GDPR blog #2: The complexities around handling psychometric data

This blog was written by Johannah Palmer, Edgecumbe’s Office Manager, Data Protection Officer, Information Security Administrator and Service Manager for the Doctor 360 team. This is the second blog in our series on psychometrics data within the context of GDPR. In her first blog, Johannah set out the issues to consider when using psychometrics for employment purposes. In this second blog, she will focus on why psychometrics are special category data and the consequences of their special status for HR professionals.

Key points  

• Psychometric data are regarded as health data and are subject to the additional safeguards which apply to all special category data – something that HR professional need to be aware of so that can handle the data accordingly.
• By default, processing special category data (including psychometric data) is prohibited under the UK GDPR. In order to do so, not only must a lawful basis be identified under Article 6, but a permitted exception must also be established under Article 9.
• Explicit consent may not be a suitable permitted exception when processing psychometrics so it may be more appropriate to use other lawful bases, such as legitimate interest or contractual obligation, to process psychometrics for recruitment, employment, and development purposes.

Psychometrics as special category health data

Under the UK GDPR, special category data are those considered to be particularly sensitive, due to the risk to an individual’s rights and freedoms that their misuse could entail. These include data on an individual’s health. Under the current Data Protection Directive, ‘health data’ encompasses a broader range than ‘medical data’ and includes information about a person’s intellectual and emotional capacity. For this reason, psychometric data are regarded as health data and are subject to the additional safeguards which apply to all special category data, meaning that HR professionals should be aware of the risks associated with handling psychometric data.

The implications for HR professionals of handing special category psychometric data

• Enhanced data protection requirements: HR professionals must adopt additional data protection measures, implementing appropriate technical and organisational measures to safeguard the data, and limiting access to authorised personnel only.
• Increased legal and compliance risks: HR professionals need to ensure that their data handling practices include establishing a suitable legal basis and permitted exceptions for processing, maintaining data confidentiality, and adhering to data retention and deletion requirements.
• Ethical considerations: Psychometric assessments, if not used appropriately, can introduce biases into decision-making processes. HR professionals need to ensure that the collection and use of psychometric data is fair, transparent, and aligned with principles of fairness, equity, and non-discrimination.
• Employee privacy concerns: Employees and job applicants may have concerns about the collection and use of their psychometric data. HR professionals need to be transparent about the purpose of collecting psychometric data, provide clear explanations about how the data will be used, and address any privacy concerns raised by employees or job applicants.
• Additional training and expertise: HR professionals may need additional training and expertise to handle psychometric data in a compliant and ethical manner. This may include training to understand the validity and reliability of psychometrics and implementing additional data handling practices to protect the confidentiality and integrity of the data. HR professionals should seek legal or professional advice when necessary to ensure compliance and mitigate potential risks. 

Establishing the legal basis for processing psychometric data in accordance with Articles 6 and 9 of the UK GDPR

By default, processing special category data (including psychometric data) is prohibited under the UK GDPR. In order to do so, not only must a lawful basis be identified under Article 6, but a permitted exception must also be established under Article 9.

• Article 6 of the UK GDPR: Choosing the right legal basis for processing psychometric data can be a complex process. Consent, legitimate interest, and contractual necessity are potentially suitable bases, but the appropriate legal basis can vary depending on the specific circumstances so HR professionals may need to take expert legal advice.
• Article 9 of the UK GDPR: Choosing the correct permitted exception under Article 9 of the UK GDPR can be similarly challenging. Article 9 provides limited permitted exceptions including explicit consent, employment-related purposes, and reasons of substantial public interest. However, each exception has specific requirements that must be met before processing can occur. Furthermore, the interpretation and application of the exceptions may vary depending on the specific circumstances, and this increases the risk of non-compliance, which can result in significant legal and financial consequences.

Why explicit consent may not be a suitable permitted exception when processing psychometrics

The UK GDPR states that where the permitted exception ‘explicit consent’ is used, it must be freely given, specific, informed and unambiguous. Whilst this may seem like an obvious permitted exception to use in recruitment, employment, or development contexts, it may not be suitable in some everyday circumstances.

• Unequal bargaining power: In many cases, employees or job candidates may feel obliged to consent to psychometric testing as part of the recruitment, employment, and development process. They may perceive this as a requirement or demand from the employer, which can violate the requirement that consent is freely given.
• Discrimination: Psychometric tests have the potential to reveal sensitive personal information, which may lead to discrimination. Therefore, relying on consent alone may not be sufficient to ensure that the processing of this data is fair and non-discriminatory.
• Informed consent: Consent must be informed, meaning that individuals must have a clear understanding of what they are consenting to and its potential consequences. Psychometric tests and the way they are used to inform decisions can be complex and difficult to understand, which may impede individuals’ ability to give informed consent.
• Withdrawal of consent: Individuals have the right to withdraw their consent at any time, but this may not be practical in situations where the psychometric test has already been taken, and the results have been analysed and used in decision-making.

Therefore, it may be more appropriate to use other lawful bases, such as legitimate interest or contractual obligation, to process psychometrics for recruitment, employment, and development purposes. These bases require organisations to demonstrate that the processing of special category data is necessary for a specific purpose and that this purpose outweighs any potential risks to the individuals’ rights and freedoms.

We trust that this article has effectively highlighted the intricacies associated with managing psychometric data, offering valuable insights for contemplation. Moreover, it emphasises the benefits of relying on a reputable company like Edgecumbe, known for their expertise in navigating the complexities of handling sensitive psychometric data.

If you would like to talk to us about using psychometrics safely within your organisation, please do get in touch through the website or by emailing us at enquiries@edgecumbe.co.uk.

Or perhaps you might be interested in joining us at an upcoming seminar in conjunction with Clarke Wilmott where we will be offering insights into psychometric testing, including how they can:

• significantly reduce people costs;
• provide objective evidence to reduce bias and discrimination in hiring decisions;
• support employee engagement by encouraging self-development;
• be used safely under the UK GDPR.