Data Protection Considerations in Recruitment

Job applicants are data subjects and provide personal data (and frequently provide special category data (previously sensitive personal data)) to employers who, as data controllers, process that data.

Recruitment processes therefore raise several questions about the operation of the data protection legislation:

  • How does the employer deal with the personal data it receives from job applicants?
  • How does the employer conduct equal opportunities monitoring as part of a recruitment exercise?
  • What does the employer do with the information it has received at the end of a recruitment exercise?

These points are considered by the Part 1 of the Information Commissioner’s Employment Practice Code, which sets out guidance on the discharge of an employer’s obligations under the DPA with regard to recruitment and selection.

It is understood that the ICO will revise the Employment Practices Code in light of the GDPR.

Privacy Notices

Job applicants should be made aware of how the employer will process the information they supply.

This can be done in a statement in the job advertisement or by a link to a privacy notice specifically addressing job applicants.

Medical information

This type of information about candidates gained during the recruitment process will include special category data.

In most cases, it will not be necessary to ask for medical information at the application stage (save to ask if the applicant is disabled, so reasonable adjustments to facilitate attendance at interview are considered if necessary).

It is usually only at the offer stage that medical information becomes relevant so it should not be requested before that point.

In addition, employers are prohibited from asking questions about an applicant’s health in certain circumstances.

Decide what to keep

When a successful applicant is appointed the employer will need to decide what information should be transferred to the employee’s personnel file. This should be limited to information relevant to the ongoing employment relationship.

In deciding exactly how long to keep records after a recruitment exercise, employers must balance their need to keep such records to justify selection decisions with their obligations under the data protection legislation to keep personal data for no longer than necessary.

EHRC Code: guidance on document retention

Paragraph 16.46 of the EHRC Code suggests that the records that employers should keep include:

  • The job advertisement, the job description and the person specification.
  • The application forms and any supporting documentation submitted by every candidate applying for the job.
  • Records of discussions and decisions by members of the selection panel; for example, on marking standards or interview questions.
  • Notes taken by each member of the panel during interviews.
  • Each panel member’s marks at each stage of the process; for example, on the application form, any selection tests and each interview question.
  • All correspondence with the candidates.