Pre Employment Screening & Validation Services

1D Mereworth Business centre,
Hermitage Farm, Danns Lane,
Wateringbury, Kent. ME18 5LW

Tel: 01622 817580
Fax: 01622 813675

Secure Screening Logins

Applicant Login

Client Login

Everybody Talks: Data Protection and Social Media

Processing personal data under the Data Protection Act

In the UK, the DPA gives people rights in relation to their personal information and creates obligations on individuals and organisations that handle such data.

In particular, the DPA imposes obligations on “data controllers”, defined as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are to be processed”. Responsibilities of a data controller include taking reasonable steps to ensure the accuracy of personal data. This applies in particular to personal data which is presented as a “matter of fact”, for example a post recording someone’s date of birth. Expressions of opinion are not covered. Stricter requirements may apply for sensitive information such as an individual’s ethnic background, criminal records, and religious beliefs.

A business which operates an online forum or social media site to which people upload their personal data will generally be a data controller. Likewise, a business which uses social media for its business purposes (such as running brand-related Facebook pages) will also be deemed to be a data controller and will need to comply with the DPA in relation to personal data controlled by it. Facebook, in particular, has rules on running promotions through its site which specifically provide that people entering the promotion are providing their personal data to the promoter, not to Facebook (see here), which suggests that Facebook’s position is that brand-owners are the data controllers in respect of personal data uploaded to Facebook brand pages.
The “domestic purposes exemption”

The ICO guidance focuses on the “domestic purposes exemption”. The exemption essentially provides that, where an individual processes personal data for the purposes of their personal, family or household affairs, that act is not caught by the DPA. Individuals’ use of social networking sites for personal reasons is therefore not subject to the DPA. However, the ICO clearly states that the domestic purposes exemption only applies to individuals, so an organisation using social media can never rely on it. Likewise, an individual who processes personal data through social media to run a business as a sole trader is also not within the exemption and therefore is in principle subject to the DPA.

One key difficulty, as highlighted by the ICO in its guidance, is where social media are used for both domestic and non-domestic purposes. It gives the example of people in the public eye who use their social media accounts for personal, family and recreational purposes, and to promote their business interests by raising their public profile. In such cases, the ICO’s view is that the key issue is the purpose behind the processing. Processing personal data for business purposes, even by an individual, will not be within the domestic purposes exemption.
User-generated content

A particular difficulty arises where individuals using a social networking site provide personal data about third parties. Who is responsible for the accuracy of such personal data?

The ICO again considers that the purpose of the processing is key. Individuals who have posted personal data whilst acting in a personal capacity, no matter how unfair, derogatory or distressing the posts may be are exempted from the DPA. The ICO confirmed in its guidance that it will not consider complaints made against individuals in such a case.

However, where an organisation or an individual processes the inaccurate data for non-domestic purposes, even if that personal data originated from a third party user, that organisation or individual will have a duty to take reasonable steps to check the accuracy of any personal data that is posted on their site by third parties. What constitutes “reasonable steps” varies from case to case. Where there are high volumes of user-generated content, the guidance accepts that the website operator would not need to check every individual post. In that case, reasonable steps could include having a clear and prominent social media policy about acceptable and non-acceptable posts, having procedures for data subject to dispute the accuracy of post and request their removal, and responding to disputes about accuracy quickly.

However other scenarios, particularly where children are the primary users of the site, may require the data controller to monitor and edit posts submitted on its online forum actively. Given the changing data protection landscape and the case-by-case approach taken by the ICO, it is suggested that organisations which make use of social networking sites as part of their marketing activity consider whether they require legal advice at the outset on the potential scope of their obligations as a data controller.

Current News

Supreme Court rejects government appeal on criminal records scheme

Man acquitted of rape loses Supreme Court criminal check case

Criminal record check for Tier 2 UK migrants

New guidance for job applicants implemented in drug and alcohol workplace policy

Right to work checks: Extended criminal liabilities for employers

Criminal Records Checks "Arbitrary" and Unlawful

The Emergence of Continuous Screening: Moving Background Screening From Pre-hire Problem Identification to a Threat Management Tool that Helps to Mitigate Risk

FINRA’s New Background Investigation Rule

Woman Sentenced To Prison For Fingerprint Fraud

Everybody Talks: Data Protection and Social Media

DBS filtering on criminal record certificates

UK financial regulation overhauled

The City's new watchdogs: what you need to know

Employment law 2013: progress on reform

What changes to criminal record checks are coming into effect from September 2012?

Olympic security chaos: depth of G4S security crisis revealed

Yahoo CEO steps down after CV embarrassment

Get Out of My Face(book)! When Pre-Employment Screening Goes Too Far

Social Media use: Issues for employers

Employment Law reforms announced

Court of Appeal guidance on references

Anti-bribery and corruption laws - an international guide

Loss of 26,000 housing records highlights poor state of UK data protection

UK Bribery Act Guidance: Muddy[ing] the Waters

Fake identities makes couple thousands

CBI calls for lower taxes in an 'all-action' Budget

HSBC bats down talk of a move to Hong Kong as it 'prefers the City'

Police chief 'lied on CV'

Radical shake-up of the Criminal Record regime and vetting and barring scheme.

Extra Pay Disclosure for the Four Largest Banks - More to Follow for Other Large Banks?

Workplace Disputes and Employer’s Charter

Comprehensive Spending Review: Job cuts 'will create new North/South divide'

Employment Law changes on 1st October 2010

FSA-Changes to the Remuneration Code

Financial sector pay - the latest instalment

Employment Law under the New Coalition Government

Employment Changes from April 2010

Proposed Reduction of the Gender Pay Gap at European Level

Jefferson Hunt Limited joins International membership of NAPBS (National Association of Professional Background Screeners)

Fraud: honesty is the best policy

CV lies and interview technique | The Apprentice

Pre-employment screening as a critical risk-management tool

Exposed: the fakers behind the CV masks

Industry Quotes

“more than 7.5 million of Britain's 25.3 million working population have misled their potential employer while applying for a job.”

Mori .

Quote of the Week

“"Real difficulties can be overcome. It is only the imaginary ones that are unconquerable. " .”
Theodore N. Vail

Industry Sectors

Screening Levels

Criminal Records Bureau Logo which links to CRB site National Association of Professional Background Screeners
© Copyright 2017 JH Ltd   Tel: 01622 817580   Email:

Site Map     Privacy Policy     Terms & Conditions