Employers who check the social media profiles of current or prospective staff may be in breach of EU law, according to the Article 29 Working Party (WP29).
Given the amount of information that people share on social media, it’s easy to see why employers are keen to check on job applicants or staff – particularly as some of these platforms encourage users to list their place of work. However, guidance from the WP29 says this is an invasion of privacy.
The WP29, which is composed of representatives from each EU member state, doesn’t have the power to enact law, but because it polices the implementation of EU law, its guidance is influential.
These guidelines could have a huge impact on the way companies hire employees. A 2016 CareerBuilder survey, which asked 2,300 hiring managers and HR professionals about their use of social media ‘snooping’, found that:
- 70% of employers use social media sites to screen potential candidates
- 51% use social media to research current employees
- 54% have decided not to hire a candidate based on their social media profile
- 57% are less likely to interview a candidate they can’t find online
But the WP29 doesn’t stop employers from conducting social media searches on individuals altogether. Rather, the guidelines say that employers need a “legal ground” to perform a check. The definition of these grounds varies from country to country – although, as of May 2018, they will be unified under the EU General Data Protection Regulation (GDPR). In all cases, any data collected from a search must be necessary and “relevant to the performance of the job”.
This means that an employer must be looking for something specific when looking up an individual, rather than simply searching out of curiosity. For instance, employers would be permitted to research an individual if it came to their attention that they had posted confidential company information on social media or were making derogatory comments about the company or any of its staff.
If, in doing this, the employer came across additional information that they weren’t specifically looking for, that information should be ignored.
The guidelines acknowledge the argument that most information posted on social media is in the public domain, but they state: “Employers should not assume that merely because an individual’s social media profile is publicly available they are then allowed to process those data for their own purposes.”
The WP29 adds that before prospective employees submit a job application, the company must tell the applicant if they plan to check their social media platforms, and employers cannot force employees to accept friend or connection requests.
Further changes coming
Organisations will face widespread changes to the way they process data when the GDPR takes effect on 25 May 2018. The Regulation, which affects any organisation that processes EU residents’ personal data, introduces new requirements and strengthens existing ones.
These requirements give data subjects greater freedom, including the right to access any information that data controllers hold on them and the right to request that information related to them be removed.
With the compliance deadline approaching, organisations and their employees need to be prepared for the change. You can gain a comprehensive introduction to the GDPR with our one-day Certified EU General Data Protection Regulation Foundation (GDPR) Training Course.
Delivered by an experienced data protection practitioner, this training session is built on the foundations of our knowledge of data privacy laws and information security standards such as ISO 27001.