Hiring new candidates is a common and often vital business practice. However, it is essential to remember that collecting personal data from candidates requires careful consideration from a UK General Data Protection Regulation (UK GDPR) perspective. This fundamental data protection law sets out various strict rules on how organisations can collect, store, and use personal data, including data collected from job candidates. This article explores some critical considerations for businesses collecting personal information from candidates as part of their recruitment process.
What is Personal Data and How Does it Apply to Candidates?
Personal data refers to any information that can identify an individual. For job applicants, this may include names, contact details, employment history, educational qualifications, personal data in references, personal statements, and other personal information in a CV or job application.
Because employers collect a range of personal data from candidates, the UK GDPR rules apply. These legal rules apply to all prospective staff from whom you collect personal data, including potential employees, freelancers, or contractors.
Which Data Protection Issues Should Your Business Consider When Collecting Candidate Data?
There are several issues to consider when collecting personal data from candidates. Here are a few key considerations:
Have You Considered a Lawful Basis for Processing Candidate Data?
Under UK GDPR, you need a lawful basis to collect and process personal data. There are various lawful bases under UK GDPR rules (including complying with a legal obligation, consent, or performing a contract).
Your business must carefully consider, justify, and document which lawful grounds to rely upon to lawfully process a candidate’s data.
Have You Provided Transparency Information to Candidates?
Transparency is a core principle of UK GDPR. Candidates must be informed about what data you collect, why you collect it, and how you will use it. You can present this information through a Candidate Privacy Notice.
A comprehensive Candidate Privacy Notice should include various information such as:
- the specific types of personal data your business collects from candidates (e.g., name, CV, references);
- the lawful basis for collecting the data and how you will use it (e.g., to determine whether they are suitable for a particular role);
- the data retention period, which determines how long you will hold onto candidate data before deleting it;
- who your business shares candidate personal data with (e.g., any external background check providers your business works with); and
- the rights of the candidates under UK GDPR.
The Candidate Privacy Notice must be provided to candidates promptly and clearly so that they can review this information before providing their information to your business.
Have You Considered Candidate Rights Under UK GDPR?
Candidates have several rights regarding their data under UK GDPR, and you must be able to address these requests and have processes in place to handle them effectively.
Have You Considered the Principles of Data Minimisation and Security?
UK GDPR identifies fundamental principles your business must comply with when processing candidate data. Some important principles to observe include data minimisation and data security, which means you should:
- only collect data that is necessary for the recruitment process. Your business should refrain from collecting excessive personal details your business does not need, particularly at the initial application stage. For instance, asking for detailed personal history or sensitive information up front is generally unnecessary;
- protect and secure the data collected from candidates. Your business should carefully implement appropriate technical and organisational measures to secure data. This might include using secure storage solutions for physical documents and access controls to ensure that only authorised personnel can view or process candidate information; and
- only retain personal data for as long as necessary. Your data retention policies should clearly define and document how long you will maintain candidate information. You should not hold candidate data indefinitely, and you should have a transparent and UK GDPR-compliant data retention and deletion process.
These are some of the key general issues to consider when collecting candidate data. However, your business should take legal advice if you require a thorough understanding of your obligations when collecting candidate personal data.
Key Takeaways
When collecting personal data from candidates, you should understand the importance of the UK GDPR rules and ensure your business complies with them. Candidates are data subjects, so your business must follow strict legal rules when processing certain information. For instance, you must provide candidates with privacy information and document a lawful basis for processing personal data. If you require support understanding the scope of your legal obligations, you should seek legal advice.
If you need advice on your legal obligations when collecting personal data from candidates, LegalVision’s experienced data privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
1. Is a candidate applying for a job considered a data subject under UK GDPR?
Yes. Under the UK GDPR, anyone you collect personal data from during recruitment is considered a data subject. This includes information from potential employees, freelancers, or contractors.
2. What is a Candidate Privacy Notice, and why is it important?
A Candidate Privacy Notice informs candidates about how your business collects, uses, and stores their data during recruitment. This document is important because transparency is a core principle of UK GDPR.