The world's most frenetic search for new employees came to its conclusion a month or so ago, as football's January transfer window closed with the now-established merry-go-round of last-minute moves. Aubameyang to Arsenal, Alexis leaving Arsenal and Mkhitaryan departing Manchester were the headline grabbers as England's top clubs looked to bolster their squads heading into the season's business end.
For the most part, football due diligence comprises a pragmatic assessment of what a player can do on the pitch. Pierre-Emerick Aubameyang's allegedly contrarian stance towards the end of his employment at Dortmund did nothing to deter Arsenal when placed in the context of his goal-scoring record, while newspaper claims that Alexis Sanchez offered a student £1,000 for a night of passion behind his girlfriend's back were never going to put Manchester United off securing his signature.
A more meticulous approach?
Nevertheless, there are indications that football clubs (and other employers) are adopting an increasingly meticulous approach to recruitment, especially in the age of social media. In December 2017 The Times published an article detailing the use of investigative firms by top football clubs as a means of conducting due diligence on existing and targeted players. The ever-intensifying scrutiny to which those in prominent roles are subject means that this kind of analysis is only likely to increase. Employers' concerns centre on the potential for skeletons to emerge from the closet, affecting not only the individual's reputation but also that of the organisation.
In football, the club has often, in the past, been able to ride out the reputational damage caused by most footballer-related crises, although the high-profile case of Adam Johnson's relationship with an underage girl is a notable example where there was significant collateral damage, leading to the resignation of Sunderland's chief executive, Margaret Byrne. On another level, the evidence would appear to suggest that troubles at home can lead to deterioration in performance levels, which, in the highly pragmatic world of professional sport, is what matters most. See Tiger Woods for the ultimate example.
In any case, the recent spate of allegations relating to the treatment of women by men in powerful positions means that the usual attitude of "footballers being footballers" is unlikely to carry weight. It is therefore hardly surprising to learn of the lengths to which football clubs are going to manage risk. From a legal perspective, there are of course important considerations in any intelligence gathering exercise on current or future employees (outside the standard giving of references and DBS checks). These include, in particular, the privacy and data protection rights of the individual concerned.
Privacy rights and data protection
Analysis of information already widely available to the public, including for instance on social media accounts, is unlikely to amount to a breach of privacy. Specifically, the individual is likely to find it difficult to establish that they had a reasonable expectation of privacy in relation to the information.
However, the position under data protection law (as set out in the Data Protection Act 1998 (DPA) and, from 25 May 2018, the General Data Protection Regulation (GDPR)) is more complex. Under GDPR, organisations will be considerably more accountable for the way they process personal data and must, in particular, keep a record of what processing was undertaken and the lawful basis for it. For obvious reasons, intelligence and investigative firms are not often going to be able to rely on the consent of the individual. As such, they will need to consider alternative reasons for processing; the most obvious of these appears to be the "legitimate interests" of the football club or other organisation which provides the instructions, including (for instance) the protection of the organisation's reputation. Nevertheless, firms will need to have a clear understanding of why they consider the intelligence gathering satisfies the legitimate interests requirement.
The situation becomes yet more complicated as the level of intrusion into the individual's personal life increases. Sensitive personal data or "special categories of personal data" as they are known under GDPR (such as information about political opinions or sex life) that have been "manifestly made public" by the individual (such as on their Facebook account) are not (in general) subject to the restrictions imposed by data protection law. But where this is not the case, the bases on which this kind of data can be processed are more stringent.
In particular, the legitimate interests ground does not apply in relation to sensitive personal data, meaning that (unless the information has been made public by the individual) organisations will need to rely on one of the other grounds listed in the DPA or, shortly, GDPR. Two grounds that will often be relied upon in the absence of consent or where information has not been made public are where the processing is necessary for the establishment, exercise or defence of legal claims or for reasons of "substantial public interest". However, in reality, it is difficult to envisage why either of these would apply when conducting due diligence on individual players prior to transfer, or indeed on existing employees (aside from where, for example, there are justified suspicions of unlawful activity or misconduct).
A more hopeful avenue might be the argument that the information gathering on players is necessary for the purposes of carrying out obligations and/or exercising rights in the context of employment, meaning that consent is not required. Employers could legitimately argue they have a right to know if there is anything likely to cause damage to the organisation's reputation and integrity. Both the DPA and GDPR provide for this type of processing. However, neither explicitly states whether third parties (such as intelligence firms) can rely on the relevant provisions where they carry out work for current or prospective employers; the legislation refers to the obligations and rights of the data controller (i.e. the organisation that determines the purpose for which the data is being processed) but it is not clear whether this can only be the employer (e.g. a football club) or also any other data controller (such as an intelligence firm) involved.
While organisations that simply process data on behalf of the controller may be able to argue that any liability should be passed on to the controller, this is not necessarily the case when it comes to intelligence firms. They could themselves be data controllers (they will usually for instance determine the methodology they use for collating information and reporting on the subjects of their work). As such, they will need to demonstrate that they, as well as the employer, should benefit from the employment condition for processing.
In more general terms, under the current ICO Code of Practice, vetting of potential employees is permitted by employers but a number of considerations have to be taken into account. Specifically, the Code of Practice suggests football clubs would need to demonstrate that there are significant risks involved to them (or other individuals/organisations), such as to their reputation. The Code also states that vetting should be done as late as practicable in the recruitment process (in this context, that is likely to mean no earlier than when negotiations for the signing of a player have commenced) and should only be used as a means of obtaining specific information and should not be used as a means of general intelligence gathering.
Prospective employees should also be notified that vetting might take place and what sources will be used. This latter point may of course result in a clear-up job on a player's internet profile, thereby artificially removing potential areas of concern. As such, there may be a legitimate basis on which to provide a relatively short period of notice in respect of proposed intelligence gathering. Of course, in many cases (especially where more covert means are involved) the preference will be not to notify at all. Where this is so, there is a clear risk that any intelligence gathering will constitute a breach of data protection laws; this is all the more so given the notification requirements set out in Article 14 GDPR (which arguably veer too far towards the rights of the individual when one considers the work of companies like intelligence firms). As such, it may come down to a simple balancing of the commercial risks of failing to notify against the long-term reputation and potential performance risks of signing a player with a negative back story.
Finally, it goes without saying that any attempt to intercept an individual's private communications will not only be a breach of privacy but also (in all likelihood) amount to a criminal offence under the Regulation of Investigatory Powers Act 2000 and section 55 of the DPA.
In reality, the high skill levels of many investigative companies mean that a huge amount of information can be gleaned from sophisticated online searches against publicly available information. In most cases, this will be sufficient to satisfy organisations (be it a football club or FTSE 100 company concerned about the behaviour of a potential CEO) of the level of risk that the individual may pose to their reputation, performance or balance sheet. Indeed, organisations would be well advised to consider this sort of analysis in respect of individuals entering prominent and/or high-profile roles. Such online analysis is not without legal risk (especially in the minefield that is data protection law) but is certainly easier to justify than more covert methods. In the latter cases, a much more detailed analysis of the privacy rights of the individual is essential in order to prevent the organisation falling foul of litigation, the wrath of the Information Commissioner, adverse publicity or (worst of all) a combination of all of these.
If you require further information on anything covered in this briefing please contact Tom Rudkin or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, March 2018