GDPR

GDPR Analysis and Policy Statement

Last updated 9/20/2019

 

ANALYSIS TOPIC

Can Censia use legitimate interest as a lawful basis for processing of personal data aggregated from publicly available sources and provided by data enrichment services?

 

EXECUTIVE SUMMARY

Censia arguably has a legitimate interest in processing personal data aggregated from public data sources and provided by data enrichment services because Censia’s interest outweighs any potential harm to the data subjects as evidenced by the LIA below.

 

ANALYSIS

Censia Practices

Censia provides its customers with job candidate identification and evaluation tools that use data collected from job boards (such as LinkedIn), publicly available information, and data enrichment providers. When collecting data from job boards, only data that the data subject has marked as “public” is collected. Data available only to a data subject’s LinkedIn “connection,” for example, is not processed. Censia uses this data (along with other data) to generate a candidate profile that Censia shares with its customers: hiring employers. Censia does not have a direct, contractual relationship with the data subjects whose data it processes in this way.

 

Legitimate Interest under the GDPR

Under Article 6 of the GDPR, entities must have a lawful basis for processing EU personal data. One lawful basis permitted by Article 6(1)(f) is where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” Recital 47 of the GDPR provides additional guidance on legitimate interest:

  • The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate, the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could, in particular, override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.

Article 6(1)(f) essentially requires a balancing test to determine if the controller’s interest outweighs the data subject’s rights, interests, and freedoms. How to conduct such a “legitimate interest assessment” (“LIA”) is not discussed by the GDPR, but European Data Protection Authorities (such as the UK’s ICO) and prominent privacy groups have provided guidance. For example, the ICO says that legitimate interest is “likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact… if [the data subject] would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.”

The ICO states that an LIA can be broken down into a three-part test:

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the individual’s interests override the legitimate interest?

 

Legitimate Interest Assessment (“LIA”)

Censia’s Identified Interest (“Purpose Test”)

The ICO has identified the following questions as relevant for the purpose test of a legitimate interest analysis, and Censia has answered them as follows:

Why do you want to process the data – what are you trying to achieve?

Censia is processing the data in order to match the data subject with a prospective employer using its Services.

Who benefits from the processing? In what way?

The data subject benefits from processing because they can be matched with potential employers which may lead to job opportunities or career advancement. Employers benefit because the processing results in them finding candidates better tailored to their roles. Censia benefits by being able to provide its services to employers. 

Are there any wider public benefits to the processing?

Efficient candidate sourcing provides better job outcomes for those searching for employment.

How important are those benefits?

The benefits to data subjects and employers are important. For data subjects, in many cases finding career opportunities was the reason they made their personal data publicly available in the first place. With that in mind, Censia’s processing can be seen as a crucial benefit to the data subject if such processing leads to a new career opportunity.

What would the impact be if you couldn’t go ahead?

Censia would be unable to provide its services and would have no viable product. Data subjects would be less likely to receive career opportunities matched for their aptitudes as well as career opportunities in general. Employers’ hiring practices would be less efficient.

Would your use of the data be unethical or unlawful in any way?

Likely no. The personal data processed here is low risk in nature and Censia’s processing activities are non-invasive to the data subject. Ethically, Censia’s processing is identical to what recruiters and human resources professionals do on a daily basis, and those activities are seen as reasonable and expected.

 

Censia’s Necessity for Processing (“Necessity Test”)

The ICO states that for legitimate interest to be a valid basis of processing “the processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply. ‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose.”

The ICO has identified the following questions as relevant for the necessity test of a legitimate interest analysis, and Censia has answered them as follows:

Does this processing actually help to further that interest?

Censia’s processing demonstrably improves matches between data subjects and employers and leads to more and better hires. Censia has significant quantitative and qualitative evidence to support that Censia’s processing helps further the interest of better matching employers and candidates.

Is it a reasonable way to go about it?

Censia processes only personal data which significantly aid in matching a data subject with a potential employer. The data types processed (such as career and education information, contact information, work experience) are reasonably necessary for the purpose. Additional data that would not materially improve Censia’s ability to match a data subject with a potential employer is not processed.

Is there another less intrusive way to achieve the same result?

No. Censia’s services represent a significant improvement over traditional candidate recruiting and evaluation. Censia’s processing is necessary to provide the advanced services to employers that Censia provides. The processing is minimally intrusive.

 

The Rights and Interests of the Data Subjects (“Balancing Test”)

The ICO states that for legitimate interest to be a valid basis of processing “you must balance your interests against the individual’s… if they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.”

The ICO has identified the following questions as relevant for the balancing test of a legitimate interest analysis, and Censia has answered them as follows:

What is the nature of your relationship with the individual?

The data subject has made certain information available for career and other public purposes on the expectation that such information may be used by third parties for purposes like matching the data subject with employment opportunities.

Is any of the data particularly sensitive or private?

No. All data is high-level publicly available personal data, commonly available via the use of basic internet search or through public postings. The data is similar to what might be accessed by a third party recruiting or HR professional.

Would people expect you to use their data in this way?

In many cases, the data subject may even hope that data is processed by Censia so that they can be matched with a potential employer. Many data subjects made their data public in the hopes of finding a career opportunity. In other cases, data was made public by data subjects who understood that it would be available and accessible to third parties.

Are you happy to explain it to them?

Yes. Though parts of the processing are complex, the purpose and goal of the processing is not and is easily explainable to a data subject. Censia is happy to do so and is confident that the majority of data subjects would appreciate the chance at additional career opportunities.

Are some people likely to object or find it intrusive?

It is unlikely that a data subject would find it intrusive. Censia’s processing does not use data that is not widely and publicly available or data types that are more sensitive or not commonly processed by a wide range of entities. It is always possible that a data subject objects to any form of processing, but Censia believes this would be a rare data subject.

What is the possible impact on the individual?

There is very little negative impact on the individual. In most cases, individuals will not know that an employer has decided not to pursue them for a role. Even in a catastrophic data breach (which Censia has taken reasonable steps to prevent), the personal data exposed would already be available to bad actors through multiple other channels with less effort.

How big an impact might it have on them?

Any negative impact would be extremely small. It would likely amount to certain employers having high-level data about the data subject that the data subject would not have spent effort to disclose to the employer on their own, or rejection for a role that the data subject would likely not have even been identified as a possible candidate for without Censia’s services.

Are you processing children’s data?

No, and Censia has taken reasonable steps to ensure so.

Are any of the individuals vulnerable in any other way? 

Not that Censia has identified.

Can you adopt any safeguards to minimize the impact?

Censia is focused on data protection generally and has taken a variety of measures to minimize impact to data subjects such as securing processed data, data minimization, and data quality initiatives. Censia also reviews its service providers and data enrichment providers, conducting due diligence to help ensure they treat data properly.

Can you offer an opt-out?

Yes, Censia would honor all opt-out requests and would not seek exceptions to the opt-out requirement.

 

Conclusion

The LIA set forth above includes the justification for Censia’s legitimate interest processing. Censia has concluded that its legitimate interests outweigh any risk to the data subjects and thus processing is permitted on the basis of legitimate interest.