Data protection during recruitment: top 10 tips for managers


Author: Helen Burgess

Throughout the employment relationship employers process their employees' personal data. At every stage, employers' compliance with the Data Protection Act 1998 is critical, but all too easy to get wrong.

Complying with the Data Protection Act ("DPA") is increasingly a concern for employers, as failure to do so brings the prospect of negative publicity and, ultimately, significant fines.

In this article, we suggest 10 "Top Tips" for dealing with personal data during the recruitment process.


Personal data is defined as information which relates to a living person where that person can be identified from the data either alone or in conjunction with other data held by the employer. So, in the context of recruitment, a completed application form is likely to constitute personal data.

Some documents used during the recruitment process (e.g. medical questionnaires, interview notes) may also contain "sensitive personal data". This is information which relates, for example, to the person's race, religion, political views, health information etc. Such data, because of its nature, attracts a higher level of protection and must be handled with particular care.

The DPA requires all types of personal data to be processed fairly and lawfully in accordance with the requirements of the legislation.

Like employees, job applicants can make a "subject access request" under the DPA and are entitled to find out what personal data a prospective employer holds about them and to receive a copy. The prospective employer must also state the purposes for which the applicant's data is being processed and to whom the information may be disclosed.

Top 10 Tips for recruitment

With this in mind, how should employers process personal data received during the recruitment process to ensure that they are complying with the DPA?

  1. Explain in the job advertisement or application form how an applicant's personal data will be processed. Set out clearly whether information such as CVs and application forms from unsuccessful applicants will be retained for future recruitment processes or shared within the wider group. Make sure applicants are given the opportunity to request that their details are removed altogether.
  2. Use appropriate security measures for online application forms / CVs submitted electronically so only those involved in the recruitment process and who need to see them can access them.
  3. Ensure any questions in application forms are relevant and tailored to the specific job. For example, only request information on criminal convictions where this is relevant and necessary for the role. Information collected should not be excessive.
  4. Do not request any sensitive personal data at the outset of the application process, unless this is used for the purpose of equal opportunities monitoring (see below). This information is not normally needed to reach a recruitment decision. If any sensitive personal data is requested, keep it separate from the application form so that the interviewing manager does not have access to it.
  5. Where possible, anonymise any sensitive personal data gathered during the recruitment process, so that it ceases to fall under the definition of "personal data".
  6. Consider introducing equal opportunities monitoring for applicants. This is a requirement for public authorities, but may also be useful for private companies to demonstrate compliance with equality laws. Be aware that this information is likely to be sensitive personal data and so will require the applicant's consent to collect and use it (unless the information is anonymised). Make it clear that this information is not required for any ongoing employment relationship.
  7. Adopt a clear policy for retaining / disposing of unsuccessful or unsolicited applicants' CVs. If a letter of acknowledgment is sent to the applicant, let them know their application will be kept on file for a certain period of time and will not be disclosed to any third parties without their consent.
  8. Where possible, do not keep recruitment records for longer than 6 months after the recruitment exercise. The statutory period during which an unsuccessful applicant may bring a discrimination claim arising from the recruitment process is 3 months, but the tribunal can extend this period in exceptional circumstances, hence the longer recommended retention period. In relation to successful applicants, do not retain information from their application form which has no bearing on the ongoing employment relationship.
  9. Delete any information about successful applicants' criminal convictions collected during the recruitment phase once this has been verified by the CRB. You only need to keep a record of whether a CRB check had a satisfactory or unsatisfactory result.
  10. Keep notes during the recruitment process (e.g. during interviews) but be aware that these notes may constitute personal data and would be disclosable to an applicant as part of a subject access request.