With effect from today, all UK internet service providers (“ISP”) will be required to retain data relating to every email which is sent and every online telephone call which is made using their services. The data, which must be stored by ISPs for 12 months, will not include the content of the email or the call. It will however include the date, time, duration and routing of the online communication as well as information as to the internet subscriber or user. The obligation to retain this data is imposed under the Data Retention (EC Directive) Regulations 2009 (“the Regulations”). The regulations were enacted in order to bring into effect the provisions of the Data Retention EU Directive 2006/24/EC. The Directive was itself enacted in response to concerns that a lack of consistency of approach to data collection across Europe, particularly in the field of internet communications, was hampering the fight against crime, including international terrorism. The effect of the Regulations, which come into force today, is that the data retention principles which already apply to telecoms providers under the Data Retention (EC Directive) Regulations 2007 will now also apply to internet providers. As well as retaining the communications data, the internet service provider must afford access to particular data where they are required to do so by law (regulation 7). They must also abide by certain principles relating to the protection and security of the data (regulation 6).
Month: April 2009
Recruiting the iPod generation
In an article in today’s Financial Times, Benjamin Akande of Webster University talks about the “iPoders” – the generation born between 1982 and 2000. He describes a generation of technology addicts, using the internet as its first resort for information-gathering, and nurturing personal relationships through social networking and twittering. According to Akande, as it enters the workforce this cohort will be looking for organisations that share its appetite for technological innovation.
One issue that Akande doesn’t discuss is how iPoders view their personal privacy. How will they react if their technology-aware future employers treat Facebook and MySpace as a legitimate part of pre-recruitment due diligence? It’s often suggested that today’s 20-somethings are deeply relaxed about information privacy. A more realistic view may be that, as early adopters of social networking technology, they are learning the hard way about the implications of putting personal information online. In 2007, Oxford University students were outraged when photographs on Facebook were used in order to crack down on post-exam celebrations.
At the same time, employers need to be cautious about googling their job applicants. For instance, interview panels know not to ask questions about any plans for starting a family. But what if one of the interviewers finds out information of this kind, from his online researches into the candidates? Unless the information is wholly disregarded, there is an obvious risk of a discrimination claim if the candidate is rejected.
A suitable case for recruitment
Information law overlaps with employment law in two main ways, in relation to employment vetting and employment monitoring. Broadly speaking vetting is about the enquiries that an employer can make before recruitment, and monitoring is about checking on the performance and behavior of existing employees.
The legal framework for employment vetting is changing radically, as the Safeguarding Vulnerable Groups Act 2006 is brought into force. The Act implements the Bichard Report, which followed an inquiry into the notorious 2002 Soham murders. It establishes a new vetting and barring scheme for those working with children or vulnerable adults, to be operated by a statutory body called the Independent Safeguarding Authority (ISA).
With effect from 20th January 2009, the ISA was given responsibility for decision-making under the 3 existing employment barring lists: the education list, (popularly known as “List 99”), the PoCA list (for those working with children) and the PoVa list (for those working with vulnerable adults). As from 12th October 2009 these 3 lists will be replaced by two new lists introduced by section 2 of the 2006 Act and maintained by the ISA – the children’s barred list and the adults’ barred list. Employers, social services and professional regulators will have a duty to share information with the ISA. From July 2010, new entrants to roles working with vulnerable groups and those switching jobs within the sector will be able to register with the ISA, and employers will be able to check registration status online. The legal requirement for new entrants and those moving jobs to register with the ISA, and for employers to check on their status, will come into force by November 2010. The intention is to bring the whole of the existing workforce into the scheme by 2015.
I will be delivering a paper about employment vetting at the Local Government Group conference on 29th April, and the paper will be available on 11KBW’s website after the conference. For consideration of whether the existing PoVA list is compatible with articles 6 and 8 of the European Convention on Human Rights, see R (ota Wright) v Secretary of State [2009] UKHL 3. For the timetable for implementing the 2006 Act, see here and here.