The devil is in the e-mail
The banks themselves were already paranoid about the dangers, and their concern has spread to the recruitment process. From now on, anyone who wants to rubbish an unsatisfactory candidate should do it on an unrecorded telephone line.
This is the message investment banks are sending out to their own staff and the recruitment firms that find their employees. Martin Armstrong, founding partner of headhunter Armstrong International, says the need for caution is being strongly impressed upon recruiters.
"Banks are saying 'be very careful what you write about people'. There is a sense that writing robust views on weak candidates in e-mails could result in recriminations."
US banks are particularly sensitive to the dangers, says Armstrong. Thanks to the famously incriminating e-mails sent by Merrill Lynch analyst Henry Blodget, in which he rubbished stocks he was publicly recommending, US firms have lost their naivety when it comes to electronic communication. Their fears now extend to e-mails about almost any subject.
The guidelines that Citigroup issues to employees are typical: "Messages should be concise and directed to those individuals with a need to know." Employees are also reminded that messages could be used in legal actions against Citigroup. Internal e-mails are likely to be relevant in current US investigations into allegations that the bank allocated IPO stocks to investment banking clients.
In the US, matters are made worse by the fact that e-mails must remain accessible long after they were sent. The Self Regulatory-Organisation rules, which are enforced by the Securities and Exchange Commission, say that organisations must keep all business communications - both internal and external - for a minimum of three years. There is no such provision in the UK, but equally disturbing from an employers' perspective is the 1998 Data Protection Act (DPA), which came fully into force last October. This gives employees the right to read all personal data that an employer is storing on them.
Peter Carey, author of Data Protection in the UK and a consultant at solicitors Charles Russell, says that the DPA gives employees access to casually dispatched e-mails concerning them, just as much as to information that has been deliberately stored.
The full implications of the DPA have yet to be felt. But it is already causing concern. The head of human resources at one bank said: "The whole thing is a source of very real problems. People can have access to their files and can see everything that is written there. It's a very sensitive subject."
Individuals are catching on to their new rights. A recruitment executive at another bank said a number of people had already asked to look at their files. As a result, unfavourable comments are now being made by word of mouth instead of being written down. "It's only sensible to do everything on an unrecorded telephone line. E-mails are a smoking gun," the recruiter said. Banks appear particularly concerned about litigation resulting from the DPA. A survey undertaken by Zebra, a recruitment consultancy, found that 53% of employers in the financial services sector felt exposed to legal challenges.
Katrina Hale, a consultant at Zebra working as an interim recruitment manager at stockbroker E*Trade, says the new law is revolutionising the way recruitment is managed. Not only are subjective e-mails concerning candidates best avoided, but so too are thoughtless remarks written on paper by hiring managers. Even if a candidate is not hired, they now have a right to see all notes made about them. Hastily scribbled comments about a candidate's gender or race, for example, could have damaging consequences.
To escape this problem, Hale says that employees are being encouraged to take responsibility for providing personal information. "The application process is moving towards candidates filling out detailed forms themselves. This way, personal information is provided in their own words," she says. Computerised forms have the added advantage of enabling organisations to systematically purge information stored, which is also a requirement of the DPA.
Under the DPA, employers have up to 40 days in which to provide candidates with copies of personal data. If suspected pejorative e-mails or other data are missing, employees are able to complain to the Information Commissioner, an independent authority set up by the UK government. Last month, the commissioner promised to take a tougher line with non-compliant firms.
It is easy to see why this is proving something of a problem for employees. Carey says that many employment tribunal cases based on evidence retrieved as a result of the DPA are in the pipeline. A human resources manager adds: "We're just treading water and hoping that we're not doing too much damage."