Steps to GDPR Compliance: The Right to Be Forgotten
Post number 4/12 in HireRight's "Steps to GDPR Compliance" blog series examines the GDPR's "right to be forgotten," and what this means for businesses conducting background checks on their candidates or existing workforce.
Step 4 – The Right to Be Forgotten
What is the right to be forgotten?
Article 17 of the GDPR contains the right to have data erased, otherwise known as the right to be forgotten. The principle behind this, as stated by the UK Information Commissioner’s Office (ICO), is to “enable an individual to request the deletion or removal of their personal data where there is no compelling reason for its continued processing”.
When does the right to be forgotten apply?
A data subject can exercise the right to be forgotten against the relevant data controller. This right is qualified under Article 17 of the GDPR, and may be exercised only in certain circumstances where:
The personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
The individual withdraws consent.
The individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
The personal data was unlawfully processed (i.e., otherwise in breach of the GDPR).
The personal data must be erased in order to comply with a legal obligation.
The personal data is processed in relation to the offer of information society services to a child.
When could the right to be forgotten arise in connection with employment background screening?
As part of background screening, hiring entities ask their background screening supplier (e.g., HireRight) to collect and verify the personal information of a candidate. The screening company then obtains that verifying information from one or more sources: e.g., a referee, academic institution, government source or database. The background screening report that is prepared, containing the candidate’s information, is then delivered to the hiring entity to evaluate in connection with its hiring decision. The candidate to whom the report relates is able to make a subject access request (SAR) to obtain a copy of their background report from the prospective employer (please see blog 3 – “What are you looking at?” Will subject access rights become the vogue under the GDPR?). Additionally, should that candidate believe that they are able to do so under Article 17 of the GDPR, the candidate could make a request for certain data to be erased by the data controller.
Can a background screening supplier and its client comply with a right to be forgotten?
As noted above, there is a processing chain involved in background screening:
Hiring entity as data controller requests services to be provided to it by its screening supplier.
Screening supplier as data processor collects personal information from the candidate directly and/or verifying data sources.
Sources verify and provide related information pertaining to the candidate.
In the case of the right to be forgotten, the data controller (i.e., the hiring entity) must respond to and, if/as appropriate, comply with any SAR made, which may include instructing the screening supplier to destroy the candidate’s background report information. That said, while the hiring entity and, upon its instruction, the screening supplier can agree to halt processing or delete a background report from their systems, they are not able to delete the candidate’s information residing with a third-party source who provided it to the screening supplier. So, a candidate may want to further identify the sources of such information, so that they can, if/when appropriate, contact them directly to discuss the candidate’s right to be forgotten. A screening supplier and hiring entity can help in this regard by having procedures in place to assist candidates, upon their request, with identifying the source(s) that provided such information. The screening supplier can then, e.g., pass this information to the hiring entity, or to the candidate upon instruction from the hiring entity, to enable the candidate to contact the data source.
What does the right to be forgotten mean for background screening?
Whilst a candidate might intend to exercise the right to be forgotten with respect to the background report produced, the screening supplier and hiring entity can really only assist in supporting that process by making available the source details to the candidate.
Release Date: September 6, 2017
Caroline is a UK qualified lawyer with over 18 years’ experience and currently serves as HireRight’s Deputy General Counsel for the EMEA and APAC regions. When not “lawyering” or writing blogs, Caroline can be found striking yoga poses in remote locations such as Mongolia and Bhutan.