In 2010, Oxfam aid workers were stationed in Haiti after the devastating earthquake left millions of people homeless. A year later, Oxfam was made aware of allegations that some of its aid workers had used prostitutes in Haiti whilst working on the relief effort. Oxfam, one of the UK’s largest charities, dismissed four members of staff and 3 others resigned while under investigation. This included the former Haiti Country Chief, Roland van Hauwermeiren.
There is no doubt that the behaviour of some Oxfam staff was inexcusable, and the case rightly brought to public attention the need to prioritise safeguarding. The Deputy Chief Executive of Oxfam resigned when the scandal broke in the media and the organisation pledged to increase the resources dedicated to safeguarding. The Department for International Development also announced they would introduce new standards that all aid organisations would be required to comply with.
In all the media attention, one of the main points of criticism of Oxfam in this case was that staff, who had admitted to wrongdoing, were able to go on and work for other agencies in the sector. For example, Roland van Hauwermeiren went on to work as Action Against Hunger’s Country Director in Bangladesh from 2012 to 2014, a charity which reported that ‘they received no information regarding the inappropriate and unethical behaviours of Roland van Hauwermeiren when he was with Oxfam in Haiti nor any warning on the risks of employing him’. As a result the Government ordered Oxfam to provide the Charity Commission with files on the implicated staff.
Many organisations have safeguarding responsibilities, or requirements that mean that their employees must meet certain criteria to ensure that their business activity is safeguarded. As a result, it is important we all understand those responsibilities and how to execute our duties while complying with the GDPR. What we must remember is that the GDPR doesn’t say that you are not permitted to hold personal data, but that the onus is on organisations to be able to demonstrate why it is necessary to keep information. So, for safeguarding purposes for example, if you are clear about your reason for retaining data then you can retain it. But what the Oxfam case shows is that keeping data and how you keep data is only half of the issue.
Oxfam came under fire for not sharing information about their former employees. So can we share data under the new regulations and if we can, what data can we share and who with?
Under the GDPR, the legal basis for providing a reference, for example, is likely to be consent, i.e. that the individual has consented to the data being processed. In practice this means that we need to check our referencing policies and procedures to ensure that, before we give a reference about a former employee to a prospective employer, we can evidence express consent to do so. Not having consent is likely to mean that information is being shared unlawfully. This consent will still be needed where the information is considered fundamental to the running of a business or the principles of safeguarding, even where sharing information could prevent or reduce the risk of harm to vulnerable adults and children.
So what if an employee who is considered to pose a safeguarding risk refuses consent for a reference?
Firstly, it is still perfectly acceptable for an employer to withdraw an offer of a role without acceptable references. It is highly recommended that all organisations consider carefully the process of seeking references and only offer to employees who are able to demonstrate a clear history of employment, even when safeguarding is not relevant to their activity. This is just good practice: even where safeguarding has not been an issue, taking a chance on a candidate without references can, at the very least, result in months of poor performance or conduct procedures, both during and after probation, that could so easily have been avoided.
Secondly, as employers we must not forget our responsibilities to report concerns where they are in the public interest, such as reporting safeguarding concerns. By doing so we take the focus away from referencing and ensure that the Disclosure and Barring Service is able to provide up-to-date information to prospective employers. Where such data may be shared in this way by your organisation, it is essential that this is clearly stated in your employee Privacy Notice.
Ultimately, it is imperative that we don’t allow history to repeat itself. We all need to take on our bit of responsibility for keeping the sectors that we operate in safe and professional. Individuals who breach our universal and reasonable standards, which are in place to protect jobs, livelihoods and, most of all, those who need protection the most, need to know that they will be held to account.
In relation to GDPR, it is clear that information sharing is going to be increasingly challenging as we interpret and bed in the new standards. But as long as we remember to clearly define how and why we retain and share people’s data, we will still be able to uphold our duty and find the right balance between compliance with Data Protection law, protecting our organisations and, above all, safeguarding vulnerable people.