- The Basics
- Relationship with your Recruiters
- Sourcing your data – Temporary and Permanent Roles
- Sourcing your Data – Lawful Processing Grounds
- Privacy Notice for Candidates
- What should recruiters and potential employers contain in their Privacy Notices?
- Your Individual Rights
- The UK GDPR provides the following rights for individuals:
- Retention and Erasure of Recruitment Data
- Further information
Personal data is information that relates to you as an identifiable individual.
Anyone processing your data must be transparent and fair to you: your personal data should be relevant, accurate, kept for no longer than necessary, safe and secure.
You can help by using any tools available on websites or by staying in touch to keep your data up to date and complete your preferences as to how you want to be contacted.
A data controller needs a lawful reason to process your personal data.
UK GDPR Consent must be freely given, specific, informed and unambiguous.
You also have the right to withdraw consent at any time. A data controller must then use an alternate processing ground or erase the data.
Relationship with your Recruiters
Keep your recruiters up to date with your most current CV and details.
Review your privacy settings across your social media and the job boards you use, making sure you are listed as available for roles.
In most recruitment relationships the different parties in the supply chain will all be data controllers – they all hold your data for different purposes and are not acting as subcontractors. For example, an umbrella company is your employer.
If you are an agency worker or a professional contractor you will not be the client’s data processor in a standard recruitment business relationship. You are processing their personal data on their computer systems complying with their policies and procedures. They will not transfer data to you for you to process on their behalf.
Sourcing your data – Temporary and Permanent Roles
Recruiters obtain your personal data from a number of sources:
- Direct Application – you may apply for a role or submit personal data via a job board, website or email.
- CV downloaded from a Job board – the ICO has clarified that a recruiter or potential employer can download a CV from a job board and contact you, as you have made clear by being on the site that you are interested in job roles.
- Your profile downloaded from LinkedIn or other social media – recruiters and employers can contact an individual who may be interested in a job on social media and professional networking sites, e.g. LinkedIn.
- If a recruiter or employer is not clear whether you are interested in finding a role, they may ask for your permission to contact you about roles that may be of interest to you.
Sourcing your Data – Lawful Processing Grounds
Recruiters need to rely on a lawful processing ground for all uses of personal data.
The most relevant to the recruitment sector are:
Intention to form a contract:
This can be relied on by the recruiter if you have (or are taking steps with a view to entering into) a contract with a client, e.g. you are going through an interview process.
Legitimate Business Interests:
Legitimate interests are the most flexible lawful basis for processing. These can include a recruiter’s commercial interests as they require an accurate and current database in order to introduce you to clients for roles quickly. It is likely in this situation that the lawful basis for processing for the recruitment company and their clients is legitimate interests. However, they must consider potential impacts on your rights as well.
“Just in time” consent when you are introduced to clients and permissions to represent are sensible uses of
Privacy Notice for Candidates
Recruiters should provide this to you at the time you choose to provide them with your personal data e.g. there could be a link on their website. If your personal data is taken from a publicly available source or obtained from a third party then notice must be provided within a reasonable time.
This is the earliest of:
• First communication with you;
• Or, if the personal data is to be disclosed to someone else, before it is disclosed;
• Or, one calendar month from the date the personal data was obtained.
What should recruiters and potential employers contain in their Privacy Notices?
They should explain who they are and provide a contact for you to get in touch about data privacy.
It should include the type of information collected: e.g. CV, application form, references.
Clients may also collect other personal data such as interview notes, psychology test results.
Special categories of Sensitive data – equal opportunities information, disability information, health and information on criminal convictions if appropriate to the role.
Third parties who supply information: recruiters, credit reference agencies, DBS, background checkers, referees.
They should explain how they intend to use the information.
They should explain the lawful processing grounds they are relying on for different types of processing.
They should confirm the adequacy of their data security – how they retain special categories of data and highly confidential information such as your bank details.
Retention – how long they will keep your data for.
Your Individual Rights
The UK GDPR provides the following rights for individuals:
The right to be informed: about the collection and use of your personal data. This will usually be done via a privacy notice when data is collected.
The right of access: you have the right to access your personal data; this is called a Subject Access Request.
The right to rectification: you are entitled to have personal data corrected if it is inaccurate or incomplete.
The right to erasure: you can request the deletion or removal of personal data where there is no compelling reason for its continued processing. However, the right to erasure does not provide an absolute ‘right to be forgotten’. The recruitment business may defend their right to retain the data on the basis it is still necessary for the purpose it was originally collected or there is an overriding legitimate interest to continue the processing.
The right to data portability: this allows you to obtain and reuse your personal data for your own purposes across different services. This right only applies to processing by automated means and it is unlikely this right will apply in a recruitment situation.
The right to object: you can object to processing based on legitimate business interests and marketing. The recruitment business must deal with an objection to processing for direct marketing at any time and at no cost.
Rights in relation to automated decision making and profiling: where the recruitment business undertakes automated decision making and/or profiling, you have the right not to be subject to an automated decision and to be able to obtain human intervention, express your point of view, obtain an explanation of the decision and challenge it.
Retention and Erasure of Recruitment Data
Under the Conduct of Employment Agencies and Employment Businesses Regulations 2003, recruiters must retain evidence of an introduction or supply for at least one year from the last activity, e.g. interview or engagement.
Once an interview or engagement has taken place then it is legitimate for a recruiter to hold information on that commercial transaction for the limitation period of a contract claim i.e. 6 years, although they may choose not to do so.
However, recruiters can decide their own retention periods as long as they have justification.
If you want any clarification on how a recruitment business is processing your data, ensure you speak to the recruitment business.