SMCR, GDPR, DPA2018 & DPIAs

Life ambition achieved! A document title with FOUR acronyms which probably mean little to most people!!!

A recent post on a Privacy forum asked about the dilemma of complying with both data protection legislation (GDPR, Data Protection Act 2018) and the Senior Managers & Certification Regime (SMCR).

The company concerned needed to balance the fitness and propriety checks required under SMCR with the need to document a lawful basis for that processing under GDPR and the Data Protection Act.

They planned to carry out DBS and credit checks, employment and business references, qualification checks, FCA register checks etc., but were also looking at social media checks and wanted to make sure it was all documented appropriately.

Instinctively, they were working from the starting point that the SMCR regime makes it all 'legal obligation' but wanted a sense check.

How do references fit under GDPR?

In this instance, checking or referencing done in relation to something directly mentioned in the Form A would put some checks and referencing under ‘legal obligation’ - i.e. processing required to comply with the law.

So which of these checks are required?

The FCA handbook says a firm should:

ask the candidate to apply for a DBS check and that the firm should have sight of it, but that this does not need to be sent to the FCA;
conduct a search of the Financial Services Register (but it does not say that a copy of that search needs to be retained);
consider whether it should take additional steps to verify any information contained in an application ... or that it takes into account in its assessment.
Unfortunately the FCA does not explicitly say the firm must obtain a credit check or employment/business references.

The Firm declaration requires the firm to confirm
on the basis of due and diligent enquiry that the candidate is a fit and proper person to perform the controlled function(s) listed in section 3. The firm also believes, on the basis of due and diligent enquiry, that the candidate is competent to fulfil the duties required in the performance of such function(s).
i.e. the FCA requires the firm to carry out appropriate checks but does not expand on what those checks may be.

Further, the FCA only reserves the right to verify the information provided by the candidate and the firm in their application – credit checks etc. may be required but do not have to be made available to the FCA on application.

So what is the lawful basis under GDPR?

The FCA will say it is up to the firm to decide what is ‘due and diligent’ taking into account common practice etc.

To comply with GDPR, the ICO will say that anything the firm does needs to have a lawful basis and be necessary and proportionate.

Social media checks are very problematic under GDPR – do you just stick to publicly available profile information or risk being accused of snooping by looking at private profiles?

Who decides what sort of social media content impinges on someone’s fitness and propriety to perform a role? Are all roles the same in this respect?

Even putting aside social media checks - an existing employee can’t freely consent to checks like these (given the imbalance of power with their employer), though a prospective employee possibly can.

This means it is likely that more than one lawful basis of processing will need to be established and documented, i.e. some checks will be under legal obligation but others will need a different basis (almost certainly not consent).

Most could potentially be argued to come under
‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;’
i.e. the employment contract, or even
‘processing is necessary for the performance of a task carried out in the public interest’.
Public interest is a big driver of the SMCR and it is law the firm (the controller) is subject to, but Part 2 – Chapter 2 – Section 8 of the DPA 2018 seems to rule that basis out here.

Another option is legitimate interest – the firm’s legitimate interest in meeting its regulatory obligations and avoiding sanction, in protecting its reputation with the public, and the legitimate interest pursued by both the firm and the FCA in protecting the public from fraudulent or criminal behaviour, dishonest or exploitative business practices etc.

This may be possible after a Legitimate Interest Assessment (LIA) which shows that the steps being taken are necessary and proportionate to the interests pursued, and are not likely to be completely unexpected on the part of the data subject.

This is a prime candidate for a documented DPIA, including consultation with staff, candidates, the FCA and the ICO.
