In reply to Matthew:

"Should consider" to my mind means that there should be a written record - probably a letter on file written by the Academy CEO or Head Teacher - that sets out the school's position as to whether or not they consider an online search to be an essential part of the selection process or not.

Further, "online search" is a very broad term. It's one thing to Google someone (I have a very Googlable full name, as I am literally the only person in the world with my name and you would quickly discover my dirty secret as the author of a series of extremely geeky science fiction wargames). But crawling through someone's Twitter history to see if they ever "liked" something dodgy is another level of intrusion and, whilst I would definitely recommend this for some roles, it would be overkill in many others.

In reply to David Perry:

Of course, David. But in an interview, the candidate has a lot of control over how they are perceived and the interview process - especially in a school or other public institution - is very open to close scrutiny if there is a suggestion of unlawful discrimination. The conduct of a social media screening is not so open nor so easy to curate.

If you know you're going to be screened, you can enhance your privacy settings and delete or hide old content, but many of us have been digital natives since the beginning. But is it fair and reasonable to expect people to do this? If I made a stupid tweet fifteen years ago, should that be used against me in a job appointment? Of course, if that's an appointment to the Head of MI5 then the answer is probably "yes, yes it should". But if it's an appointment to a TA position at Little Whistling Church of England Primary School, the answer is far more likely to be "no".

I have read the 'Keeping Children Safe in Education 2023' guidelines - I cannot see in there where it recommends that social media screening is recommended at all, let alone as a 'must' or 'should' step.

Robey has correctly identified the issue with potential discrimination, and you should ask yourselves what business is it of the organisation what any potential employee posts on their social media. Is what you are proposing likely to be deemed a reasonable and proportionate activity to achieve a legitimate aim?

As a data protection practitioner, I am often asked to guide and advise organisations on these kinds of questions, and so with my hybrid HR and data protection hat on I would challenge the organisation thus:

• why is this deemed a necessary step?
  • has the organisation carried out a data protection impact assessment for this action? If not, how will they justify their actions if challenged by any party, including the Information Commissioner's Office?
  • what issue is this attempting to address / resolve? Do you have historical evidence that this is an issue you are trying to address with this action?
  • is this a necessary step to meet a legal obligation? Can you show that this is the case, in the event that it is challenged in an employment tribunal or civil litigation procedure?
  • what will the likely impacts be on the individual as a result of this action? How will the organisation ensure data minimisation principles are met?
  • does the organisation have clear policies, guidelines and privacy statements for the impacted parties about their proposed screening, the necessity and justifications or exemptions in law (UK GDPR and the DPA 2018 Schedules require this), onward uses and potential effects or consequences as a result of the actions (such as sharing internally with decision makers, with external parties or authorities, an application rejection, etc.)?
  • who will carry out this action? What are their credentials and prior training in regard to data protection law and appropriate data handling? Can you evidence this as part of your risk management and assurance planning?
  • how long will the information gained as a result of this action be retained? How, when, and based on what criteria will the information be destroyed? What assurances can the organisation provide for this?
  • who will have 'access' (i.e. knowledge of) any information gathered from this action? Is this restricted according to any organisational information hierarchy procedures?
  • where will any information gained from this action be stored? How will it be secured and kept safe from unauthorised access, harm, alternation, or other definitions of a data breach?
  • is the organisation insured for this action, and any potential consequences that may result from it?
  • has the organisation sought specialist or legal advice before carrying out this action?

These are all steps that the Information Commissioner would expect of any organisation looking to carry out privacy-intrusive processing of personal or special category data for employment purposes. Remember that the first principle of data protection law is that all data processing must be fair, lawful and transparent.  And all processing must be deemed necessary, and justified in law according to a narrow list of reasons.

If your organisation is able to answer all of those to the satisfaction of the law, then I say crack on - but if the organisation can't meet these rigorous questions, I'd be careful.  There are enough examples of ICO enforcement decisions and action, as well as tribunal case law involving social media intrusion, that any organisation should be wary of overstepping the mark. 

Kindest regards,

Kim

In reply to Robey:

The thing is that no one would stick their head above the parapet and say "we have considered and decided this isn't necessary". With all things safeguarding those in charge will add additional layers, not take them away. At least in schools we do this as a living so we know what we're doing.

It's far worse in voluntary organisations. I am a Cadet Force Adult Volunteer and our hierarchy have put in place things that would be considered way OTT in education. A big one is the DBS Update Service which was designed in part for people with multiple volunteering with regulated activity involved. None of the organisations with which I have volunteered (major nationally regulated sport, two youth development charities) will accept an Update Service DBS as "legally we have to have our own" or "it's not as thorough as a proper one".

Sorry, a bit OT there. Ultimately we have little input on the provisions set out in KCSiE; they are there for a very good reason; safeguarding trumps everything; and we just get on with it.

In reply to Kim:

The online search is in para 221, Kim, I copied & pasted directly from the document! It reads:

221. In addition, as part of the shortlisting process schools and colleges should
consider carrying out an online search as part of their due diligence on the shortlisted
candidates. This may help identify any incidents or issues that have happened, and are
publicly available online, which the school or college might want to explore with the
applicant at interview. Schools and colleges should inform shortlisted candidates that
online searches may be done as part of due diligence checks. See Part two – Legislation
and the Law for information on data protection and UK GDPR.

The paragraph on GDPR referred to is this one:

94. It is important that governing bodies and proprietors are aware that among other
obligations, the Data Protection Act 2018, and the UK General Data Protection
Regulation (UK GDPR) place duties on organisations and individuals to process personal
information fairly and lawfully and to keep the information they hold safe and secure. See
ICO guidance ‘For Organisations’ which includes information about your obligations and
how to comply, including protecting personal information, and providing access to official
information.

I would suggest that a school could rely on the legal bases for processing of legal obligation, public task or legitimate interest to check people's online profile. Must admit, as it's something schools just do, about having a DPIA for the online searches. However all that is recorded at my current school is that I have done the search and the date it was done.

In reply to Matthew:

The guidance from the ISI (the independent sector equivalent to Ofsted) in Sept 2022 around the way that we would be inspected on the back of this new KCSIE requirement said:
"When looking at individual employment files, inspectors should check whether schools considered carrying out online searches in accordance with KCSIE from 1 Sep 2022. Where such searches were carried out, the consideration will be evident. If they were not carried out, schools will need to satisfy inspectors that due consideration took place. KCSIE uses the term 'should' when the advice set out should be followed unless there is good reason not to. If online searches did not take place, inspectors will consider all the circumstances in order to decide whether there was compliance with KCSIE and therefore paragraph 7b of the Standards."

As ever, safeguarding trumps all other concerns. We make it very clear in our recruitment packs, invitations to interview etc that recruitment checks will be done - but as Robey notes, the phrase "online search" is very different to a social media vetting process. We work on a light touch basis, in line with the intention of the legislation (which as I say was as a back up to other checks to ensure that any criminal conviction that was somehow missed through the formal processes but available online could be picked up). Our checks are carried out by someone not involved in the interviews, and they simply pass on any information that might need to be picked up - usually to me, as I do a safeguarding interview with each candidate.

In reply to Nina Waters:

Pretty similar here, Nina. We're independent & I was in an interim role at an independent school just prior to this requirement coming in with a foray into the maintained sector before this job.

While I'm Safer Recruitment trained I haven't yet conducted an interview in this role so I do the online checks. As it happens most of the teachers I've done checks on don't even use their full or known names on Facebook & the like!

In reply to Matthew:

I do have the document, as I am a tutor myself so am subject to similar checks on an annual basis. However, as Robey and Nina have pointed out, an online search is not the same at all as a social media vetting process.

I'm concerned that the data protection legislative requirements are potentially being oversimplified here, and passed over in favour of safeguarding legislation - forgive me if that's not the case, it just seems there is a lot of misinterpretation within the HR profession about how data protection law intersects with people management functions, and HR / employment data processing.

I must respectfully disagree that safeguarding law trumps everything else - there are MoUs to guide and dictate the balance when laws create disparities, friction, or discrepancies. Therefore, it is incumbent on an organisation to investigate the boundaries, to find the best way forward with multiple legal requirements in mind, not opt for the one they feel is most important or that appears, to them, to carry the most immediate or impactful risk. A DPIA will help do this most effectively, if done right.

The guidance issued for the KCSiE is that where 'should' is used, organisations follow this, unless there is a good reason not to. The very same guidance is keen to point out legislation on equality, discrimination and human rights, and it should be emphasised here that these rights apply to staff (and potential hires) as well as to students, parents and guardians. Section 94 is, from a data protection perspective, woefully inadequate, and nowhere in the document is there any kind of solid guidance on how to meet the challenge of compliance with data protection legislation. That is quite poor, and even more reason to seek specialist or legal guidance, since the KCSiE has very little to offer in that respect.

Leaning on 'should' in the guidance as meeting the tall bar of "necessary for compliance with a legal obligation to which the controller is subject" is a bit of a stretch, and is not enough to justify the activity of scanning candidate social media profiles, not by a long shot; the word 'must' would indicate the legal obligation, whereas 'should' does not.  "Necessary for the performance of a task carried out in the public interest" is nearer the mark (see here and also here), but this brings into play the need to review and rely on DPA Schedules for public interest processing as well as employment related and criminal record data processing. "Legitimate interests" to justify processing does not stand up without an Article 9 justification as well, and is generally not acceptable if there is more than a minimal or limited privacy impact on an individual - a legitimate interest assessment would help here.

It is a common myth that information in the public domain is up for grabs for whatever use the viewer might want to put it to - this is not the case, and there are case law decisions that uphold the rights to privacy for social media profiles, and even 'controversial' posts.  Since social media will most likely contain special category data, there is the requirement for at least one Article 9 justification as well as an Article 6 justification. It is also worth pointing out that using a lawful basis to try to justify any action that is at odds with the basic principles and data subject rights of the UK GDPR is not a valid justification at all, which then means a breach of the first principle of the UK GDPR (that all data be processed fairly, lawfully and transparently).

Similarly, seeking explicit consent requires that consent to be well-informed, which is impossible without most of the considerations on my previous checklist, and so any such consent would be invalid.  Remember, the test for consent under UK GDPR is that it gives genuine choice and control to the individual, is as easy to withdraw as it was to give and must not be a precondition of service, is not tied in with terms and conditions (i.e. of employment), and that there be no imbalance of power in the relationship between the parties. If the social media screening violates the individuals' rights, or was not clearly and transparently articulated for use and impact, then any consent given is invalid, and the first UK GDPR principle is breached.

I cannot agree that searching someone's social media profiles will not be discriminatory or intrusive, or that isn't likely to be viewed as such by the regulators, in addition to being excessive.  Unless the organisation can show that this is a reasonable and proportionate means to achieving a legitimate aim (i.e. making the best hiring decisions and eliminating the risk of hiring unsafe people to work with children), and that on balance this is the best way to do this in light of all other options open to them, then it feels like a sledgehammer to crack a pine nut.  The adage "if you have nothing to hide, you have nothing to fear" is Orwellian and is not present in current privacy laws, or in the legal frameworks in place to protect privacy rights (i.e. the UK GDPR, the DPA 2018, Rehabilitation of Offenders Act, Equality Act, HRA, ECHR, concept of fairness in the ERA 1996, Investigatory Powers Act, etc.).

The point I made in my earlier reply is that if this is a step an organisation wants to make, there are preparatory and legally required assurances that need to be in place first, if they ever hope to be able to stand by their actions.  Of course, Giedre hasn't commented on any of that, so we can't assume either way about the current policies, planning, risk assessment or accountability steps already in place ahead of this practice being implemented in her organisation.

Ultimately her organisation can make any decision it likes about hiring, so long as they do so in a lawful, fair and non-discriminatory way - but if any decision is open to interpretation or challenge by a rejected candidate for suspected foul play or discrimination from a legislative or inherent rights perspective, my earlier checklist at least give a more robust fighting chance of defending such actions.

I hope this helps - it's a long reply, but having delivered a data protection and GDPR course for the CIPD only this morning, to a range of HR professionals, I feel quite strongly about correcting misconceptions when they arise.

In reply to Kim:

A fascinating response, Kim, thank you. I will need to digest properly later as up to eyeballs at the moment.

In reply to Kim:

I've worked in schools for 7 years and it still worries me that there is a mindset that safeguarding trumps all, including other laws/legislation like DP.

Three of our academies have been inspected since this was introduced to KCSIE, and not one has even mentioned the online checks, with one even referring to the two reference rule that went out years ago! The problem is that most inspectors have no idea about anything to do with HR practices, employment law or DP legislation.

We're actually holding back on the online checks as we're pushing for more guidance on what checks should take place for DP purposes e.g. full name, previous names, nick names/known as names, and is this alongside places lived, places of work, and then how far back do you go. It's an absolute minefield TBH.

In reply to Kim:

The two links a bit hidden in Kim's post are:

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/lawful-basis-for-processing/public-task/

and 

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data/what-are-the-substantial-public-interest-conditions/

(Thanks, Kim).

In reply to Kimberly:

That's very interesting, Kimberly, thank you. KCSiE para 222 refers to references plural, and so I have always asked for two. Some school applications I've completed have asked for three!

If there is a change that only one reference needed I will save a lot of time, effort & phone bill chasing up those that are delayed...

In reply to Gemma:

The safer recruitment guidance in KCSIE only talks about identifying 'incidents and issues that have happened and are publicly available online'. Within my organisation, we ask the candidates during application for their details for various social media / online platforms and check them to make sure everything is as it should be, and where an account is completely private and locked down, we feel comfortable with the check completed as there is nothing concerning available to the public.