Finding the right candidates for your organisation can be challenge.
It takes time, patience and lots of effort to trawl through countless applications and sit through interviews to find someone who meets the role’s requirements.
But complying with your data protection obligations during the recruitment process can prove even trickier. With the introduction of the GDPR earlier this year, it’s important to keep its principles firmly in mind when collecting and using candidates’ personal data during the recruitment process.
Data protection in recruitment
You may be asking for their name, contact details, professional qualifications, employment history, criminal records, national and immigration status, health records… The list can seem never-ending.
Under the GDPR, employers are required to have a lawful basis to process data. In the case of recruitment, it will be that processing of this data is necessary for the purposes of employer’s legitimate interests. This data is needed to assess their suitability for the job, carry out all the relevant checks for the role and/or comply with legal requirements.
An individual’s medical data constitutes special category data (formerly known as sensitive data). If you are processing this type of data, you need a lawful basis to process this data, for example, to comply with legal obligations and a separate condition for processing special category data, for instance, processing is required for the purposes of carrying out obligations in the field of employment law. As a general rule, do not request information unless it is absolutely necessary for the recruitment process. Contact the ICO helpline for more information.
What are the key principles employers need to keep in mind?
Personal data must be:
- processed lawfully, fairly and in a transparent way
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- adequate and relevant to what is necessary in relation to the purposes for which they are processed
- accurate
- kept only for as necessary for the purposes for which the personal data is processed
- appropriately secured.
In addition, employers must comply with an accountability principle by being able to show how the above obligations have been complied with.
Employers are required by the GDPR to inform job candidates about the personal data they handle. This would generally be done through a privacy notice. A recruitment-specific privacy note should state who collects the data, what information is gathered, how it is collected, why it is gathered, how it is used and how it may be shared. This information should be provided before data is obtained, so could be sent with an application form or contained on the employer’s application section of their website.
What are candidates’ rights in regards to data protection?
Candidates have the right to:
The right of access, commonly known as subject access, allows candidates to make a request to access a copy of the personal data that is held by their employer. They should also be provided with further details, such as the purpose of the processing, the categories of personal data concerned and with whom the data may have been shared.
This is the right to correct any data that is inaccurate. If information has been passed to third parties, they must also be informed of the rectification as soon as possible.
They may be able to ask you to delete personal data in cases where you have no good reason to continue processing it.
Candidates may object to the processing of data in some cases. If, for example, the data is processed for direct marketing purposes, the processing of their data must stop upon a request being made.
To discuss your data protection obligations in more depth, contact the ICO helpline.
