This blog was written by Johannah Palmer, Edgecumbe’s Office Manager, Data Protection Officer, Information Security Administrator and Service Manager for the Doctor 360 team.
After five years of working with GDPR, we appreciate how difficult it is to navigate this legislation, particularly for those using psychometrics for recruitment, employment and development purposes. We also recognise that the penalties for failure to comply with UK GDPR are serious and that this creates anxieties for those responsible for collecting and using this kind of data. We are therefore planning a series of blogs on the topic, which we hope will help HR professionals to navigate their responsibilities safely and effectively. In our first blog, we set out the issues to bear in mind whenever you are thinking about using psychometrics – we will explore each of these in greater depth in future blogs.
Understand what counts as special category data
The UK GDPR requires that all identifiable personal data is handled in a manner which properly protects the rights and freedoms of data subjects. It recognises that some kinds of personal data are more sensitive than others and creates additional safeguards around the use of more sensitive types of data, called special category data. Special category data includes information about an individual’s race or ethnicity, political opinions, religious beliefs, trade union membership, genetics, biometrics, health, and sex life/sexual orientation. Under the current Data Protection Directive, legislators, judges and data protection authorities have determined that data pertaining to the health status of a data subject is much broader than the term ‘medical’ and includes information about a person’s intellectual and emotional capacity. For this reason, psychometric data is regarded as health data and is subject to the additional safeguards which apply to all special category data.
Identify the legal basis for processing special category data
The UK GDPR states that processing special category data is prohibited and may only be processed where there is a permitted exception to do so. This can make it tricky for HR professionals using psychometrics for recruitment, employment and development, as it is not a straightforward matter to identify a suitable permitted exception from those available which are:
- explicit consent;
- employment, social security and social protection;
- vital interests;
- not-for-profit bodies;
- manifestly made public;
- legal claims or judicial acts;
- substantial public interest;
- health or social care;
- public health; and
- archiving, research and statistics.
Ensure data security
Special category data is highly sensitive, and as such, must be kept secure. This means ensuring that access is restricted to only those who need it for legitimate purposes and that, where possible, it is stored in such a way that it is impossible to identify the data subject in the event of a breach of security, and that the data is deleted once it is no longer needed. It may not be enough to have put appropriate policies and procedures in place – you may also need to be able to demonstrate that you have tested your processes to identify and mitigate risks in your security
Data subjects have a right under UK GDPR to know what data you hold about them, how you are processing it, and for what purposes. You must provide individuals with access to their data and explain to them how they can exercise their data protection rights. You therefore need to be transparent about how you are processing personal data and may need to provide extra information about special category data.
Consider the impact on individuals and your responsibilities as Data Controller
The core purpose of UK GDPR is to protect the rights and freedoms of data subjects. The primary responsibility for adhering to its requirements falls to the Data Controller (the organisation which determines the purpose and means of processing). Psychometric testing can potentially have significant consequences for job candidates and employees. HR professionals must, therefore, consider the potential impact of testing and ensure that they are not discriminating against any protected groups.
By handling each of these topics effectively, HR professionals can continue to use psychometric data to support recruitment, employment and development activities in a way that is compliant with UK GDPR and protects the rights of job candidates and employees.
Over our next few blogs, we will explore each of these topics in more detail and provide guidance on how to handle psychometric data safely and effectively:
- Psychometrics as special category health data: the consequences for HR professionals.
- Establishing the legal basis for processing psychometric data – why explicit consent is usually not a suitable lawful basis when processing psychometrics.
- Edgecumbe’s approach to data security – practical considerations for HR professionals and questions to ask your suppliers.
- Data Controllers, Joint Data Controllers and Data Processors – using the guidance from EDPB on essential and non-essential means of processing to determine your responsibilities and those of your data processor.
- Profiling and automated decision making – what are the rules and what are the risks.
- Data security deeper dive – pseudonymisation, protection in transit, deletion challenges and more.
Importantly, and to ensure that your data protection processes are correct and legally compliant, we strongly advise that your candidate and employee privacy notices, along with your data protection policies, are kept under regular review.