Psychometric Testing - a privacy quagmire?
Lots of organisations use psychometric testing to assess intelligence, abilities, potential and personality of their candidates and employees.
It is an established process and not one that will come as a surprise to your candidates and employees. But have you considered the privacy implications of undertaking these tests?
Firstly, what is your lawful basis under Article 6 of the GDPR?
If you are relying on consent, what alternative are you offering candidates and employees if they indicate they do not want to take the test? Is that just game over? You may be missing some excellent talent. More on consent later.
If you are relying on legitimate interest, have you done a legitimate interest assessment?
And would this need a data protection impact assessment? I’d think so. But maybe not for the reason you think. Certain regulators consider the data that is collected in these tests to be health data.
Eeeek, now what’s your Article 9 condition for processing in GDPR land? Consent perhaps? That feels right; however, hurdles still exist in demonstrating that consent was freely given in the employment context, so it must be carefully considered.
It has been a while, but let us remind ourselves what the EU’s Article 29 Working Party said about this:
"In cases where an employer says they require consent and there is a real or potentially relevant prejudice that arises from the employee not consenting (which can be highly probable in the employment context, especially when it concerns the employer tracking the behaviour of the employee over time), then the consent is not valid since it is not and cannot be freely given. Thus, for most of the cases of employees’ data processing, the legal basis of that processing cannot and should not be the consent of the employees, so a different legal basis is required".
And what are you going to do if you are a global organisation navigating the muddy waters of multiple privacy legislations? Some countries do not have legitimate interest as a lawful basis, some are more consent driven.
Oh, and one last thing (I am the Columbo of privacy this week), are you prepared to hand the report over in full to the individual? If not, then should you even be doing this?
None of the points raised are insurmountable, but just because your organisation was doing this before the GDPR* was enacted doesn’t mean you don’t have to give it a thorough privacy review.
*other privacy legislations are available
See below for links to other relevant material:
Webinar: Brexit, adequacy and international data transfers -
A federated approach to privacy and shared services -
https://www.securys.co.uk/blog/a-federated-approach-to-privacy-and-shared-services