With significant advancements in recent years, the employment verification landscape has become increasingly competitive, and employers now have a wide range of options at their disposal. However, some screening providers have evidently been tempted to deviate from the path of compliance in pursuit of efficiency and speed. While their solutions may look above board at face value, their apparent compliance is undermined on closer inspection.
More specifically, the adoption of credential accessing tools and data scraping by several organisations, particularly for accessing HMRC and payroll employment data, has raised significant legal and ethical concerns. In this article, we’ll shine a spotlight on the red flags employers can look out for, set out the risks associated with such practices, and advocate for a more secure, compliant, and efficient approach to employment verification, like Giant’s instant employment verification service.
If you suspect that your current provider may be taking this approach, or are actively looking for a fully compliant alternative, we advise employers to request a review of the candidate journey or to contact us. This is essential because employers are at risk if the candidate does not log in directly to HMRC and then provide permission for data sharing within the HMRC platform, or if candidates are being asked to select their payroll provider or enter login details.
The use of credential accessing tools involves collecting login details from applicants. Once the technology has obtained these login details, a machine mimics the digital footprint of the user, enters the login details, and then navigates the pages to scrape data. This is a practice fraught with legal and ethical pitfalls, as we’ll explore:
GDPR violations: This method directly contravenes the General Data Protection Regulation (GDPR), and the "right to portability" is misleadingly cited as a justification. The right to portability does not apply to data that isn’t generated by the individual. It also applies only to data that the individual has provided to a controller and that the controller is processing in reliance on the lawful basis of consent or performance of a contract.
Should a company be found to infringe GDPR, including the data processing principles, lawfulness of processing or the conditions of consent, it could face extremely high fines for non-compliance. At the higher level this may include:
• £17.5 million under the UK GDPR
• €20 million under the EU GDPR
• Or 4% of annual global turnover
Legal repercussions: Beyond GDPR, such practices also breach the Computer Misuse Act, incurring potential criminal liabilities for both the providers and their clients. This includes time in prison and unlimited fines, not to mention the significant legal and reputational risks to the business. Seeing, storing, or processing a user's login details, even if only for a second, is also in breach of all InfoSec best practices. It is also a potential infringement of database rights and the Data Protection Act. Users of this type of solution therefore expose both themselves and their clients to these risks.
Misrepresentation risks: Fabricating official integrations or using counterfeit branding can lead to litigation and substantial reputational damage, as evidenced by similar incidents in the United States. From what we’ve seen and heard, we know that requiring users to provide a third party with their HMRC login credentials directly breaches the terms HMRC has with taxpayers, and the same goes for employers inducing the breach. HMRC makes it very clear that individuals are not permitted to share their logins with any third party.
Against this backdrop, it's essential for companies to find the vital balance between compliance, efficiency, and innovation. With Giant’s instant employment verification service, you’ll be safe in the knowledge that you’ll always be compliant. From instant employment verification to criminal record checks, we maintain 100% compliance with local laws and global regulations, whatever the service and wherever the country.
We’re proud that our service is built on compliance and security, with user consent and authorisation at its core, setting a benchmark for the industry. We will never ask candidates for third-party login details. Instead, they log in directly with the authoritative data source, so we never see or store those details. This is a tried-and-tested approach, and on average, 85% of candidates connect at least one data source, and 90% of candidates choose to connect banking.
What also sets this service apart is that insights are combined from multiple sources, for a holistic view of employment for up to 6 years. These sources include:
1. Open Banking, which is regulated by the FCA. Users don’t share any login details and biometrics are used directly between candidates and their bank.
2. Payroll access: our service has exclusive access across UK payroll providers for pre-employment screening. Again, no login details are required and candidates aren’t asked who their payroll provider is.
3. HMRC: this is via a direct integration which is formally recognised with HMRC. Users log in to their own Government Gateway account and grant permission. No login details are shared.
It’s important to note that those currently using a service that features a credential accessing tool, or suspecting as much, will miss out on a wide range of verifiable information, including:
• Employment verification, including Job Title where Payroll is used
• Undeclared employment flags
• Discrepancies between declared employment and verified employment
• Off-payroll employment, low income work and gig work not available on HMRC
• Gap in employment verification. Not just dates, but verification on what the candidate was doing during this time using Open Banking data
• And very soon self-employment verification
Discover the transformative benefits of our Instant Employment Verification Service in our latest article. This innovative solution not only turns a process that traditionally took weeks into a matter of seconds but also addresses challenges such as moonlighting and overemployment head-on. If you haven't explored the article yet, we invite you to do so here.
In a sector where trust and reliability are the bedrock of success, our commitment to regulatory compliance and industry best practices doesn't just fulfil a legal obligation—it sets us apart in the competitive landscape.