The Finnish Data Ombudsman ruled in November that employers can not use information on their current employees or prospective hires which is obtained by using Internet search engines, such as Google or Yahoo. Employers must collect employee’s personal information primarily from the employee; use of other sources assumes consent from the employee. The Ombudsman’s decision may make life more difficult for HR personnel, as employers may not even check the reliability of a job applicant’s CV from publicly available sources on the Internet without first obtaining the applicant’s permission.
The Ombudsman’s statement was given in response to a job applicant’s complaint that an employer had used a five-year old news group discussion found on the Internet against the applicant. In the news group discussion, the applicant claimed to be mentally unstable. The applicant was not aware how the news group discussion ended up on the Internet.
Under the Protection of Privacy in Working Life Act, an employer may collect information on its employees or job applicants primarily from the employees or job applicants themselves. If "other sources" are used, consent from the employee or job applicant must be obtained. Such "other sources" also include data networks like the Internet. If the employee or applicant does not give his or her consent, the employer may obtain such data without permission only if a) the data is "directly necessary" for the purpose of employment and b) the data is needed for the purposes of evaluating the employee’s or job applicant’s reliability. However, not every job entitles the employer to obtain personal data without the employees consent. Such jobs include only those where employees are responsible for employers’ assets or the employment requires particular reliability, such as positions in airports or nuclear power plants. In all cases, the employer must notify the employee in advance that personal data will be obtained from external sources. Further, before any data is used as a basis for the employer’s decisions, such data must be presented to the employee. Deliberate violation of the Protection of Privacy in Working Life Act is punishable by a fine or imprisonment up to one year.
The Ombudsman also noted that information obtained from the Internet is not necessarily reliable and, as such, does not meet the general requirements of good data processing practices set forth in the Data Protection Act. The act provides e.g. that data processors must act diligently and must use only reliable data sources. Information on the Internet is in many cases outdated, its accuracy is not verifiable, and with respect to personal information, it is often not possible to ensure the information relates to the person in question.
It is not known whether the Data Ombudsman’s ruling has any impact outside Finland. However, privacy laws in Finland are the strictest in the EU and not many countries have specific laws on privacy in working life. Finnish law sets forth clear restrictions on the use of personal information available on public social networking sites such as LinkedIn or MySpace or information in increasingly popular blogs and IRC gallerias. Thus, although information may be found on the Internet, you may not be able to use it freely!
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
