Lessons from the ODPC Decision in Complaint No. 0586 of 2023, Harrison Kisaka vs. Faulu Microfinance Bank Limited
On July 7th, 2023, the Office of the Data Protection Commissioner (ODPC) issued a landmark determination in Complaint No. 0586 of 2023, Harrison Kisaka (Kisaka) vs. Faulu Microfinance Bank Limited (Faulu).
The matter revolved around the rights of individuals in the employment recruitment process, specifically concerning background checks and access to personal data. This article explores the practical implications of the ODPC’s decision and its alignment with global best practices and regulatory standards.
The basis of the complaint was a job interview conducted by Faulu, where, after a series of assessments, Kisaka emerged as the appointed candidate for the role of Credit Quality Assurance & Compliance Officer.
However, the issuance of Mr. Kisaka’s formal employment offer was contingent upon the successful completion of comprehensive background checks, a process that typically involves thorough investigations into an individual’s history. These investigations often encompass scrutinizing an applicant’s previous employment records, contacting references, conducting criminal background checks, and verifying educational qualifications. In this case, the verifications conducted included authentication of the complainant’s academic certificates and vetting of his character and reputation.
Kisaka signed a consent form authorizing Faulu to run background checks on him. Notably, the consent form indicated that he could have a copy of the processed data as well as the source. The outcome of the pre-employment screening, as explained by Faulu, revealed adverse information on Kisaka’s character which prevented Faulu, in line with its policies and procedures, from extending an offer of employment to him and ultimately led to Faulu’s decision to rescind the employment offer. In particular, Faulu found out that Kisaka had failed to disclose an ongoing criminal case against him on conspiracy to defraud.
On receiving the notification of withdrawal of the offer, which did not detail the particulars of the background checks, Kisaka requested that Faulu give him the forms containing his personal data that had been processed after he attended the interview. Faulu refused to share them, claiming that it was private information.
Kisaka filed a complaint with ODPC claiming “negative use of his personal data and discriminating him from accessing a job opportunity.” In his complaint, Kisaka sought to access the personal data that led to his disqualification from employment.
In determining the matter, the ODPC framed only one issue for determination: “Whether there was any infringement of the Complainant’s right as a data subject as provided in the Data Protection Act, 2019.”
This matter underscores the practical challenges and consequences associated with data privacy and background checks in the context of employment. We would like to highlight practical considerations that employers should consider in their recruitment process in compliance with the Constitution, the Data Protection Act and other related regulations.
1. Data contained in the background checks report amounts to personal data within the meaning proffered under Section 2 of the Data Protection Act, 2019.
Personal data is defined under Section 2 of the Data Protection Act, 2019 to mean any information relating to an identified or identifiable natural person (data subject). Section 26(b) of the Data Protection Act and Regulation 9 (1) of the Data Protection (General) Regulations 2021 grant a data subject the right to access their personal information in the custody of a data controller or processor.
2. Processing personal information corresponds with a duty to honour the data subject’s absolute right to access information.
One of the key issues in this case was Kisaka’s right to access his personal data processed by Faulu, as provided under Section 2 of the Data Protection Act, 2019. Background checks typically encompass a range of data, such as criminal history, social media presence, employment history, and credit history. The ODPC found that this information constituted personal data, and the data subject, in this case, Kisaka, had the absolute right to access it. This ruling aligns with global data protection principles, emphasizing transparency and data subject rights.
The ODPC’s decision in Complaint No. 0586 of 2023 serves as a vital reminder that individuals have rights over their personal data, even in the context of employment background checks. Employers must strike a balance between their legitimate interests and the data subject’s rights, ensuring transparency, fairness, and compliance with data protection regulations. In a rapidly evolving landscape of data privacy, this case offers valuable insights and underscores the importance of upholding data subject rights and adopting best practices in employment recruitment. Employers need to carefully consider their obligations when handling personal data in the context of background checks. Key considerations include:
- Data Subject Rights: Employers must respect the rights of data subjects, including the right to access personal information.
- Consent: Employers should obtain clear and informed consent from job applicants before conducting background checks.
- Lawful Basis: Employers should establish a lawful basis for collecting and sharing personal information.
- Handling Adverse Information: Employers should outline in their policies how adverse findings from background checks may influence employment decisions. Transparency is crucial.
- Prior Notification: Candidates should be informed of any adverse information found during the background check and given an opportunity to respond.
- Policy and Procedure Implementation: To navigate these legal and ethical considerations effectively, employers are encouraged to institutionalize the requirement for background checks within their policy documents. An elaborate policy can outline clear procedures for handling both positive and adverse findings, taking into account the nature and significance of the information uncovered. Furthermore, such policies should detail the conditions under which background check results may influence employment decisions. The policies can clearly address the following issues:
  - Review of Findings: Employers should have mechanisms in place to review both positive and adverse findings and determine their impact on employment decisions.
  - Hiring Policy: A clear hiring policy should outline how background check results may influence hiring decisions, ensuring consistency and fairness.
  - Disclosure and Authorization: Consent forms should specify the scope of background checks and their intended use in making employment-related decisions.
  - Candidate Defense: Candidates should have the opportunity to defend themselves against adverse information uncovered during background checks.
- Employers should also have policies governing situations where they are the data sharers. Embracing global best practices in data sharing for background checks is essential for maintaining trust and ensuring compliance. In this situation, it is important for the employer to consider:
  - Lawful Basis: Data sharing should always have a lawful basis, such as the necessity of the data for a legitimate purpose.
  - Clear Consent: Data providers should obtain clear and informed consent from data subjects before sharing their information with third parties for background checks. The consent form should specify the purpose of sharing and the intended use of the data.
  - Data Minimization: Share only the data necessary for the intended purpose, limiting the risk of over-disclosure.
  - Secure Data Transfer: Employ secure channels and protocols when transferring data to third parties to protect against data breaches.
  - Data Retention: Define clear data retention policies and delete data that is no longer necessary.
  - Auditing and Accountability: Maintain records of data-sharing activities and establish accountability mechanisms.
  - Establish robust data protection policies that clearly outline how data subjects’ rights will be upheld throughout the data-sharing process.
  - Transparency: Data providers should be transparent about the type of information shared and the entities with whom it is shared. This transparency helps individuals understand the process and their rights.
  - Data Accuracy: Providers should ensure that the information shared is accurate and up to date. Inaccurate data can lead to unfair decisions and potential legal consequences.
- Employers should be prepared to respond to Regulatory notices, providing relevant materials, evidence, mitigation measures, and details of their data protection policy.
- Failure to honour ODPC notices may result in enforcement actions, highlighting the need for compliance with data protection regulations.
The alignment of recruitment policies with broader data protection policies is a critical yet often overlooked aspect of organizational data management. Many organizations tend to neglect the HR function, despite it being a fundamental organ in the body of data protection. This case serves as a stark reminder that HR functions are not isolated entities but integral components of an organization’s data protection framework.
Training and awareness initiatives become paramount, as they ensure that every business function comprehends the organization’s data protection practices. This applies particularly to individuals who interact with data subjects directly, as they carry a heightened risk of inadvertently exposing the organization to compliance breaches.
This underscores the holistic nature of data protection, emphasizing the need for comprehensive audits of data flows and mapping to pinpoint every area where personal information is handled.
Furthermore, centralizing data subject requests under a dedicated Data Protection Officer (DPO) not only streamlines processes but also reinforces the organization’s commitment to safeguarding data subjects’ rights uniformly across all business functions. In essence, this case illuminates the interconnectedness of all business functions in the tapestry of data protection, reminding organizations that the strength of their data protection framework lies in its unity and coherence. Collaboration with data protection lawyers ensures that organizations can navigate the intricate web of data protection with confidence, ultimately safeguarding their reputation and adhering to legal obligations.
--
Read the original publication at TripleOKLaw.