Employment and pensions

GDPR for HR | AI in recruitment, EU employee transparency legislation, data privacy legislation in the US and more

Published on 5th Sep 2022

Welcome to this third edition of our GDPR for HR newsletter, bringing you a snapshot of developments, cases and insights relating to privacy in the workplace.

Deciphering data: our monthly hot topic

Using AI in recruitment: possible discrimination risks

The Information Commissioner’s Office (ICO) has announced plans to investigate the potential risks of discrimination from employer use of artificial intelligence (AI) in recruitment. Their concern is that using AI could introduce bias into the recruitment process, particularly in relation to neurodiverse employees and/or ethnic minorities.

People analytics software is increasingly being used in recruitment as part of a trend towards HR becoming more data-driven. In theory, data analysis could be used to optimise recruitment by reducing the time to hire and increasing recruitment quality through minimising unconscious bias. However, recently, there have been concerns that some AI recruitment tools have actually increased discrimination against ethnic minorities, as well as neurodivergent groups. This is due to the speech and writing patterns used in these tools, which can amplify the human biases of those designing the software. This is of particular concern where recruitment software is used to "sift" recruitment applications, as this could lead to diverse applicants being unfairly disregarded at early stages of the application process. Some companies have recently backtracked on implementation of AI recruitment tools as they uncovered evidence that the software was favouring certain demographics.

We expect to see some updated ICO guidance on this topic to assist employers in implementing AI recruitment software successfully and in a manner that ensures people and their data are treated fairly. Ahead of this guidance, employers are encouraged to do their due diligence before implementing any third party AI recruitment software to fully understand any discrimination risks. It is also important that HR teams are open with candidates about how the technology is being used, to reduce the risk of negative backlash.

In the news

EU Transparency Act

The EU has recently introduced the Directive on transparent and predictable working conditions (also known as the EU Transparency Act).

The Directive has introduced a right for new and current employees to receive certain terms of their employment including details of any automated decision making (ADM) and information ahead of any international postings. The Directive was due to be implemented into domestic law by EU Member States before 1 August 2022. Although not all Member States have met this deadline (for example, France and Spain), we can expect to see implementation across the EU over the next few months.

Employers will be required to communicate to their employees "the essential elements and conditions of the employment relationship, as well as the relevant protections". This means that employers can no longer make a generic reference to collective bargaining agreements. The kind of information that must be provided includes all types of remuneration (as well as the frequency of payment), the duration and any conditions in respect of probation, and any internal policies in respect of overtime. This information must be provided to all new hires and to any existing hires within 60 days of request.

Employers are also required to inform employees of any ADM or monitoring systems utilised by the company in respect of its employees (for example, in recruitment, performance assessment or management processes). Employees can also request certain information in respect of these automated systems (such as the purpose of the system, how the system operates and the main data categories used to program the system).

Where an employee is to be posted to a different country as part of their employment, the Directive also places an obligation on employers to provide them with information such as the currency in which they will be paid, any conditions governing repatriation and the expected duration of the placement.

Osborne Clarke round-up

The American Data Privacy and Protection Act: how does it compare to the GDPR?

The US could see its first federal privacy legislation this year if the American Data Privacy and Protection Act (ADPPA) is passed in its current form. To date, privacy legislation in the US has only been passed at state level (in California, Colorado, Connecticut, Utah, and Virginia) and has primarily been focused on data security rather than the rights of individuals in respect of their data.

The ADPPA would introduce additional rights for individuals in the same way the GDPR has in the EU. In a recent Insight, Osborne Clarke reviewed and analysed the ADPPA and compared it with the GDPR to illustrate where it might be possible to leverage existing GDPR compliance documentation and procedures and where additional changes may be required.

There are many similarities between the ADPPA and GDPR regimes. In particular, the ADPPA applies to "covered data", which has significant cross-over with "personal data" under the GDPR, in that it applies to information that identifies (or could be linked with other information to identify) an individual. Individuals are also given rights to request access, correction and deletion of "covered data" in a similar manner to individual rights under the GDPR. "Sensitive covered data" is also given special status under the ADPPA comparable to the status of "special category data" under the GDPR.

However, there are some key differences between the ADPPA and GDPR regimes which may cause issues with implementing consistent privacy frameworks across businesses. For example, "individuals" under the ADPPA only covers US residents, meaning that individuals residing in the EU will not enjoy protection under the ADPPA when their data is processed. Under the ADPPA, companies in the same group are not considered "third parties" in the same way as they are under the GDPR. This could mean that data transfers within a corporate group are excluded from the requirements for transfers that would typically apply.

UK government proposes clamp down on use of DSARs as a litigation tactic

This recent article discusses the UK government's plan to reform the legal framework around Data Subject Access Requests (DSARs). These proposed changes would widen the scope for companies to refuse to respond to DSARs where they are "vexatious or excessive".

'Dipping into Data' box set and Autumn 2022 series

Our 'Dipping into Data' box set collects all of our most recent webinar sessions in one place so that you can revisit them, share them with your colleagues and watch the ones you have missed. The latest series covered a wide range of topics including diversity, inclusion and data; intellectual property rights; data privacy issues; contractual considerations; competition law; and sector specific regulation.

In addition, the sessions for our autumn 2022 series have recently been released. Details of the upcoming sessions are listed below along with links to register to attend.



* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
