


How Consent forms and Data Protection Laws come in the way of Academic Verifications.



Why is there a need to make educational qualifications a public record? Image: Pixabay

If you are an employer and trying to hire, be careful, as résumé fraud is rampant. Some candidates are tempted to fake their academic qualifications when applying for a position that requires a certain degree. They think it’s okay to lie a little about their experience or qualifications.

The question is why are candidates lying about their qualifications even though they are aware that they may be verified?

While most take their chances, some are aware that their qualifications cannot be verified without their consent, and it is also a fact that most employers don’t verify qualifications. Also, an employer cannot make an offer of employment that is dependent upon consent, or embed in an employment contract a consent clause permitting verification. Consent is something that needs to be given freely.

The requirement of consent to verify qualifications or background is true if the candidate has a degree from a foreign country.

Data privacy acts in many countries in Europe, and in countries such as the USA and India, prohibit educational institutions from disclosing education records without students’ consent.

How is consent defined in the Data Privacy Act of EU?

Article 4(11) of the GDPR defines consent as:

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

It means that the consent must be specific, unambiguous and freely given by the candidate agreeing to the processing of his or her personal data. It may be difficult for employers and organizations to show freely given consent for background screening.

It is imperative to obtain an individual’s consent to verify their personal data or conduct any form of background screening. The GDPR also permits individuals to withdraw consent at any given time during the background screening process and even object to the process.

Regulations on background screening and verifications can vary from one country to another and any violation of these regulations could result in serious repercussions. A legitimate verification request should include the inquiry data and proper evidence of consent.

For example, GDPR, which has an extraterritorial application, mandates that when personal data of EU residents is transferred to non-EU countries, these nations have to provide data protection. GDPR applies to any data/information collected while the individual was in the EU, regardless of their current nationality or location.




Any violation of the regulation can invite huge fines. Companies will have to follow the local as well as the global laws for compliance.

A survey revealed that in India, 41% of job applicants are untruthful about their educational qualifications.  The resumes were either embellished with false experiences or fabricated with fake qualifications.

Some candidates may not have a proper degree as they might have purchased these degrees from fraudulent companies known as diploma mills. They are mostly websites calling themselves Universities or Institutes. They have no courses, no campus, and no professors. They are mostly unaccredited and not recognized by any legitimate accreditation authority. It is very difficult to conduct a background screening in such cases as these companies offer free verification service for their students as part of the deal.

In 2015, the New York Times reported on a global network of bogus institutions consisting of 3,300 fake universities that sold fake certificates for all kinds of degrees all over the world. It was estimated to be a billion-dollar industry.

While the process of verification by employers has its challenges, verification of the educational qualifications of any person other than an employee is even more difficult.

To understand the concept of ‘consent’ and ‘data protection’ in this context, let’s imagine this scenario.

Anita runs a non-profit organization in India offering public healthcare services and training. Anita claims to have a degree  from a reputed University in the UK. However, the work of her organization, her training, and experience do not convince John, who is a recipient of the services. He doubts her credentials and does not believe that she is a subject expert. John grows suspicious of her qualifications and decides to verify if Anita was actually awarded a degree or not. John is not wrong in suspecting Anita as there are many cases where CEOs of top companies and some eminent academicians had faked their degrees in the past.

John writes to the University in the UK seeking information on Anita’s degree, providing them with all her details including her full name, date of birth and the name of the degree.

This is the reply John gets from the University upon receiving the request.


“Dear John,

We are unable to process your request for information on ‘Anita’. Before we can confirm any details regarding ‘Anita’ I will need to receive a signed declaration of consent from the individual, giving us permission to share any details we may have regarding her. We will not be able to release any information regarding past students without their consent. This is in accordance with the Data Protection Act/GDPR which we must comply with.”


Now, if John’s suspicion was right and Anita is a fraud lying about her qualification, then her consent will be difficult to obtain.

Given that Anita had publicly announced her qualification and wished to be known by her qualifications, why does the university treat this information as confidential? John did not ask for date of birth, address, mark sheets, or any potentially sensitive data such as race, religion, marital status, credit or financial data.

All John wanted to know was whether Anita was awarded the degree or not. The details of a person’s degree are a matter of public record and the University should consider providing the information in all cases except where individuals have specifically requested for their personal information to be kept confidential.

EU General Data Protection Regulation (GDPR)


EU General Data Protection Regulation (GDPR)  is designed to provide one set of data protection rules for all companies operating in Europe and protect all EU citizens’ data privacy. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

Let’s first understand the concept of ‘personal data’ in the given context.

GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

As per the regulation, ‘Personal data’ is information that relates to an ‘identified’ or ‘identifiable’ individual.

When a student applies to study at the University they provide the University with some personal data. The University is obligated to collect and process personal data in a fair and transparent manner. They cannot divulge any information unless there is written consent from the student or in the case of a legal requirement such as a police investigation.

If any person seeks data about a student, he should provide evidence that the student has given explicit written consent to the verification request prior to submission of the inquiry. The university reserves the right to refuse to process a verification request where sufficient evidence of the consent of the student has not been provided.

Going back to Anita’s case, it is relatively straightforward to determine whether the information ‘relates to’ an ‘identified’ or an ‘identifiable’ person, given that John had given all the details pertaining to her.

If Anita has no connection with the university and the university is not bound by the regulation to protect her information, then they can straightaway declare that Anita was not a student of the university and therefore no degree was awarded.

Anita’s details cannot be personal data if she cannot be identified as a student of the university. However, if there are many individuals with the same name, then there can be grounds to withhold information. But in this case, John had submitted other details such as gender, address, work details, date of birth, phone number, etc. which are more than sufficient to identify the individual.

Let’s say Anita was a student and was in fact awarded a degree. Her explicit public announcement of her qualification on social media and her company website could have been used as consent to confirm the same.

But is the university checking to see if the information relates to an ‘identified’ or ‘identifiable’ person? Maybe not, as they prefer to play it safe fearing the draconian fines that can be imposed as penalties under GDPR for breach of data.

Background Screening Regulation in the USA

Background checks are also regulated by the Fair Credit Reporting Act (FCRA) guidelines. FCRA requires the company to notify the candidate of any background check it wants to perform. The notice should clearly explain that the background checks will be used for hiring purposes. Employers should obtain signed consent for performing the background check before initiating the process.


The Family Educational Rights and Privacy Act (FERPA) in the USA

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law in the USA that protects the privacy of student education records.

The National Student Clearinghouse (NSC), which was founded in 1993, maintains records of more than 130 million students from 3,400 different colleges and universities. Any third party can contact the NSC directly to inquire about educational qualifications, such as whether or not a particular student graduated from a particular University. However, as per FERPA, the third party, such as the employer or any other requester, must have the student’s prior written consent for NSC to provide this information. Disclosing any education records without the student’s consent is strictly prohibited under FERPA. Similar to the GDPR, students have the option to withdraw consent during the process.

The Personal Data Protection Bill, 2018 in India.

India has The Personal Data Protection Bill (2018) which has provisions similar to the GDPR and the FERPA.

The bill is likely to be passed by the Parliament soon. Under this bill, an exemption to obtaining the consent of the data principal for processing their data has been granted for certain employment-related matters, subject to some conditions. But records of educational qualifications continue to be denied without the students’ consent, although the Central Information Commission has held that educational qualifications are public documents and every member of the public can have access to them. There are few Universities that openly display the academic awards and achievements of their students on their website.

National Academic Depository (NAD) is an initiative of the Indian Government to provide an online storehouse of all academic awards. The NAD is a digital repository of all academic awards, viz. certificates, diplomas, degrees, mark-sheets, etc. Student consent is required to verify these academic records except in cases like verification sought by statutory bodies/constitutional bodies/investigating agencies during the course of any investigation.

It is important to exclude educational qualifications from consent clauses in data privacy acts. Whether it’s a parent wanting to verify the educational qualifications of his child’s school teacher or a consumer wanting to verify the credentials of a nutritionist, access to such information should be easy.






(The views expressed by the author in the article are his own)


