, crucially, not be taken into account as part of the recruitment process.
For example, people have a significant amount of biographical information online which may be very historic, particularly personal, which they have not put there themselves or have limited editorial control over (eg photos of or comments about the applicant made by friends or contacts on a Facebook wall), such that it could feel inappropriate for this to be considered by a recruiter.
Remember: whatever the source of the information, you will be a “data controller” of whatever you collect. This means that you need to be proportionate and targeted in what you use, and whatever you collect you should not keep beyond the recruitment process, or, if the candidate is successful, you should be transparent about what you are retaining and why. In any event, your privacy notices should make it clear what searches you undertake.
Bad data means bad decision making?
It is highly likely that some information found online will be out of date (or undated), partial, unreliable, or misleading. This increases the risk of complaint from applicants who feel this information has been inappropriately used in a recruitment decision and could result in recruiters being unjustifiably put off applicants who are in fact well suited for the role.
In light of some of these risks ACAS’s recruitment advice says that employer should:
“Avoid using information that's on someone's personal social media profile, for example Facebook, Twitter or Instagram, to decide whether you interview or hire them. You might be breaking the law, particularly if either of the following points apply: they did not agree to you using the information in this way; [and / or] you looked at some applicants' social media profiles, but not others.”
If you do want to carry out online searches, we would suggest the following:
- Be transparent: ensure that applicants know at an early stage what your policy is in relation to online searches.
- Be proportionate: target searches as far as possible to ensure that only information that is relevant to the applicant’s suitability for the role.
- Be consistent: apply a consistent approach to all applicants. This does not necessarily mean that you need a blanket approach, but, for example, that the triggers for conducting a search are applied fairly and consistently.
- Give the applicant an opportunity to respond: if the information found online will be taken into account, give the applicant an opportunity to comment on it, so you have the full picture before making a decision. Remember that the information may be inaccurate, incomplete or misleading.
- Consider data protection / privacy issues: you should hold and process the data in accordance with your data protection policy and set out what you do in your privacy notice. In addition to this, as above, put the applicant on specific notice of your approach. While consent is generally unsuitable as a basis for processing in an employment or recruitment context, it may be a valid and practical consideration when undertaking background checks.
- Evaluate your risk assessment approach: use a consistent and fair risk assessment approach when considering the information found online as part of your recruitment decision, and have guidelines and training to help ensure that irrelevant information is not taken into account and discriminatory decisions avoided.
- Record-keeping: keep a good record of the search undertaken, results and what was done with it and decisions made.
- Consider using third parties: engaging a third-party processor on suitable terms where proportionality and lawfulness is assured may mean the employer need not see everything that is collected or viewed: they would simply get a report as to suitability, or perhaps red flags only. AI and algorithms can know what to search for in terms of keywords without any person “reading" or recording the impactful data itself. While it is legally vital that it is a human and not a machine making the key decisions, automation and use of reputable third parties can actually assist in the proportionality of the process and the minimisation of data collected by the employer.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, September 2023