Skip to main content

Data protection and recruitment

Contents

Our consultation on this draft guidance is now closed. The final version will be published in due course.

In detail

How do we use information about candidates fairly during the recruitment process?

It’s important that you collect and use information about candidates in ways that are fair and proportionate. You must:

  • be clear about what information you are collecting and how you will use it for recruitment purposes; and
  • only collect information that is relevant and necessary for recruitment. For example, you may need to ask candidates about their academic qualifications and previous work experience, but not whether they have dependants or not.

You should ensure that decision-makers are not presented with irrelevant information about the candidate before they make their decision.

Example

An organisation’s online application form automatically assigns a reference number to each candidate. Two staff members screen the application forms to remove irrelevant personal details, such as the candidate’s name, contact details and equality information. They then send the information about their qualifications and work experience to decision-makers for shortlisting.

It’s important to consider when to ask for certain information. You should:

  • avoid asking for personal information at the start of the recruitment process if you don’t need it until later on. For example, if you only need a copy of the successful candidate’s degree certificate, it’s not fair to ask all candidates to provide this; and
  • carefully consider whether it’s fair to get information about candidates from other sources. In most circumstances, it is only appropriate to vet the candidate who is offered the job.

In general, you should not use information:

  • in ways the candidate would not reasonably expect;
  • which you have not told them about; or
  • which may have adverse effects for them.

However, if you use a candidate’s information to decide not to shortlist them for a job, this is fair, reasonable, and not unexpected, even though they may view it as an adverse effect.

How do we use information about candidates lawfully during the recruitment process?

You must identify a lawful basis in order to lawfully collect and use information for recruitment purposes. There are six to choose from. You must identify the lawful basis that is appropriate for each type of processing activity you intend to do at each stage of the recruitment process, and which reflects the context and nature of the information.

In each case, you must determine your lawful basis before you begin your processing, and document it.

Using information lawfully also means that you don’t do anything with candidates’ recruitment information which would potentially breach other laws. For example, you must ensure that you do not breach a duty of confidence, other legislation, or regulations you are required to comply with.

Below we set out the lawful bases that are most likely to apply when you are using candidates’ information for recruitment purposes.

What lawful bases might apply if we want to process candidates’ information?

Below we’ve listed some of the lawful bases most relevant to recruitment, and explained when they may apply. We’ve also explained when it may not be appropriate to rely on a specific lawful basis for processing candidates’ information.

Legitimate interests

You can rely on this basis if the processing is necessary for your legitimate interests or the interests of a third party. However, you cannot rely on this basis if the need to protect the candidate’s interests, rights and freedoms outweighs those legitimate interests.

This basis is likely to be relevant in many recruitment contexts. For example:

  • collecting and reviewing information on application forms or CVs;
  • shortlisting candidates;
  • collecting new information at interview;
  • collecting information at assessments; and
  • verifying candidates.

You should carry out a legitimate interests assessment if you plan to rely on this basis.

Example

A charity has selected a number of candidates to interview for a public-facing role. As part of the selection process, it decides to do manual searches of candidates’ public social media profiles, to ensure that it does not employ someone whose behaviour is inconsistent with the values of the organisation, or would compromise the person’s ability to do their job.

The charity has informed candidates that public social media checks will be used as part of the recruitment and selection process. Candidates will be asked about their social media use at interview, and have an opportunity to answer questions or address concerns. The charity relies on legitimate interests to carry out this processing. It applies the three-part test:

  1. The charity has a legitimate interest in ensuring that a candidate’s public persona does not compromise its values or work, and that the person they employ is suitable and capable of doing the job.
  2. It is necessary to screen the candidate’s public social media use, as the role is public-facing and their public social media profile is relevant.
  3. The processing may carry high impacts as it may prevent someone from being employed. However, the charity depends on both public and private funding, and it considers the extent to which it needs to take these steps to safeguard its reputation and ensure that those it employs respect and uphold its values. The charity must decide whether, on balance, the checks are necessary and proportionate, taking into account all the circumstances.

You are not required to carry out a separate legitimate interests assessment for each candidate, as long as your reasons for processing information about each candidate are the same, and the information they provide is broadly similar in nature.

Example

A call centre receives a large number of applications for vacancies. It decides to shortlist candidates on the basis of legitimate interests. It carries out a general legitimate interests assessment for this processing and considers the following points:

  • The candidates have been asked to provide similar information about their qualifications, experience, and contact details.
  • It is necessary to shortlist candidates to carry out an effective recruitment exercise.
  • The call centre applies the same criteria in reviewing each application.
  • This process benefits candidates and the organisation.
  • The candidates have a right to know if they have been shortlisted or not.
  • Some candidates will be eliminated from the process and can no longer be considered for the role. However, this is a necessary and foreseeable part of the recruitment process. It will not prevent the eliminated candidates from applying for future roles with the organisation and therefore the impact is minimal.

However, this basis is unlikely to be relevant if you are using the information in ways the candidate might not reasonably expect or you are under a legal obligation to process the information.

Further reading

Consent

You can rely on a candidate’s consent to process their information if:

  • their consent is freely given and unambiguous;
  • they have complete control over their information;
  • their consent includes an affirmative action;
  • their consent is specific and granular; and
  • they can withdraw their consent at any time without detriment.

An affirmative action means that a candidate expressly consents to you using their information for a specified purpose. This means they need to ‘opt in’ to the processing. For example, by ticking a box to say they expressly agree to you using their information for a particular purpose. However, just because a candidate submits an application form for a vacancy, does not mean they have given their express consent to you using their information – even if you think it’s obvious they want to be considered for a particular vacancy.

Consent needs to be specific and granular, which means that you must obtain a candidate’s separate consent for each processing activity. Candidates may feel that they have no choice but to give you consent in order to be considered for a job. As there is likely to be an imbalance of power between the candidate and the employer or recruiter, consent is unlikely to be an appropriate lawful basis to use at most stages of the recruitment process.

You must not rely on consent unless you are confident that you can show that it was freely given.

You must not rely on consent in order to consider a candidate for multiple roles, or future roles, as their consent will not be specific, granular and informed. This means that it’s unlikely that recruitment agencies will be able to rely on a candidate’s consent for processing their personal information in such circumstances. Instead, recruitment agencies are most likely to rely on the legitimate interests basis.

You must make it easy for a person to withdraw their consent. If a person withdraws their consent, they will also withdraw from the recruitment process. This is a reasonable outcome, and not unexpected or unduly detrimental.

However, you should not rely on consent if you would process the information anyway, using another lawful basis, or if relying on consent would be misleading or unfair.

Example

A bank makes a conditional job offer subject to receiving the following from the candidate:

  • a clear criminal records check; and
  • evidence of their right to work in the UK.

It’s not appropriate for the bank to rely on consent for this vetting and screening. This is because it needs to carry out these checks before the candidate starts work. Even if the candidate refuses to give consent, the bank will use another lawful basis to process this information.

Contract

You can rely on this basis if using the candidate’s information is necessary:

  • to perform a contract of employment; or
  • because the candidate has asked you to take specific steps before entering into a contract of employment (eg they have accepted your job offer).

In the context of recruitment you can only rely on this basis once you have made the candidate a conditional or unconditional job offer and they have accepted your offer. This is the case, even if they have not yet entered into the contract. In this guidance, we refer to this as the ‘pre-contractual stage’.

Therefore, you should not rely on this basis at the earlier stages of the recruitment process to shortlist, test, or interview candidates.

As an employer, you may only rely on this basis if processing the candidate’s information is necessary to enter into a contract with them. This means it needs to be a targeted and proportionate means of achieving your objective in the recruitment process. This might be the case if you require evidence of a candidate’s academic or professional qualifications once you have made them a conditional offer of employment and they have accepted your offer.

Example

Following a successful interview, a candidate receives a provisional offer for a specialist role within an IT firm, which they accept. The firm relies on the contract lawful basis to obtain evidence of the candidate’s degree and professional IT qualifications at the pre-contractual stage, with the intention of entering into a contract of employment with them once these documents have been verified.

However, if the contract does not occur or the candidate changes their mind and no longer wishes to accept the job offer, you must immediately stop processing the information.

This lawful basis is unlikely to be appropriate for the majority of the recruitment and selection process, and you may need to carefully consider whether another lawful basis may be more appropriate in the circumstances.

As a recruiter, you may rely on this basis for processing if:

  • you have a contract in place with the candidate; and
  • that contract clearly sets out that you will process personal information for the purposes of fulfilling your obligations under the contract.

Example

A recruitment agency is used by an events company to find temporary festival staff. It identifies and shortlists relevant candidates for the temporary positions.

Although successful candidates undertake work for the events company, they are directly employed by the agency. The agency is responsible for recording the hours worked by each temporary staff member and paying their weekly wages.

Once all successful candidates accept the offer of temporary festival work, they enter into a temporary working contract with the agency. The agency relies on the contract lawful basis in order to fulfil the terms of their contract with candidates, which include paying each person directly for the hours they have worked for the events company.

Legal obligation

This basis applies if the processing is necessary for you to comply with the law. You can rely on this basis where you are processing a candidate’s information to comply with a common law or statutory obligation. You should have a clear basis in law for the processing.

It may be relevant when:

  • carrying out right to work checks on people before employing them, to ensure that they are legally entitled to work in the UK;
  • carrying out enhanced vetting checks on social workers; or
  • you need to recruit more people from ethnic minorities to comply with your statutory equality duties, provided that there is a legal basis for the processing (eg section 149 of the Equality Act 2010, the Fair Employment and Treatment (Northern Ireland) Order 1998, or section 75 of the Northern Ireland Act 1998)).

You must not rely on this basis if you have discretion over whether or not to carry out the processing, or there is another reasonable way to comply.

Public task

You may rely on this basis for recruitment if the processing is necessary for you to perform a task in the public interest or for your official functions. You must have a clear basis in law for the task or function.

Public task often relates to a public authority’s discretionary powers. It may be relevant where you need to recruit more people from ethnic minorities to comply with your statutory equality duties (although you can also rely on legal obligation – see the above section).

What special category conditions might apply?

You are likely to use special category information for recruitment in order to carry out:

  • reasonable adjustments at any stage of the process (eg designing an accessible application form, or providing an accessible testing or interview room);
  • equality monitoring;
  • pre-employment vetting (where required); and
  • fitness to work checks.

Special category data is personal information revealing or concerning:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data (where used for identification or authentication purposes);
  • health or disability;
  • sex life; or
  • sexual orientation.

It needs more protection because it is sensitive and the risks of harm to the person from its inappropriate disclosure or use are likely to be higher. In particular, if this impacts a person’s right to work or be considered for a specific vacancy.

If you are processing special category information, you must have a special category condition as well as a lawful basis. There are 10 conditions for processing special category data to choose from. For five of these, you must meet additional conditions and safeguards set out in Schedule 1 of the DPA 2018. You may also be required to carry out a data protection impact assessment (DPIA) before you begin.

Remember that you must determine your special category condition before you begin the processing. You must document your decision, along with your lawful basis.

It may also be possible for you to infer or guess details about a candidate that fall within the special categories of information during the recruitment process. For example, you may be able to infer a candidate’s race or ethnic background from the information they have provided to you within a job application form. Where such an inference is being made about a candidate, you are processing special category information. This is the case whether your inference about a candidate is correct or not. You must therefore have a special category condition, as well as a lawful basis for the processing.

In certain circumstances, you may capture special category information incidentally, when you’re not planning to collect it. If you are likely to capture special category information, you should identify a condition to cover this.

Appropriate policy document and safeguards

Some of the conditions require you to have an appropriate policy document in place and also apply the following safeguards to protect the person’s rights and freedoms:

  • Keep the appropriate policy document from the time you begin processing the personal information under this condition until six months after you stop using it (you must then destroy or anonymise the information).
  • For as long as you retain the appropriate policy document, you must review and update it, as required, and provide a copy to the ICO on request.

Below we discuss some of special category conditions most relevant to recruitment (and explain when you are required to have an appropriate policy document and safeguards):

Explicit consent

You can only rely on this condition if candidates have full control and choice over the processing. Explicit consent is not specifically defined in data protection law but is similar to the lawful basis of consent. To rely on this condition, you must ensure that:

  • candidates affirm their explicit consent in a clear statement (whether written or oral);
  • you have specified the nature of the special category information you are using (eg whether this relates to health, race, or a number of categories); and
  • it is separate from any other consents you seek.

You must give candidates a genuine choice to give you their special category information, with no negative impact (either actual or perceived) if they choose not to. It may be helpful to refer to the earlier section on consent which explains why consent has limited use in the recruitment process.

While there may be some limited circumstances where this condition can apply, you should not collect special category information in the course of the recruitment process unless you can show that it is absolutely necessary.

Example

A construction company needs to ensure that the people it employs are fit to work. However, it doesn’t need this information in order to shortlist, assess or interview candidates. In fact, the employer only requires this information from the successful candidate. Therefore it would be unreasonable to ask each candidate to supply medical evidence to prove they are fit to work during the recruitment process.

The employer explains on the application form that it will collect this information from the successful candidate after they have made them a conditional offer.

Employment, social security and social protection (if authorised by law)

You can rely on this condition if you need to process the information to comply with employment law or social security and social protection law. You must identify the legal obligation or right, either by referring to the specific legal provision or by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, you could refer to a government website or industry guidance that explains generally applicable employment obligations or rights.

If you are relying on this condition, you must also meet the associated condition set out in Part 1 of Schedule 1 of the DPA 2018. This condition requires you to have an appropriate policy document and safeguards in place.

For example, if your right to work checks are likely to capture special category information, you must select a special category condition. You can rely on the Employment, social security and social protection condition as you are processing the information to fulfil an obligation set out in law.

This condition does not cover processing to meet purely contractual employment rights or obligations. For example, entering into an employment contract with the candidate.

Information manifestly made public by the candidate

Data protection law provides that you may use special category information about people if it is clear that the person has willingly and deliberately made this information publicly available. For example, by regularly blogging about it. However, just because a candidate has deliberately made their special category information publicly available does not mean it’s fair or lawful to use it for recruitment purposes. Candidates are unlikely to expect you to use their information in this way.

Example

A retailer checks a candidate’s public social media profile when deciding whether they are suitable for a marketing job. It discovers that the candidate has a disability. The candidate blogs frequently about living with their disability to try and improve understanding of their condition and help others.

As the candidate has clearly made this information about themselves public, this condition applies. However, the retailer must still comply with the data protection principles, and it would be unfair for them to use this information to decide if the candidate is suitable for the role. The candidate shared this information to help improve awareness about living with a disability and will not expect the retailer to use it to decide whether they are suitable for a vacancy.

You should not make assumptions about a person’s suitability for a particular role based on their special category information (eg their race, political views, sexual orientation, or gender). This is the case even if the person has deliberately made this information publicly available. However, if you consider this information to be significantly relevant to the role you are recruiting for, you can still use it as long as you do so fairly. For example, by giving candidates an opportunity to explain or comment at interview. For more details, see the chapter on Shortlisting, testing and interviewing candidates.

If you actively need to recruit people with protected characteristics to address unfairness or underrepresentation within your organisation, you should follow your existing recruitment processes. For example, by asking candidates to provide equality monitoring information. You should not rely on this condition for using special category information you find online to make recruitment decisions about candidates. This is the case even if the candidate has deliberately and clearly made this information publicly available. You may still be in breach of the fairness principle if you use information irresponsibly and where it is clearly inappropriate. For example, where it may have detrimental impacts or exploit a person at risk of disadvantage or harm.

Substantial public interest

This condition may be relevant if the processing is:

  • required on grounds of substantial public interest;
  • based on UK law; and
  • proportionate to the aim you want to achieve.

If you rely on this, you must have specific measures in place to safeguard the person’s fundamental rights and interests. This means you must have an appropriate policy document and safeguards in place. Read the earlier section of this guidance which gives more detail about putting in place an appropriate policy document and safeguards.

The relevant basis in UK law is set out in section 10(3) of the DPA 2018. This means you must meet one of 23 substantial public interest conditions set out in Schedule 1 (at paragraphs 6 to 28).

Any of these substantial public interest conditions may be relevant in the context of recruitment. However, two of them are particularly relevant, and we discuss them in more detail below. They are:

  • equality of opportunity or treatment; and
  • racial and ethnic diversity at a senior level in organisations.

Equality of opportunity or treatment

This condition is met if you’re using information that is necessary for monitoring equality of opportunity or treatment of candidates in the following categories:

  • people of different racial or ethnic origins;
  • people holding different religious or philosophical beliefs;
  • people with different states of physical or mental health; or
  • people of different sexual orientation.

You can only use this information for promoting or maintaining equality of opportunity between the above groups. This means that you can ask candidates to provide you with their special category information, as long as you tell them what you will use it for. For example, you could ask candidates to provide equality monitoring information in response to a recruitment campaign to ensure that your workplace is fair.

However, the equality of opportunity or treatment condition does not apply if:

  • your processing relates to decisions or measures about a particular person;
  • your processing is likely to cause substantial damage or substantial distress to any person; or
  • a person gives you notice not to use their information or to stop using their information within a reasonable time period.

    You must have another lawful basis and special category condition to be able to take action where, for example, your monitoring reveals discrimination about one person. In these circumstances, you may rely on the employment, social security and social protection condition instead.

Racial and ethnic diversity at a senior level in organisations

This condition allows you to use information about a person’s race or ethnicity, in particular circumstances, for the purpose of recruiting ethnically diverse people for senior roles. It applies only where the processing is:

  • about information concerning race or ethnicity;
  • carried out as part of a process of identifying suitable people to hold senior roles; and
  • necessary to promote or maintain racial or ethnic diversity at senior levels in organisations.

Senior roles can include:

  • senior managers (those who make organisational or managerial decisions);
  • directors;
  • company secretaries; or
  • partners.

This condition means that, where necessary, you may take into account information about a candidate’s race or ethnicity for the purpose of recruiting enough ethnically diverse people into senior roles, even if you don’t have their consent. However, you must not use this information for any other purpose.

Do we need to tell candidates about how we are using their information?

Data protection law requires transparency. Candidates have a right to be informed about how you use their information. This is called privacy information. You must provide them with certain details including:

  • your purposes for processing;
  • how long you will keep their information; and
  • who you will share it with.

You must provide privacy information at the time you collect personal information from the candidate. For example, in your job advert or in your application form.

You must provide candidates with privacy information within a reasonable period, and no later than within one month, if you obtain personal information about them from other sources.

If you receive anonymised information about a candidate from a recruiter, you must give them your privacy information before you collect their personal information.

If you receive information about a candidate but you do not wish to consider them for a vacancy (eg where a candidate or a recruitment agency provides a CV), you must delete their information as soon as possible.

You must provide these details even if you think it’s obvious how you will use the person’s information. You can satisfy this requirement by including a link to your privacy information.

Depending on the nature of the role, you may need to provide further information to candidates. For example:

  • where special checks are required (eg safeguarding, disclosure of spent convictions);
  • the circumstances in which it may be an offence to apply for certain roles (eg where a person is on the childrens’ barred list);
  • your verification and vetting procedures, including at what stage this will be carried out; or
  • whether and when you will seek information from third parties, in addition to references the candidate has provided.

You must tell candidates how long you will keep their information for, including whether you plan to keep it to consider them for future vacancies. If you’re not able to tell them this, you must at least be able to tell them what criteria you will use in deciding how long to keep their information for.

You should not use the person’s information in ways they would not reasonably expect. If you plan to use their information for reasons not linked to recruitment, you must inform them and have a lawful basis for your processing.

If you are using automated decision-making and profiling, there are additional rules about what privacy information you must provide. This is covered in our chapter on Automated decision-making and profiling for recruitment and selection.

What do we need to tell candidates if we are a recruiter?

In general, if employers use a recruiter to find potential candidates, the recruiter is responsible for advertising the vacancy, not the employer.

If you are a recruiter acting on behalf of an employer, you must provide your name and contact details, and explain how you use and disclose the personal information you receive, even if you consider this to be self-evident.

You are not required to provide the name and contact details of the employer at the beginning of the recruitment process. However, you must inform any candidates about the employer’s identity as soon as reasonably practicable, if their applications are to be pursued further by the employer. Or, at the latest, when the employer first obtains the personal information.

You must limit any candidate information you disclose to an employer to what is relevant to the recruitment decision being made at that particular stage in the process.

If you have not provided an employer’s identity to the candidate, you should only send anonymised candidate information to the employer.

Further reading

Do we have to explain our purpose for using candidates’ information?

Yes, you must be clear about what you will use candidates’ information for from the start. You should document and keep a record of this, and keep candidates informed.

It’s likely that your main purpose for collecting and using candidates’ information is to consider them for a specific vacancy. You should only collect the information you need for this purpose.

In some circumstances, you may wish to keep information about candidates to consider them for future vacancies. However, you should not keep information about candidates ‘just in case’ you might use it, or because you might decide to recruit more workers in future. You should only keep candidates’ information if this is fair. This means that you:

  • genuinely intend to use the information;
  • informed candidates about this; and
  • explained how long you will keep their information for.

Example

An accountancy firm receives a large number of applications for three vacancies. However, it plans to recruit more staff within the next six months, although it is not sure how many yet. The firm decides to keep information about the highest scoring candidates who have been unsuccessful this time because it is reasonably certain that it will recruit some or all of them in the future.

The firm documents this purpose as part of their business plan and explains this to candidates from the start of the recruitment exercise. It also explains that it will only keep the candidates’ information for six months.

Example

A recruitment agency advertises an administrative assistant job role on behalf of a client organisation. The agency receives a large number of applications.

Whilst the agency recommends the majority of these applications to the client, it considers that several candidates would be more suitable for other roles it is currently recruiting for.

If the agency wishes to use certain candidate applications for other roles, it must have a clear lawful basis for this processing when it initially collected this information. It must also include this lawful basis in its privacy notice.

Alternatively, the agency could seek the consent of candidates prior to additionally processing their applications for a different purpose.

However, if your purposes change over time, or you want to use the candidates’ information for a new purpose which you did not originally anticipate, you can only do this if:

  • your new purpose is compatible with your original recruitment purpose;
  • you get the candidate’s specific consent for the new purpose; or
  • you can point to a clear legal provision which requires or allows you to use the information in the public interest.

‘Compatible’ means that the new purpose is strongly linked or related in some way to your original purpose. However, the new purpose is not compatible with the original purpose if it is not related to your original purpose.

Example

A local authority wants to use the personal information it obtained during its recruitment exercise to research the types of candidates who make applications to it. This research will help the authority comply with its equality duties. This new purpose is fundamentally different and therefore not compatible with the original purpose. In addition, candidates are unlikely to expect the local authority to use their information in this way when they applied for a role.

If you are required to use candidates’ information to comply with a legal obligation, you must explain this in your privacy information. For example, if your organisation is part of a regulated sector, such as financial services or the solicitor’s profession, you may have a duty to report fraud (eg identity theft or money laundering).

Example

In the course of verifying a candidate’s information, a bank suspects that this particular candidate has provided false documents and is using another person’s identity. The bank has a legal obligation to report crimes of this nature to the police and has explained this in its privacy notice.

In most cases, you should not seek the consent of a candidate to use their recruitment information for a new purpose.

Further reading

How do we limit how much information we collect during the recruitment process?

You must not collect more information than you need to achieve your purpose. When collecting information for recruitment, you should tailor your application forms to ensure that candidates only provide the information you need. You could also make it clear what information you don’t need them to provide. See the section Information provided by candidates.

You should only collect information from candidates when you need to. This means that it’s better to avoid collecting information from all candidates at the start of the recruitment process, if you only need this information from the candidate you eventually appoint. For example, as a recruiter, you are unlikely to need copies of a candidate’s academic or professional qualifications until they have accepted a provisional job offer from the employer.

Further reading

How do we keep candidates’ information accurate and up-to-date?

You must take all reasonable steps to ensure the personal information you collect for recruitment purposes is not incorrect or misleading as to any matter of fact. You must keep candidates’ information accurate and up-to-date. For example, if a candidate’s contact details change, you must update your records. You could provide candidates with a contact on the application form in case they need to update their details.

If you discover that the information you have is incorrect or misleading, you must take steps to rectify or erase it as soon as possible. You must carefully consider any challenges made to the accuracy of the personal information. However, it may not be fair to change or erase a candidate’s information once they have provided it for recruitment purposes.

If a candidate mistakenly provides incorrect information about their work experience or qualifications, it may not be appropriate to rectify this information where this would impact the fairness of the recruitment process.

Example

A hospital is running a recruitment campaign for typists. It asks candidates to return their application forms by 8 March and makes it clear that late responses, or information provided after the closing date will not be considered.

The hospital receives a large number of responses by 8 March. On 10 March, one of the candidates contacts the hospital and informs it that some of the details they provided on their application form were inaccurate. In particular, they tell the hospital that they forgot to include their most recent typing qualification and used the wrong start date for their current job. They ask for these to be amended.

The hospital decides that it would be unfair to other candidates to allow someone to submit additional details in support of their application after the closing date. So it doesn’t include the candidate’s most recent typing qualification.

However, the hospital think it’s important that the panel know when the candidate started their current job. It attaches a note to the application form, stating that the candidate informed them on 10 March that they mistakenly entered the wrong date on the application form, and asked to correct this. The hospital are confident that this does not impact the overall fairness of the recruitment process.

If you obtain information from third-party sources, it’s important that you’re confident that these sources are reliable. You should ensure that candidates can explain or challenge any information that may not be accurate. For example, information you obtain about the candidate on their public social media profiles.

Further reading

How do we keep candidates’ information secure?

You must have appropriate organisational and technical measures in place to manage risk, and protect any personal information you collect during the recruitment and selection process. This means that you should:

  • assess the security risks;
  • collect information in a way that ensures security (eg by having a secure online application system or ensuring that candidates can securely send their information using encrypted emails);
  • restrict access to only those staff who require access to the information for recruitment and selection purposes, and ensure they are appropriately trained;
  • store hard copies of information in locked cabinets and electronic information in secure drives;
  • delete information securely and permanently in line with your retention and disposal schedule; and
  • anonymise information securely and permanently.

How long can we keep candidates’ information?

Please refer to the separate chapter in this guidance on Keeping recruitment records.

Do we need to make reasonable adjustments in the recruitment process?

Yes, you must ensure that each stage of your recruitment process is fully accessible for disabled people.

  • You must make your application forms available in different formats, such as large print, audio formats, email or Braille. However, if a person needs particular consideration given their circumstances, you must accommodate them.
  • If you invite candidates to attend a test, assessment centre or interview, you must ensure that the test itself and the systems used to access it, as well as the premises, are fully accessible. For example, by interviewing a person who uses a wheelchair in a wheelchair accessible room.
  • If there is a risk of discrimination, you must mitigate the risk or avoid using the software or algorithms. For example, an AI assessed video interview may discriminate against someone with a speech impairment. You should do an in-person interview instead.
  • What is a reasonable adjustment will depend on someone’s specific needs and you must be certain about exactly what reasonable adjustments are required. If you are unsure, you should communicate with the person to check (eg by speaking to them).

If someone thinks you have failed to make a reasonable adjustment, they can make a claim under the Equality Act 2010, the Disability Discrimination Act 1995 (NI) or the Fair Employment and Treatment (NI) Order 1998.

Further information about your legal obligations and how to make effective reasonable adjustments is available from the Equality and Human Rights Commission or from the Equality Commission for Northern Ireland.

Can we transfer candidates’ information internationally?

Data protection law restricts the transfer of personal information to countries based outside the UK or to international organisations.

If you want to transfer information about candidates to other branches of your organisation based outside of the UK, this will not be a restricted transfer. The transfer restrictions only apply if you are sending personal information outside your company or organisation. However, if you do want to send candidate information to your branches based outside of the UK, you must:

  • inform the candidate that you want to do this and explain why it is necessary; and
  • have a lawful basis for making the transfer and a condition for processing, if this involves special category information.

If you use a third-party processor based outside the UK, the rules on international transfers apply.

Further reading

When do we need to carry out a Data protection impact assessment (DPIA) for recruitment purposes?

DPIAs are an essential accountability tool. Completing a DPIA will help you to identify and minimise the risks of any recruitment activity you might plan.

You must carry out a DPIA before undertaking any processing likely to result in a high risk to candidates’ interests, rights and freedoms. For recruitment, this may include:

  • using systematic and extensive profiling with significant effects (eg using recruitment tools to profile candidates or predict behaviour);
  • using innovative technology (eg using automated decision-making or profiling or AI to help you make recruitment decisions);
  • processing special category or criminal offence information on a large scale; or
  • collecting personal information from sources other than the candidate, without providing them with privacy information.

It’s unlikely that you would process special category or criminal offence information on a large scale for recruitment purposes. You are only likely to need this information from the candidate who is appointed, so you should only collect this information from the successful candidate at the end of the process. You must minimise the amount of personal information you collect. However, you should consider doing a DPIA if you are processing criminal conviction information or other highly sensitive information, including about candidates at risk of disadvantage, even if this isn’t large-scale.

Even if there is no specific indication of likely high risk, you should do a DPIA for any new recruitment project which involves using personal information. While you are not required to do a DPIA for every recruitment campaign, you must do so if you have changed your processes in ways that are likely to result in a high risk to candidates. For example, if you decide to use AI software to help you make recruitment decisions about candidates. If your recruitment processes change, you must review and update your DPIA accordingly.

If you have carried out a DPIA which identifies high risk that you cannot reduce, you must consult us before going ahead with the processing.

Further reading

What rights do candidates have over their information?

Candidates can exercise certain rights over the information you hold about them. These are set out below:

Right of access

Candidates can make a subject access request (SAR) for their personal information. They are entitled to access and receive a copy of their information, including any outcomes or results relating to them at all stages of the recruitment process. If you receive a SAR you should consider the following:

  • Did you obtain the information directly from the candidate? This does not mean they already have a copy of it (eg they may request a copy of their online application form if they do not have this). However, it’s helpful to ask the candidate to clarify what information they want and to check whether they already have the information you hold.
  • Did you obtain information from other sources (and not directly from the candidate)? If so, you must provide this information unless you can rely on an exemption (eg if a reference has been provided in confidence, you are not required to disclose it).
  • Does the information relate to both the candidate making the request and other people (eg other candidates or your staff)? If so, you should carefully consider the circumstances in deciding whether you can disclose the information.

Right to rectification

You must rectify inaccurate personal information about candidates and complete any incomplete personal information you hold about them when you become aware of the inaccuracy, or they request this.

This right applies at any stage before, during or after the recruitment process. You should have systems in place which allow you to amend or change information at any stage in the recruitment process.

However, candidates are responsible for ensuring that the information they provide for recruitment purposes is accurate. If a candidate has provided inaccurate information on their application form and asks you to amend it, it may not be appropriate to comply if this would impact the fairness of the recruitment process. However, you must still consider any request for rectification carefully. For example, it may be appropriate to update a candidate’s contact details. See the above section, How do we keep candidates' information accurate and up-to-date?

If you have made a factual error, this is something that you must rectify. However, if the candidate disagrees with your opinion or decision, it is sufficient to note their concerns and the fact they disagree. If they wish to appeal any decision, they can use your normal procedure as outlined in your recruitment policy.

Example

A recruitment agency is asked to conduct initial stage candidate interviews on behalf of a client organisation. The agency agrees to make notes on each candidate interview and provide these to the client once all interviews are completed.

A candidate subsequently requests a copy of their interview notes from the agency. As they disagree with some of its contents, the candidate requests that the agency amends a section of the interview notes to reflect their recollection of events.

After reviewing the disputed section of the candidate’s interview notes, the agency is satisfied that the information is accurate. This is because the contents reflect the opinion of the interviewer at the time of writing.

The agency informs the candidate that they are satisfied the interview notes are accurate and that they will not be amending the information. However, the agency agrees to add a note to the record to explain where the candidate disagrees with its content as a matter of good practice.

Further reading

Right to erasure (the right to be forgotten)

People have a right to ask you to delete the information you hold about them. This is not an absolute right, and only applies in certain circumstances.

If a candidate asks you to erase certain information about them, this may mean that you can no longer consider them for the role they have applied for. You should explain this to them first and check if they are happy for you to proceed.

Further reading

Right to restrict processing

People have a right to restrict the processing of their information in certain circumstances. This means they can ask you to limit the use of their information, where they have a particular reason for wanting the restriction.

Example

A member of staff wants to apply for an internal vacancy. However, as they were involved in a personal dispute with an interview panelist’s personal assistant a number of months ago, they have asked that this person does not have access to their personal information.

Right to object

Candidates have a right to object to how you are using their information. This means they can ask you to stop using their information altogether. Candidates can only object to the processing if you are relying on either public task or legitimate interests to process their information.

You may refuse to comply with their request, although it’s unlikely that you would continue to process information for recruitment purposes if the candidate has objected. This may also mean that the candidate is withdrawn from the recruitment process.

Candidates have the absolute right to object to you using their information for direct marketing purposes, including profiling for these purposes. In the context of recruitment, this is likely to mean sending adverts directly to them as part of a recruitment campaign, or profiling people to decide if they get sent the advertising. If a person objects to this, you must stop using their information for these purposes.

Example

A recruitment agency has been tasked with advertising a number of IT specialist roles on behalf of a client organisation.

Using its current database of job seekers who have previously opted-in to receive job alerts, the agency searches for people with relevant IT experience using an automated filtering system. The agency uses this same system to group together and contact people that are deemed likely to be interested in or suitable for the roles.

In this case, the agency’s act of grouping people together using partly-automated means to make a decision about whether to send them the job advert constitutes profiling.

Over the coming days, the agency receives requests from a number of those people objecting to its use of their information for direct marketing purposes.

The agency must comply with their objections to its direct marketing. However, the agency should put their details onto a suppression list rather than deleting them. This will allow the agency to check against this list to avoid using their information for future direct marketing purposes (including profiling) in error.

The agency may still be able to retain certain information about these people if it has a lawful basis for doing so and this complies with its established retention policies and procedures. However, if upon review the agency no longer requires this information, it must fully anonymise it (eg if required for statistical purposes only) or securely delete it in line with its retention policy.

Rights related to automated decision-making including profiling

We explore in detail how these rights work in the context of recruitment and selection in the section Automated decision-making and profiling for recruitment and selection.