A (gentle) introduction to data privacy regulations for IO Practitioners

In previous articles, we’ve mentioned the growing importance of data privacy and security initiatives such as the General Data Protection Regulation (GDPR) and the Protection of Personal Information (POPI) acts. In response to scandals like the Cambridge Analytica debacle, the world has become more aware of the dangers of loosely applied (or absent) regulations regarding personal information.

At their roots, data privacy acts are there to ensure that individuals know when, how and why data about them will be collected, and to what use such data will be put. Privacy acts like GDPR wants full disclosure to be given to individuals so they can, in turn give informed consent (or not) for their personal data to be collected and used.

With the application of such acts, IO Practitioners will be working in a new environment of data privacy that will ensure greater protection of consumers’ personal information and concomitantly severe penalties for businesses that do not comply.

Of course, veteran IO Psychologists are familiar with keeping personal information safe. In the old days, such information was often stored in an actual safe! But in a digital world, the definitions of data, protection, and what is considered truly “safe” are far more complex.

In this brief introduction to the topic, we will clarify some of this complexity and hopefully empower you to navigate the data privacy landscape with greater confidence.

Data control versus processing.

A critical distinction that most data privacy legislation holds dear is that of data controllers and data processors. This potentially confusing distinction has important consequences for IO Practitioners working with assessment data on behalf of their clients. Here are the basics:

  • Data controllers are the people or organisations who initiate the collection on data. They also determine the ultimate purpose that the data will be used for. Controllers assume primary responsibility for data privacy and security.
  • Data processors are people or organisations who (sometimes) collect and process data on behalf of data controllers. They determine the technical aspects of collecting data. Although processors don’t have primary responsibility for data privacy and processing, they are liable for breaches of privacy and security regulations.

What does this mean for IO Practitioners?

Put simply, most IO Practitioners and consultancies are both data controllers and data processors. Why?

Client companies are always data controllers. They initiated the collection of assessment data and will determine the ultimate use of the data (e.g. informing their selection decisions).

But for IO Practitioners, things are a bit more complex. We have a dual role:

1.     We collect and process assessment data on behalf of our clients (i.e. data processors). In this regard, we are processors because we handle the technical aspects of data collection (e.g. sending online assessment links, candidate instructions, etc).

2.     But to the extent that we decide on the actual assessments used, the way we interpret the data, and the methods of making recommendations, we act as data controllers in respect to providing assessment reports.

A common misconception is that there can only be one data controller and one data processor. But this is not the case. The roles of controller and processor depend on what we do with data at various stages of data collection. So at different points along this process, IO Practitioners can wear both controller and processor hats.

An example

So, in a typical assessment situation, an IO Psychology consultant is commissioned by a client company to conduct selection assessments on a pool of candidates. In this context, the client company is acting as a data controller. The client company controls the ultimate purpose of the data, in this case to inform their talent decisions.

When the IO Psychologist accepts this task and sends assessment links to candidates, they act as data processor. When they design the assessment battery, formulate the assessment strategy, interpret the results and make recommendations however,  they are acting as data controllers.

Protecting privacy and security of data

Since IO Practitioners act as both processors and controllers of data, we’ll look at each role’s respective responsibilities separately.

As data processors, we have a primary responsibility to our clients (the data controllers) as well as candidates regarding the following:

  • Only processing data as instructed and only when these instructions comply with data privacy regulations. For instance, IO Consultants cannot use the data they gain from assessments for their own gain (i.e. passing it on to recruitment companies) without the explicit permission from their clients.
  • In addition, we are obligated to inform our clients when an instruction they have given us infringes on data privacy. So, if a client instructs an IO Practitioner to publish private information (a candidate’s name and assessment results) in the public domain without the consent of the candidate, we have to object.
  • We are also obligated to take sufficient measures, based on international best practices, to secure data. This includes digital security as well as backups of data and disaster recovery. As an example, an IO Practitioner who keeps assessment data on her personal laptop without any password protection or hardware encryption may well be liable for data breaches that originate from that device.
  • When we use third-party companies to help us process or collect data (such as product vendors), we need to ensure that they are also compliant with data privacy regulations and will need to share liability with them if there are any data breaches. So if an IO Psychologist uses an unsecured website built by another vendor and a data leak occurs, the Psychologist will be liable along with that website’s owner.

Additional considerations

There are other, more nuanced aspects to what we’ve covered above. For instance, there are questions around when product vendors, not the consultants who use them, may also act as data controllers.

In addition, we haven’t tackled the key issue of what kinds of information is considered sensitive and thus covered by privacy regulations. In future articles in this series, we’ll discuss these important concepts fully.

Next time, we’ll be covering these and other key concepts in the world of data privacy. Until then!


If you’re interested in TTS’s services and solutions, why not drop us a line at: info@tts-talent.com