DATA PROTECTION COMPLIANCE REQUIREMENTS IN THE EMPLOYMENT PROCESS IN NIGERIA1

1. INTRODUCTION

In today's digital age, where technology plays a central role, protecting personal information has become a paramount concern for both individuals and organizations. Job applications are an area where this concern features prominently but is occasionally overlooked. Here, the intersection of personal data, employment decisions and legal obligations becomes highly significant. Employers, in their quest for streamlined and fast recruitment processes, increasingly turn to technology. The involvement of technology in the job application process brings forth data protection challenges that require careful attention. From the collection and processing of personal information to the safeguarding of applicants' privacy rights, employers find themselves navigating a complex landscape. This article aims to provide valuable insights and guidance to employers with respect to the lawful basis for processing, the principles guiding further processing, and automated decision-making. It delves into the intricacies of managing the delicate balance between efficient recruitment practices and ensuring data protection measures. As technology continues to advance, understanding these issues is vital for creating a recruitment process that is not only effective but also ethically and legally sound.

2. THE FRAMEWORK

The recently enacted Nigeria Data Protection Act, 2023 (NDPA) and its attendant regulations2 will serve as the legal framework for this article. Several key terms pertinent to this discourse require brief introductory explanation: automated decision-making, automated processing, data controllers, data subjects, further processing, personal data, and processing.

Automated decision-making refers to automated decisions entirely based on automated processing, without any human involvement.3 For example, if an employer uses an Applicant Tracking System (ATS) to screen job applicants and the ATS is configured to automatically accept or reject applications without human intervention, the employer is engaging in automated decision-making.

Automated processing is a processing operation that is performed technologically without any human intervention.4

Data controller is an entity that independently or in collaboration with others determines the purposes and methods for processing personal data.5 For instance, an employer who requests and collects applicants' personal data during the job application process is a data controller.

Data subject refers to anyone to whom personal data relates,6 including the applicants themselves.

Further processing is the processing of personal data for a purpose other than that for which it was initially collected.7

Personal data encompasses any information capable of directly or indirectly identifying an individual, either alone or in conjunction with other information.8 In the context of this discourse, job applicants' personal information, such as their names, photographs, email addresses, or residential addresses, qualifies as personal data since it can directly or indirectly identify the applicants.

Processing encompasses any operation or set of operations conducted on personal data, regardless of whether it involves automated procedures.9 This includes activities like data collection, utilization, organization, alteration, storage, and deletion. Therefore, even the act of collecting personal data, as simple as it seems, qualifies as data processing.

3. LAWFUL BASES FOR PROCESSING

To be lawful, personal data processing must be based on any of the six lawful bases provided by the NDPA.10 The applicable lawful bases in the context of job applications are consent of the data subject and legitimate interest of the data controller.

One might question the non-applicability of the contractual necessity basis, given the involvement of an employment contract. The contractual necessity basis has two arms. The first arm applies when the processing is necessary for the performance of a contract to which the data subject is a party. This presupposes that the data controller and the data subject have a subsisting contract between them. In the context of job applications, this is not the case. No contract exists between the applicants and the employer at the application phase. The second arm of the contractual necessity basis applies when the processing is necessary to take steps at the request of the data subject prior to entering into a contract. For this to apply, the data subject must be the one requesting the pre-contractual steps. In job applications, the employer is the one requesting the pre-contractual steps (requesting applications) before entering any contract of employment. Therefore, this arm is not applicable to job applications.

3.1 CONSENT OF THE DATA SUBJECT

Consent in data privacy is a term that may seem straightforward, yet it holds inherent complexity. According to the NDPA,11 consent is an indication that signifies a person's agreement to the processing of their own personal data or another individual's personal data, provided they have obtained permission from that other individual. It could be given orally, in writing or through a clear affirmative action.12 To be valid, it must be freely given, be specific, informed, and unambiguous.13 The data subject must also have not withdrawn consent. If consent is withdrawn, any further processing will be illegal, but processing done before withdrawal of consent remains lawful.14

Freely given consent implies that the data subject must have a genuine choice over the processing of their data. In ascertaining whether consent was freely given, the NDPA considers whether a service provided to the data subject depends on their consent to process personal data that is unnecessary for the service.15 In the context of employment applications, if an employer requires applicants to consent to processing information unrelated to the job application, and applicants agree out of fear of rejection, such consent is not freely given and runs afoul of the NDPA. For instance, if an employer requires an applicant to provide his BVN (information not needed for a job application) and the applicant provides it under pressure to avoid rejection of his application, the consent is not freely given.16 Therefore, employers must not make the processing of applications dependent on applicants consenting to processing of unnecessary data.

Consent being specific would entail that each consent granted should pertain to individualized processing activities.17 Employers can comply with this requirement by being granular when requesting consent. Consent should not be bundled. Therefore, when an employer plans to use applicants' information for purposes such as customized advertising or newsletter distribution, it is imperative to obtain consent from the applicants for each of these processing activities. This can be accomplished by configuring its consent request in a manner that allows the applicant to consent to each of those activities, ideally by ticking a checkbox.

Consent is also required to be informed, which necessitates the provision of comprehensive information to the data subject about the processing, including the purpose of the processing, the controller's identity, the processing activities, and the right to withdraw consent.18 Thus, employers should prioritize transparency by providing applicants with information about their data's intended use, their right to withdraw consent, and other pertinent details.19

Consent being unambiguous necessitates absolute clarity and indisputability, leaving no room for uncertainty regarding whether the data subject has indeed provided consent. To this end, silence and pre-ticked boxes are prohibited as acceptable forms of consent.20 This prohibition stems from the fact that remaining silent or failing to actively opt-out (untick pre-ticked boxes) does not constitute a “clear affirmative action” on the part of the data subject. Consequently, an employer must employ consent-gathering methods that clearly demonstrate affirmative action, such as requiring applicants to actively tick a box or to click on a 'submit' (opt-in) button to signify their consent.

Finally, the NDPA places the responsibility on the data controller to prove that they have obtained consent from the data subject.21 This highlights the importance of meticulous record-keeping by employers. An employer must maintain thorough and reliable documentation to demonstrate that applicants have indeed given their consent, ensuring they can readily provide evidence of consent if and when the need arises.

3.2 LEGITIMATE INTERESTS OF THE DATA CONTROLLER

This basis is applicable where the data controller intends to process personal data for its own interests or the interests of a third party to whom the data is disclosed.22 This necessitates the data controller pinpointing the legitimate interest(s) underpinning the intended processing of personal data. For instance, an employer seeking job applications naturally has legitimate interests in evaluating whether applicants meet the required qualifications, conducting background checks and ensuring they fit the job criteria. To determine if the interest pursued by the data controller is legitimate, the NDPA specifies that it must not override the fundamental rights, freedoms, and interests of the individual, it must not conflict with other lawful bases except consent and the data subject must reasonably expect their data to be processed in the intended manner.23 Therefore, employers relying on legitimate interest must conduct what has been termed “Legitimate Interest Assessment (LIA)” to confirm that their interests align with the requirements of the NDPA. If the assessment shows that the interests are not legitimate, the employer should consider relying on consent as the lawful basis.

Applying this principle to the identified legitimate interests above involves asking specific questions, such as: Does processing an applicant's personal information to assess qualifications and conduct background checks violate the applicant's fundamental rights and freedoms? Does this interest conflict with other lawful bases apart from consent? Would the applicant reasonably anticipate their personal information being used for these purposes? The answers to the first two questions are negative, while the answer to the last question is affirmative. Consequently, an employer processing applicant data for these interests can rely on legitimate interest as the lawful basis for processing.

However, if the employer intends to use the data for activities like sending newsletters or personalized advertisements, it is evident that legitimate interest as the lawful basis might not be suitable. This is because, among other reasons, an applicant would not reasonably expect the data they provided for a job application to be used for such unrelated purposes.

4. PROVISION OF INFORMATION

In line with the transparency principle, a data controller is obligated to furnish a data subject with specific information prior to the collection of their personal data directly from them. The information includes the identity, residence or place of business of, and means of communication with the data controller and its representatives, where necessary, specific lawful basis of processing under section 25(1) or 30(1) of the NDPA, and the purposes of the processing for which the personal data are intended. Others are the existence of automated decision-making, including profiling, the significance and envisaged consequences of such processing for the data subject, and the right to object to and challenge such processing.24 This information must be contained in the data controller's privacy policy.25

Thus, an employer must ensure its privacy policy captures this required information. The objective behind providing this information is to ensure that applicants are aware of how their data will be processed before giving consent (in cases where processing is consent-based) or before the processing begins (when processing is not consent-based). Hence, it is advisable to prominently display the privacy policy to applicants before they provide their personal data. For employers using platforms like "Google Form" to collect applicants' information, complying with this requirement may be challenging, if not impossible. This is because the privacy policy provided on Google Form is Google's and not the employer's, and this violates the NDPA. To rectify this, it is recommended that employers create their own forms containing their privacy policy, as stipulated by the NDPA.

Nonetheless, there is an exception to the requirement of providing information, applicable when the data subject has already been provided with the necessary information, or providing such information is impossible or would involve a disproportionate effort or expense.26 However, this exception applies only when the data controller collects personal data from a source other than the data subject.27 In the context of job applications, where applicants usually provide their data directly, this exception is unlikely to be relevant. Even if someone else provides the applicant's information on their behalf, it is typically done with the applicant's knowledge and consent.

5. FURTHER PROCESSING

So far, we have established that a data controller is obligated to inform data subjects about the intended purpose of processing their data. Furthermore, in line with the purpose limitation principle, a data controller must not process personal data in a way that is incompatible with the purposes stated prior to data collection.28 This underscores the importance of providing the data subject with all the intended processing purposes. However, recognizing the challenge of determining all processing purposes at the beginning, the NDPA allows further processing for purposes not initially indicated, provided that the further processing purpose is not incompatible with the original purpose stated before data collection.29 To ascertain the compatibility or otherwise of the further processing purpose, the NDPA30 provides that the data controller should consider the relationship between the initial purpose and the further processing purpose, the nature of the personal data concerned, the consequences of further processing, how the data has been collected and the existence of appropriate safeguards.31

In the context of job applications, if an employer intends to engage in further processing, it must evaluate the further processing purposes against the provided guidelines. If the evaluation reveals that the further processing purposes are incompatible with the initial purpose, the employer may only proceed if it informs the applicants about the further processing purposes and obtains applicants' consent.32 For example, considering the relationship between the initial purpose and the further processing purpose, an employer may use an applicant's email to send notifications of future job openings even if the applicant was not notified of this before his personal data was collected. This is because being notified of future job openings is related to the indicated purpose of assessing the applicant's qualifications for a job. However, sending the applicant emails not related to the job application will offend this requirement and will require the employer to request the applicant's consent. Alternatively, further processing is permissible if it is solely for scientific research, historical research, statistical purposes in the public interest, or if it is required to comply with a legal obligation.33 Whether this exception will apply to job applications will depend on the circumstances of each case and remains to be seen.

6. AUTOMATED DECISION-MAKING (ADM)

ADM, as previously defined in this work, refers to automated decisions entirely based on automated processing, without any human involvement. Therefore, when a data controller configures a technological system to process personal data in a manner where decisions are made without human input, they are engaging in ADM. Where the decision is one that will produce legal or similar significant effects concerning the data subject, the data subject has a right not to be subject to the ADM.34 Consequently, this right applies only when the ADM will produce legal or similar significant effects on the data subject. What is meant by “legal or similar significant effects”? The NDPA does not specify, but some guidance is provided in the Information Commissioner's Office (ICO) guide, which explains this expression as used in the United Kingdom General Data Protection Regulation. The guide explains as follows:35

“A decision producing a legal effect is something that affects a person's legal status or their legal rights. For example, when a person, in view of their profile, is entitled to a particular social benefit conferred by law, such as housing benefit. A decision that has a similarly significant effect is something that has an equivalent impact on an individual's circumstances, behaviour or choices. Other similarly significant effects include automatic refusal of an online credit application; or e-recruiting practices without human intervention.” (Underlining added)

Hence, in the context of job applications, if an employer employs an Applicant Tracking System (ATS) to screen job applications and configures the ATS to automatically accept or reject applications without human intervention, the employer is engaging in ADM. Furthermore, following the guide above, it appears that the effects of such ATS decisions fall under the category of “similar significant effects”. The point here is that an applicant whose job application may be accepted or rejected by an ATS has the right to be informed and also the right not to be subject to such a decision.

Nevertheless, this right not to be subject to ADM is not absolute and ceases to apply when the data subject has given consent to the ADM, when the ADM is necessary for entering into or performing a contract between the data subject and a data controller, or when the ADM is authorized by written law, which establishes suitable measures to protect fundamental rights and freedoms and the interests of the data subject.36 In the context of our discussion, we can rule out authorization by written law as an applicable exception. This leaves us with the data subject's consent and the necessity for entering into or performing a contract between the data subject and the data controller as the applicable exceptions.37 Thus, an employer can rely on the applicant's consent (if obtained) or the contractual necessity exception to use ATS for automatically accepting or rejecting applicants' applications.

However, even if the data subject has consented to ADM or the data controller is relying on the contractual necessity exception to engage in ADM, the data subject still retains the right to request human intervention from the data controller, express his point of view, and to contest the automated decision.38 Consequently, when an employer's ATS automatically rejects an application, the applicant has the right to contest the rejection, request a human review, and present their viewpoint.

Therefore, employers using ATS have two options. The unethical option is to conceal the use of ATS from applicants in an attempt to evade compliance with ADM-related provisions of the NDPA. However, this approach may not hold up under a thorough data protection audit and is thus not advisable. The second and ethical option is to configure the ATS in a way that it preselects applicants for acceptance or rejection. This allows a human being to assess the ATS's selections and make the final decisions. This approach eliminates the need to notify applicants of ATS usage and associated rights since ATS does not make the decision to accept or reject applications, and therefore, the employer is not engaged in ADM.

7. CONCLUSION

In conclusion, for employers in Nigeria, adherence to the NDPA is not just a legal requirement but also a fundamental ethical obligation. Balancing technological efficiency with respect for applicants' privacy rights is essential. Navigating this balance requires meticulous attention to the nuances of data protection laws, transparency with applicants and a commitment to ethical recruitment practices. As the digital space continues to evolve, employers must remain vigilant, adapting their processes to ensure they meet both legal and ethical standards in job applications. This article underscores the importance of legal compliance and data protection in job applications in Nigeria. Employers are encouraged to understand and adhere to the NDPA's provisions to create an effective and ethically sound recruitment process that respects the rights and privacy of job applicants. Compliance with these principles not only ensures legal conformity but also builds trust with potential employees in an increasingly data-driven world.39

Footnotes

1. Kelson Emmanuel, Trainee Associate, Dispute Resolution Department, S.P.A. Ajibade & Co., Lagos, Nigeria.

2. Nigeria Data Protection Regulation 2019 (NDPR), and Nigeria Data Protection Regulation 2019: Implementation Framework, 2020 (NDPR:IF).

3. See section 65 of the NDPA.

4. See https://iapp.org/resources/article/automated-processing/ accessed on 30th September, 2023.

5. See section 65 of the NDPA.

6. Ibid.

7. See Article 4.1.1 of the NDPR:IF.

8. See section 65 of the NDPA.

9. Ibid.

10. See section 25 of the NDPA.

11. Section 65.

12. See section 26(7)(b).

13. See section 65.

14. See section 26(5).

15. See section 26(2) of the NDPA.

16. This aligns with the principle of data minimization, which discourages the collection of more data than necessary for a specific processing purpose. See section 24(1)(c) of the NDPA.

17. See Article 5.2(c) of the NDPR:IF.

18. See section 27 of the NDPA.

19. See section 24(1)(a).

20. See article 5.2 of NDPR:IF & section 26(7)(a) of the NDPA.

21. See section 26(1) of the NDPA.

22. See section 25(1)(v).

23. See section 25(2).

24. See section 27(1) of the NDPA.

25. See section 27(3).

26. See section 27(2).

27. Ibid.

28. See section 24(1)(b) of the NDPA.

29. Ibid.

30. See section 24(4)(a) of the NDPA. See also, article 4.1.1 of the NDPR:IF.

31. These factors function conjunctively.

32. See articles 4.1.2(a) & 5.3.1 of the NDPR:IF.

33. See section 24(4)(b) of the NDPA and article 4.1.2(b) & (c) of the NDPR:IF.

34. See section 37(1) of the NDPA.

35. See https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/automated-decision-making-and-profiling/what-does-the-uk-gdpr-say-about-automated-decision-making-and-profiling/ accessed on 29th September 2023.

36. See section 37(2) of the NDPA.

37. The relevant arm of the contractual necessity exception pertains to the necessity for entering into a contract rather than the performance of a contract itself. This is because it is necessary for an applicant's application to be accepted by the ATS in order to enter an employment contract with the employer. It is important to distinguish this from the contractual necessity basis for data processing discussed earlier. Unlike the contractual necessity basis for processing, the NDPA does not include any provisions regarding data subjects requesting the data processing using ADM.

38. See section 37(3) of the NDPA.

39. For more information on data protection, see: Bisola Scott & Oreoluwa Adebayo, 'Data Protection Rights and Obligations in an Employer – Employee Relationship in Nigeria', available at https://spaajibade.com/data-protection-rights-and-obligations-in-an-employer-employee-relationship-in-nigeria-bisola-scott/; and Sandra Eke, 'Essential Data Privacy and Protection Policies Every Organisation Should Have', available at https://spaajibade.com/essential-data-privacy-and-protection-policies-every-organisation-in-nigeria-should-have/.
